mqtt mosquitto libmosquitto

MQTT dynamic security plugin API control - client/role/group management using publish/subscribe commands


I am using the built-in security-plugin from Mosquitto to define access to my broker. So far I've set clients, roles and groups using mosquitto_ctrl <connection options> dynsec <command> ... commands. (see mosquitto)

The broker is running in a Docker container. However, I'd like to manage the dynamic security plugin from another Docker container, i.e. from outside. To be precise, I'd like to connect to the broker (e.g. with python paho) with the admin credentials and publish modifications to the security plugin.

I assume that this must be possible as in the documentation it is explicitly mentioned:

All control of the plugin after initial installation is through the MQTT topic API at $CONTROL/dynamic-security/v1. This allows integrations to be built, but isn't the best choice for people to use directly.

E.g., for listing all clients I imagine using something like

mosquitto_pub -h localhost -p 1883 -t $CONTROL/dynamic-security/v1 -m "{"command":listClients}" -u "mqtt-admin" -P "pwd"

and

mosquitto_sub -h localhost -p 1883 -t $CONTROL/dynamic-security/v1 -u "mqtt-admin" -P "pwd"

Unfortunately, I couldn't get it working. Does anybody know how to use the plugin as an API?
Thanks!

P.S.: I've found some more hints on using publish commands in the Mosquitto GitHub repo, saying the message should look like this:

{
    "commands":[
        {
            "command": "listClients",
            "verbose": false,
            "count": -1, # -1 for all, or a positive integer for a limited count
            "offset": 0 # Where in the list to start
        }
    ]
}

Edit:
I was finally able to resolve it with the help of hardillb.

  1. subscribe like so:
     mosquitto_sub -h localhost -p 1883 -t '$CONTROL/dynamic-security/v1/#' -u "mqtt-admin" -P "pwd"
  2. publish like so:
     mosquitto_pub -h localhost -p 1883 -t '$CONTROL/dynamic-security/v1' -m '{"commands": [{"command": "listClients"}]}' -u "mqtt-admin" -P "pwd"

The list of clients will then be given on the subscription side.


Solution

  • You need to put single quotes (not double quotes) round the topics, as the shell will try to replace $CONTROL as an environment variable, which is most likely empty.

    mosquitto_pub -h localhost -p 1883 -t '$CONTROL/dynamic-security/v1' -m '{"commands": [{"command": "listClients"}]}' -u "mqtt-admin" -P "pwd"
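
The same exchange from Python, as the question asks for (an added example, not code from the original post or from the Mosquitto project): it subscribes under the control topic, publishes `listClients` only after the subscription is acknowledged, and parses the reply. Assumptions: paho-mqtt 2.x callback API, a reply of the form `{"responses": [{"command": ..., "data": {"clients": [...]}}]}` with failures reported in an `"error"` field, and the constructed `SAMPLE` payload.

```python
import json
import queue

CONTROL_TOPIC = "$CONTROL/dynamic-security/v1"  # literal "$": no shell expansion here

def build_request(command, **params):
    """Wrap one dynsec command in the {"commands": [...]} envelope."""
    return json.dumps({"commands": [{"command": command, **params}]})

def parse_responses(payload):
    """Return [(command, data), ...]; raise if the broker reported an error."""
    results = []
    for item in json.loads(payload).get("responses", []):
        if "error" in item:
            raise RuntimeError(f"{item.get('command')}: {item['error']}")
        results.append((item.get("command"), item.get("data", {})))
    return results

def client_names(data):
    """Usernames from a listClients reply; entries may be strings or objects."""
    return [c["username"] if isinstance(c, dict) else c for c in data.get("clients", [])]

def list_clients(host, port, username, password, timeout=5.0):
    """Subscribe first, publish after SUBACK, then wait for the reply."""
    import paho.mqtt.client as mqtt  # third-party; paho-mqtt 2.x API assumed
    replies = queue.Queue()
    def on_connect(client, userdata, flags, reason_code, properties):
        client.subscribe(CONTROL_TOPIC + "/#", qos=1)
    def on_subscribe(client, userdata, mid, reason_codes, properties):
        client.publish(CONTROL_TOPIC, build_request("listClients"), qos=1)
    def on_message(client, userdata, msg):
        if msg.topic != CONTROL_TOPIC:  # keep replies, ignore the request topic
            replies.put(msg.payload)
    client = mqtt.Client(mqtt.CallbackAPIVersion.VERSION2)
    client.username_pw_set(username, password)
    client.on_connect, client.on_subscribe, client.on_message = (
        on_connect, on_subscribe, on_message)
    client.connect(host, port)
    client.loop_start()
    try:
        payload = replies.get(timeout=timeout)  # queue.Empty if nothing arrives
    finally:
        client.loop_stop()
        client.disconnect()
    return client_names(parse_responses(payload)[0][1])

# Constructed sample reply (shape assumed, not captured from a broker).
SAMPLE = b'{"responses":[{"command":"listClients","data":{"clients":["mqtt-admin","sensor-1"]}}]}'
```

The commands on this page use port 1883 without TLS, so the admin password crosses the container network unencrypted; calling `client.tls_set()` before `connect()` covers that when the listener has TLS enabled.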