I want to restrict my microservices to publishing and/or subscribing to only specific MQTT topics on my Eclipse Mosquitto broker (2.0.20, Docker).
The restrictions in my ACL file work fine, but I can't see any warning in either the client or the broker! My minimal reproducer (as pushed to GitHub minimal reproducer):
mosquitto.acl

```
user joe
topic readwrite allowed
```

mosquitto.conf

```
allow_anonymous false
password_file /mosquitto/config/passwd
listener 1883 0.0.0.0
log_dest stdout
log_type all
acl_file /mosquitto/config/mosquitto.acl
```
When I publish via

```
mosquitto_pub -t forbidden -m hi --debug -u joe --pw pwdjoe1
```

I get exit code 0 and no warnings. But none of the subscribers is notified (the ACL is found and applied). The debug output is:

```
Client null sending CONNECT
Client null received CONNACK (0)
Client null sending PUBLISH (d0, q0, r0, m1, 'forbidden', ... (2 bytes))
Client null sending DISCONNECT
```
What I tried:

`allowed`

yields the same output, but the message will be received by all subscribers.

---

Short answer, you don't.

Mosquitto will just silently drop messages for topics the client cannot publish to.
And likewise it just doesn't deliver messages you can't subscribe to.

Mosquitto's ACLs work purely at message delivery time, unlike some brokers that will reject a subscription if it doesn't match an allowance rule.
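Because the broker gives the client no feedback, the practical way to catch a mistake like the one in the question is to evaluate the ACL before deploying it. The following is an added example, not code from the question, the answer, or the Mosquitto project: an offline checker that parses the `acl_file` grammar used above and reports what the broker would decide for a given user, topic and action. It assumes a constructed `ACL_TEXT` (the question's file plus a wildcard `read` rule and a `deny` rule), models only `user` and `topic` lines (no `pattern` lines), and checks concrete topic names rather than wildcard subscription filters. Deny rules are evaluated before grants and anything not granted is denied, which is the documented behaviour once `acl_file` is set.

```python
"""Offline checker for a Mosquitto-style acl_file (hypothetical helper).

Grammar modelled (a subset of what Mosquitto accepts):
  user <name>                          -> following topic lines apply to <name>
  topic [read|write|readwrite|deny] <filter>
  topic <filter>                       -> shorthand for readwrite
Topic lines that appear before any `user` line apply to every user.
"""

# Constructed sample: the question's mosquitto.acl plus two extra rules.
ACL_TEXT = """\
# joe may publish/subscribe on 'allowed', read any room temperature,
# but never the 'secret' room.
user joe
topic readwrite allowed
topic read sensors/+/temperature
topic deny sensors/secret/temperature
"""

ACCESS_KEYWORDS = ("read", "write", "readwrite", "deny")


def topic_matches(pattern, topic):
    """MQTT wildcard match of a concrete topic against an ACL filter.
    '+' matches exactly one level, '#' matches the rest (including nothing)."""
    p_segs = pattern.split("/")
    t_segs = topic.split("/")
    for i, seg in enumerate(p_segs):
        if seg == "#":
            return True
        if i >= len(t_segs):
            return False
        if seg != "+" and seg != t_segs[i]:
            return False
    return len(p_segs) == len(t_segs)


def parse_acl(text):
    """Return {username_or_None: [(access, filter), ...]} in file order.
    The None key holds the global rules that precede any `user` line."""
    rules = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0] == "user" and len(parts) >= 2:
            current = parts[1]
        elif parts[0] == "topic" and len(parts) >= 2:
            if len(parts) == 3 and parts[1] in ACCESS_KEYWORDS:
                access, topic_filter = parts[1], parts[2]
            else:
                # bare `topic <filter>` means readwrite
                access, topic_filter = "readwrite", " ".join(parts[1:])
            rules.setdefault(current, []).append((access, topic_filter))
        elif parts[0] == "pattern":
            raise ValueError("pattern rules (%u/%c substitution) are not modelled here")
        else:
            raise ValueError("unrecognised acl line: %r" % raw)
    return rules


def check(rules, user, topic, action):
    """Decide whether `user` may `action` ('read' = receive/subscribe,
    'write' = publish) on a concrete `topic`.
    Deny rules win over grants; no matching grant means denied."""
    if action not in ("read", "write"):
        raise ValueError("action must be 'read' or 'write'")
    applicable = rules.get(None, []) + rules.get(user, [])
    for access, topic_filter in applicable:
        if access == "deny" and topic_matches(topic_filter, topic):
            return False
    for access, topic_filter in applicable:
        if access in ("readwrite", action) and topic_matches(topic_filter, topic):
            return True
    return False


def reproduce_question():
    """joe publishing to 'forbidden' vs 'allowed', as in the question.
    The 'forbidden' publish is exactly the case the broker drops silently."""
    rules = parse_acl(ACL_TEXT)
    return {t: check(rules, "joe", t, "write") for t in ("forbidden", "allowed")}


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for user, topic, action in [
        ("joe", "forbidden", "write"),
        ("joe", "allowed", "write"),
        ("joe", "sensors/kitchen/temperature", "read"),
        ("joe", "sensors/kitchen/temperature", "write"),
        ("joe", "sensors/secret/temperature", "read"),
        ("bob", "allowed", "write"),
    ]:
        verdict = "ALLOW" if check(acl, user, topic, action) else "DENY "
        print("%s %-3s %-5s %s" % (verdict, user, action, topic))
```

Running the script lists each decision; the `DENY joe write forbidden` line is the explanation for the question's exit code 0 with no subscriber notified. Wire the same `check` calls into a CI step that loads the real `mosquitto.acl` and you get the rejection message the broker itself never sends.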