Reputation: 635
I want to integrate MQTT with Mosquitto in my platform. It seems I can have user authentication (user/password, though I would prefer token-based, but that's another question). Everything I read seems to handle whether a user can access the server or not, but I'm not sure if I can establish permissions to restrict whether a client can subscribe to a particular publication (something like file permissions in Unix).
I'm looking at the docs and it seems there is no option to handle it or to delegate this control, so I guess it can't be done. But I would like to know for sure.
Upvotes: 0
Views: 455
Reputation: 59608
The mosquitto doc should be pretty clear; it covers both Authentication and Authorisation.
Out of the box mosquitto supports a password file (specified by the password_file config argument) that holds username/password information. This, combined with setting the allow_anonymous argument to false, will make sure you can only connect to the broker as an authenticated user.
The acl_file config option points to the list of ACLs that control what topics a given user can subscribe or publish to. It uses the following format:
user <username>
topic [read|write|readwrite] <topic>
pattern [read|write|readwrite] <topic-pattern>
A username, followed by lines that give a specific topic or topic pattern and what level of access that user should have. (Patterns can contain %c to substitute for the clientID or %u to substitute for the username.)
As well as the file-based support, mosquitto has an authentication plugin API, which means you can offload all that information to code that can look users and ACLs up in a database. There is an example plugin by JPMens: https://github.com/jpmens/mosquitto-auth-plug
Upvotes: 1
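The ACL format described in the answer above, modelled in Python as an added example (it is not part of the original answer and not Mosquitto's own code). It shows how per-user `topic` rules and global `pattern` rules with %c/%u substitution decide one publish or delivery on a concrete topic. Assumptions: the sample users and topics are constructed, the function names are hypothetical, and refusing to substitute a client ID or username that contains `+`, `#` or `/` is this example's own defensive check.

```python
# Added example: a simplified model of acl_file evaluation, not Mosquitto's own code.
SAMPLE_ACL = """\
user alice
topic read sensors/#
topic readwrite home/alice/cmd
user bob
topic write sensors/+/temp
pattern readwrite devices/%c/state
pattern read users/%u/inbox
"""  # constructed sample; usernames and topics are made up

ACCESS = ("read", "write", "readwrite")

def parse_acl(text):
    """Return (per_user, patterns); per_user maps username -> [(access, filter)]."""
    per_user, patterns, current = {}, [], None  # None: rules before any 'user' line
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        keyword, _, rest = line.partition(" ")
        if keyword == "user":
            current = rest.strip()
        elif keyword in ("topic", "pattern"):
            first, _, tail = rest.strip().partition(" ")
            # The access field is optional; a missing one means readwrite.
            rule = (first, tail.strip()) if first in ACCESS and tail else ("readwrite", rest.strip())
            (patterns if keyword == "pattern" else per_user.setdefault(current, [])).append(rule)
        else:
            raise ValueError(f"unknown ACL keyword: {keyword!r}")
    return per_user, patterns

def topic_matches(filt, topic):
    """MQTT filter match: '+' is one level, '#' is the rest of the tree."""
    f, t = filt.split("/"), topic.split("/")
    for i, level in enumerate(f):
        if level == "#":
            return True
        if i >= len(t) or level not in ("+", t[i]):
            return False
    return len(f) == len(t)

def is_allowed(acl, username, client_id, topic, action):
    """action: 'read' (receive) or 'write' (publish). No matching rule means deny."""
    per_user, patterns = acl
    rules = list(per_user.get(username, []))
    # Refuse %c/%u substitution when the value could smuggle in wildcards or levels.
    safe = lambda v: v is not None and not any(ch in v for ch in "+#/")
    for access, pat in patterns:
        if ("%c" in pat and not safe(client_id)) or ("%u" in pat and not safe(username)):
            continue
        rules.append((access, pat.replace("%c", client_id or "").replace("%u", username or "")))
    return any(a in (action, "readwrite") and topic_matches(f, topic) for a, f in rules)
```

Pass `username=None` to model an anonymous client, which only gets `topic` rules that appear before the first `user` line.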