rp346

Reputation: 7068

mosquitto ACL to restrict client

I have mosquitto with TLS working and want to add an ACL to restrict clients from reading/writing/creating topics.

All clients publish to the /device/registration topic, and a client should only subscribe to its client-specific topic /device/certificate/<client_id>. For this I have the following in the ACL file:

mosquitto.acl

topic write /device/registration
pattern read /device/certificate/%c

How can I add a backend process (backend-app client) that can read/write all these topics?

Also, how can I completely bar all clients from subscribing to the topic $SYS/# and from creating any other topics with any name?

Upvotes: 1

Views: 1890

Answers (1)

hardillb

Reputation: 59791

OK, so the ACL file normally applies rules to specific users, with each user's set of rules being dictated by a leading user <username> entry.

Any rules before the first user <username> entry are applied to any anonymous users (assuming allow_anonymous true is in the config file).

At the moment your rules apply to all anonymous users.

The easiest way to add a rule for the backend service is to have it sign in as a specific user and have an explicit rule to allow that user. e.g.

topic write /device/registration
pattern read /device/certificate/%c

user backend-app
topic readwrite #

This will allow the backend-app user to both publish and subscribe to any topic. You can specify the user/passwords in the file set with the password_file setting. (But if you are going to be adding users/devices dynamically it might be better to look at using the auth_plugin settings to access the ACL/User/Password details from a database that can be easily updated.)

User/password for device authorisation is better than just using client_ids because there is nothing to stop somebody from setting their client_id to match anybody else's.

Upvotes: 2
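An added model of how mosquitto evaluates an acl_file, written to illustrate this answer and not taken from mosquitto or from the answer's author: rules before the first user line apply to anonymous clients, topic rules after a user line apply to that user, and pattern lines with %c/%u are applied to every client whatever section they appear in. It assumes a plain acl_file (no deny rules, no auth_plugin) and checks concrete topic names as mosquitto does at publish and delivery time; the ACL text is constructed from the question's rules plus a backend-app section.

```python
# Constructed ACL: the question's anonymous rules plus a backend-app user section.
ACL_TEXT = """\
topic write /device/registration
pattern read /device/certificate/%c

user backend-app
topic readwrite #
"""

def topic_matches(sub: str, topic: str) -> bool:
    """MQTT filter match: '+' is one level, '#' the rest; a leading wildcard never matches $SYS/..."""
    if sub[:1] in ("+", "#") and topic.startswith("$"):
        return False
    s, t = sub.split("/"), topic.split("/")
    for i, level in enumerate(s):
        if level == "#":
            return True
        if i >= len(t) or (level != "+" and level != t[i]):
            return False
    return len(s) == len(t)

def parse_acl(text: str):
    """'topic' lines belong to the current section (anonymous before the first 'user');
    'pattern' lines are global, applied to every client. 'deny' rules are not modelled."""
    anon, users, patterns, current = [], {}, [], None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):  # blank line or full-line comment
            continue
        parts = line.split(None, 2)
        if parts[0] == "user":
            current = parts[1]
        elif parts[0] in ("topic", "pattern"):
            rule = (parts[1], parts[2]) if len(parts) == 3 else ("readwrite", parts[1])  # access defaults to readwrite
            if parts[0] == "pattern":
                patterns.append(rule)
            else:
                (anon if current is None else users.setdefault(current, [])).append(rule)
        else:
            raise ValueError(f"unknown ACL keyword: {parts[0]}")
    return anon, users, patterns

def allowed(acl, username, client_id: str, access: str, topic: str) -> bool:
    """May the client (username None = anonymous) 'read' or 'write' this topic? Unmatched = denied."""
    anon, users, patterns = acl
    rules = list(anon if username is None else users.get(username, []))
    for acc, pat in patterns:
        if "%u" in pat and username is None:  # mosquitto skips %u patterns for clients without a username
            continue
        rules.append((acc, pat.replace("%c", client_id).replace("%u", username or "")))
    return any(acc in (access, "readwrite") and topic_matches(t, topic) for acc, t in rules)
```

Two things the model makes visible: a rule topic of `#` does not cover `$SYS/...`, so a user that should read those needs an explicit `$SYS/#` line, and because `pattern` rules are global, writing `pattern readwrite #` under a user section would grant every anonymous device the same access.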
