ACL for MQTT clients using rabbit_auth_backend_http plugin


Giovanni Foiani

Nov 4, 2015, 6:38:26 AM11/4/15
to rabbitmq-users
Hi everyone,

I'm using Rabbitmq 3.5.6 and rabbit_auth_backend_http for access control.
I'm also using the MQTT plugin and I'd like to prevent MQTT clients from subscribing to specific topics.

I tried creating the mqtt-subscription-* queues in advance and binding them to the mqtt exchange only with the allowed topic, and granting MQTT clients only read permission on the mqtt-subscription-* queues. What I've seen is that MQTT clients want configure permission on the mqtt-subscription-* queues and read permission on the mqtt exchange in order to bind with their topic.
Is it possible to prevent that using the rabbit_auth_backend_http plugin, denying access to clients that subscribe to specific topics? To do that I need to get the binding key data at plugin level.

Any other idea to do that?

Thanks

Giovanni

Michael Klishin

Nov 4, 2015, 7:04:56 AM11/4/15
to rabbitm...@googlegroups.com, Giovanni Foiani
On 4 November 2015 at 14:38:29, Giovanni Foiani (giovann...@gmail.com) wrote:
> Is it possible to prevent that using rabbit_auth_backend_http
> plugin, denying access to client that subscribe to specific
> topics? To do that I need to get binding key data at plugin level

Binding keys come from the client, so you can’t know them ahead of time. Some groundwork
has been done to make topic-based authorisation for MQTT a reality but it currently requires a custom
plugin.

As explained previously on this list, MQTT the protocol lacks authorisation and error notifications for clients
(!!) and we’d like to wait until that changes before introducing a RabbitMQ-specific solution. But we may or may not
have a choice. 
--
MK

Staff Software Engineer, Pivotal/RabbitMQ


Giovanni Foiani

Nov 4, 2015, 8:51:13 AM11/4/15
to rabbitmq-users, giovann...@gmail.com
Thanks Michael,
I saw on the mqtt plugin repo that it is planned to add a "topic" resource in addition to the queue and exchange resources.
At the moment, what I see is that when an MQTT client subscribes to a topic, the following permission requests are issued to the rabbit_auth_backend_http plugin:
  • configure, read and write permissions for mqtt-subscription-* queue
  • read permission for mqtt exchange
If I understand correctly, it is planned to add in the next release a further request where the resource is 'topic' and contains the topic name to which the client is subscribing. Is that right?
If so, that would be fine for me. That way I could check the topic name during authentication and prevent it if the topic does not meet certain criteria.

Please correct me if I'm wrong.

Thanks,

Giovanni

Michael Klishin

Nov 4, 2015, 8:56:09 AM11/4/15
to rabbitm...@googlegroups.com, Giovanni Foiani
On 4 November 2015 at 16:51:16, Giovanni Foiani (giovann...@gmail.com) wrote:
> If I understand correctly, is planned to add in the next release
> a further request where the resource is 'topic' and contains
> the topic name for which the client is subscribing. Is it right?
> If so, it should be fine for me. In this way I could check the topic
> name during authentication and prevent it if the topic does not
> meet certain criteria.

Correct but to really use it you currently need to develop your own plugin,
which is what the team that's contributed that small improvement did. 
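As an added illustration of what the thread describes (not code from the thread or from the RabbitMQ project), the following is the decision logic for a small HTTP backend that rabbit_auth_backend_http could call. It models the two kinds of request Giovanni lists for an MQTT subscribe (configure/read/write on an mqtt-subscription-* queue and read on the MQTT exchange), which carry no topic and so can only be checked for shape, and a separate hypothetical 'topic' request carrying the subscription's routing key, which is the kind of check the thread says is planned. The request paths and parameter names, the plain 'allow'/'deny' reply bodies, the default exchange name amq.topic, the mqtt-subscription-<client-id>qos<n> queue naming and the MQTT-to-AMQP key translation ('/' and '.' swapped, '+' to '*') are assumptions; the users and topic policy are constructed sample data.

```python
"""Added example: decision logic for an HTTP auth backend behind rabbit_auth_backend_http.
Paths, parameter names, reply bodies, exchange/queue naming and key translation
are assumptions; the policy data below is constructed for the example."""
import hmac
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

MQTT_EXCHANGE = "amq.topic"                                   # assumed plugin default
SUB_QUEUE_RE = re.compile(r"^mqtt-subscription-.+qos[01]$")   # assumed naming scheme

# Constructed sample policy: credentials and the MQTT filters each user may subscribe to.
USERS = {"sensor-a": "s3cret", "dashboard": "d4sh"}
ALLOWED_FILTERS = {"sensor-a": ["sensors/a/#"], "dashboard": ["sensors/#", "alerts/+"]}


def amqp_key_to_mqtt(key: str) -> str:
    """Undo the assumed MQTT plugin key translation ('/' <-> '.', '+' -> '*')."""
    return key.translate(str.maketrans({".": "/", "/": ".", "*": "+"}))


def filter_covers(allowed: str, requested: str) -> bool:
    """True if every topic matched by `requested` is also matched by `allowed`.
    Coverage, not single-topic matching, is what a subscribe check needs: a client
    allowed 'sensors/a/#' must not be able to subscribe to 'sensors/#'."""
    a, r = allowed.split("/"), requested.split("/")
    i = 0
    while True:
        if i < len(a) and a[i] == "#":          # '#' covers all remaining levels
            return True
        if i >= len(a) or i >= len(r):          # one side ran out of levels
            return i >= len(a) and i >= len(r)
        if r[i] == "#":                         # requested wants more than allowed gives
            return False
        if a[i] != "+" and a[i] != r[i]:        # literal mismatch ('+' covers one level)
            return False
        i += 1


def user_decision(p: dict) -> str:
    pw = USERS.get(p.get("username", ""))
    ok = pw is not None and hmac.compare_digest(pw, p.get("password", ""))
    return "allow" if ok else "deny"


def vhost_decision(p: dict) -> str:
    return "allow" if p.get("username") in USERS else "deny"


def resource_decision(p: dict) -> str:
    """The checks the thread observed: no topic is present, only the shape is checked."""
    if p.get("username") not in USERS:
        return "deny"
    res, name, perm = p.get("resource"), p.get("name", ""), p.get("permission")
    if res == "exchange" and name == MQTT_EXCHANGE and perm == "read":
        return "allow"
    if res == "queue" and SUB_QUEUE_RE.match(name) and perm in ("configure", "read", "write"):
        return "allow"
    return "deny"


def topic_decision(p: dict) -> str:
    """Hypothetical 'topic' check: allow only filters covered by the user's policy."""
    if p.get("resource") != "topic" or p.get("name") != MQTT_EXCHANGE:
        return "deny"
    requested = amqp_key_to_mqtt(p.get("routing_key", ""))
    allowed = ALLOWED_FILTERS.get(p.get("username", ""), [])
    return "allow" if any(filter_covers(f, requested) for f in allowed) else "deny"


HANDLERS = {"/user": user_decision, "/vhost": vhost_decision,
            "/resource": resource_decision, "/topic": topic_decision}


def decide(path: str, params: dict) -> str:
    """Route one backend request to its decision; unknown paths fail closed."""
    return HANDLERS.get(path, lambda _p: "deny")(params)


def _flatten(qs: dict) -> dict:
    return {k: v[0] for k, v in qs.items()}


class AuthHandler(BaseHTTPRequestHandler):
    """Accepts the parameters as a query string (GET) or form body (POST)."""

    def _reply(self, params: dict) -> None:
        body = decide(urlparse(self.path).path, params).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        self._reply(_flatten(parse_qs(urlparse(self.path).query)))

    def do_POST(self):
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()
        self._reply(_flatten(parse_qs(raw)))


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8000), AuthHandler).serve_forever()
```

The point the thread makes is visible in resource_decision: with only queue and exchange checks, the backend can confirm that the queue name looks like an MQTT subscription queue and that the exchange is the MQTT one, but it has no way to see which topic the binding will use, so per-topic denial is impossible there. Only a request carrying the routing key, as in topic_decision, lets the backend refuse a subscription, and the check has to be a coverage test on the filter rather than a match against one topic, otherwise a client allowed sensors/a/# could subscribe to sensors/#.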