
Dynamic Security Plugin

This plugin provides a mechanism for authentication within MQTT. It allows for users (clients), groups, and roles to be created to specify what a specific user can subscribe and publish to.

Documentation

Setup

  1. In your mosquitto.conf file, you will add the following lines:

    plugin /mosquitto/config/mosquitto_dynamic_security.so
    plugin_opt_config_file /mosquitto/config/dynamic-security.json
    

    The plugin line specifies where the plugin library is located on disk. I know the docker containers come with this file, but I don't remember where it is. To save me time I have copied it so that I can place it in the appropriate configuration folder.

    The plugin_opt_config_file line gives the path of the JSON file in which the dynamic security plugin records its configuration, including the users, groups, and roles. Passwords in this file are stored hashed, but it is still a file you do not want leaked.

  2. Initialize the dynamic-security.json file by running the following command:

    mosquitto_ctrl dynsec init path/to/dynamic-security.json <username>
    

    The username you pick will be given the default role of admin which has the following permissions:

    • publishClientSend: $CONTROL/dynamic-security/# - this allows the client to control the Dynamic security plugin.
    • publishClientReceive: $CONTROL/dynamic-security/# - this allows the client to receive information from the plugin. This is not necessary in the default configuration, but is included in case the default behaviour for publishClientReceive is set to deny.
    • subscribePattern: $CONTROL/dynamic-security/# - this allows the client to receive information from the plugin.
    • publishClientReceive: $SYS/# - this allows the client to see the broker metrics.
    • subscribePattern: $SYS/# - this allows the client to see the broker metrics.
    • publishClientReceive: # - this allows the client to examine the messages being published by other clients.
    • subscribePattern: # - this allows the client to examine the messages being published by other clients.
    • unsubscribePattern: # - this allows the client to undo previous subscriptions. This is not necessary in the default configuration, but is included in case the default behaviour for unsubscribe is set to deny.

    The admin user does not have access to publish to normal application topics in the # hierarchy by default. You are strongly encouraged to keep the admin user purely for administering the plugin, and create other clients for your application.

Control

Interact with the Dynamic Security plugin using the control topic API at $CONTROL/dynamic-security/v1 or through the mosquitto_ctrl command.

Each message sent to the control topic via MQTT can contain multiple commands grouped together. They are executed in the order of the array.

{
  "commands": [
    {
      "command": "createRole",
      "rolename": "",
      "acls": [
        {
          "acltype": "subscribePattern",
          "topic": "",
          "allow": true
        }
      ]
    },
    {
      "command": "createClient",
      "username": "",
      "password": "",
      "groups": [{ "groupname": "" }],
      "roles": [{ "rolename": "" }]
    }
  ]
}
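As an added example (not code from this page or from the Mosquitto project), a small Python helper that assembles such a batch: it builds a least-privilege role plus a client bound to it, checks the array order that the plugin relies on, flags ACLs that reach into the admin-only `#` or `$CONTROL/` trees, and pairs the plugin's reply with the commands sent. The reply shape (a `responses` array in command order, each entry carrying `command` and, on failure, `error`) and the sample values are assumptions, not taken from the page.

```python
import json

CONTROL_TOPIC = "$CONTROL/dynamic-security/v1"  # command topic named on the page

def make_role(rolename, subscribe=(), publish=()):
    """createRole command with one allow ACL per topic filter and nothing broader."""
    acls = [{"acltype": "subscribePattern", "topic": t, "allow": True} for t in subscribe]
    acls += [{"acltype": "publishClientSend", "topic": t, "allow": True} for t in publish]
    return {"command": "createRole", "rolename": rolename, "acls": acls}

def make_client(username, password, rolenames):
    """createClient command bound directly to the given roles."""
    return {"command": "createClient", "username": username, "password": password,
            "roles": [{"rolename": r} for r in rolenames]}

def build_batch(*commands):
    """Serialise one control message. Commands run in array order, so a role
    created in this batch must precede any client in the batch that uses it."""
    in_batch = {c["rolename"] for c in commands if c["command"] == "createRole"}
    seen = set()
    for cmd in commands:
        if cmd["command"] == "createRole":
            seen.add(cmd["rolename"])
        elif cmd["command"] == "createClient":
            for role in cmd["roles"]:
                if role["rolename"] in in_batch and role["rolename"] not in seen:
                    raise ValueError(f"role {role['rolename']!r} is created after the client using it")
    return json.dumps({"commands": list(commands)})

def overbroad_acls(batch_json):
    """Flag allow ACLs that reach the whole '#' hierarchy or the plugin's own $CONTROL
    tree: the setup section above reserves those for the admin role."""
    findings = []
    for cmd in json.loads(batch_json)["commands"]:
        for acl in cmd.get("acls", []):  # only createRole commands carry an acls array here
            if acl["allow"] and (acl["topic"] == "#" or acl["topic"].startswith("$CONTROL/")):
                findings.append((cmd["rolename"], acl["acltype"], acl["topic"]))
    return findings

def failed_commands(batch_json, response_json):
    """Pair the plugin's response array with the commands sent. Assumes responses
    arrive in the same order, each carrying 'command' and, on failure, 'error'."""
    sent = json.loads(batch_json)["commands"]
    got = json.loads(response_json)["responses"]
    return [(sent[i]["command"], r["error"]) for i, r in enumerate(got) if "error" in r]

if __name__ == "__main__":
    batch = build_batch(make_role("sensor-writer", publish=["sensors/+/temp"]),
                        make_client("sensor-01", "constructed-password", ["sensor-writer"]))
    reply = '{"responses":[{"command":"createRole"},{"command":"createClient","error":"Client already exists"}]}'
    print(failed_commands(batch, reply))  # constructed reply -> [('createClient', 'Client already exists')]
```

Publish the string returned by build_batch to CONTROL_TOPIC with any MQTT client authenticated as the admin user, and feed the plugin's reply to failed_commands to see which command in the array was rejected.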

Groups