
Mosquitto ACL setup

Åke Hedman edited this page Sep 2, 2021 · 1 revision

An ACL (access control list) file can be used to restrict what users may do on the topics of a mosquitto broker. For each topic you can grant read and write access, read only, write only, or deny access altogether, and the '+' and '#' MQTT wildcards can be used in the topic names. Once an ACL file is configured, any access the file does not explicitly grant is denied.

There are three kinds of rule you can write:

  • topic
  • user
  • client

Controlling topic

If allow_anonymous is set to true then clients can log in to the broker without a username and password. topic lines placed before the first user or pattern line apply to such anonymous clients. A line such as

topic read test/#

will allow an anonymous client to read from the test/# topic. This means the client can read from test itself, test/A, test/B, test/a/b/c/d/e etc., but not write to them (read access is enforced on every message mosquitto delivers, not only at subscription time). Changing the line to

topic readwrite test/#

will allow the client to both read and write the test/... topics. 'readwrite' is actually the default, so

topic test/#

is the same as the setting above.

Controlling user

user works in the same way, except that the topic lines following a user line apply only to clients that logged in with that username. An authenticated user without a user section of its own gets no topic rules at all (only pattern rules, see below). Setting up

user lena
topic read vscp/#

will allow user lena to read the topic vscp and all its subtopics. Writing this

user lena
topic read vscp/#
topic read super
topic read cool
topic write xxx
topic test
topic deny private

lets the user lena read vscp and its subtopics, read super (but not its subtopics), read cool (but not its subtopics), write to xxx (but not to its subtopics) and both read and write the topic test. The topic private is denied to lena; a deny line overrides anything another rule (typically a wildcard) would otherwise grant, which is what it is for.

Controlling client

Using the keyword pattern you can set rights relative to the client id of the connecting client. The setting

pattern write test/%c/state

allows a client to write to the topic built by replacing %c with its client id, so a client with id node7 may write to test/node7/state but not to test/node8/state.

One can also use %u in the pattern, meaning the username the client logged in with. The substitution must be the only text in its topic level (test/%c/state works, test/node-%c does not), and pattern rules are checked for every client in addition to its topic or user rules. Note that the client id is chosen by the client itself, so a %c rule only keeps clients apart as long as they cannot pick each other's ids; when the separation has to rest on an authenticated identity, use %u together with a password file.
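
To sanity-check an ACL file before deploying it, here is an added example (my own code, not from this wiki, from mosquitto or from VSCP) that parses the three kinds of rule shown above and answers "may this client read/write this topic?" the way the text describes: anonymous topic lines, per-user sections with deny, and %c/%u patterns. SAMPLE_ACL is constructed from this page's examples plus one clients/%u/# pattern of my own; the names parse_acl, allowed and topic_matches, the deny-before-grant ordering and the refusal of client ids or usernames containing + or # are my own choices, made from my reading of mosquitto.conf(5). It assumes an omitted access word means readwrite and that anything not granted is denied.

```python
"""Offline evaluator for a mosquitto-style ACL file (added example, not project code)."""
from __future__ import annotations

from dataclasses import dataclass, field

READ, WRITE = 1, 2
ACCESS_WORDS = {"read": READ, "write": WRITE, "readwrite": READ | WRITE, "deny": 0}


@dataclass
class Rule:
    sub: str      # ACL topic, may contain the MQTT wildcards + and #
    access: int   # bitmask of READ/WRITE; 0 is an explicit deny


@dataclass
class Acl:
    anonymous: list[Rule] = field(default_factory=list)  # topic lines before any "user"
    users: dict[str, list[Rule]] = field(default_factory=dict)
    patterns: list[Rule] = field(default_factory=list)   # %c / %u rules, checked for every client


def parse_acl(text: str) -> Acl:
    acl = Acl()
    current = acl.anonymous
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        keyword = parts[0]
        if keyword == "user" and len(parts) == 2:
            current = acl.users.setdefault(parts[1], [])
            continue
        if keyword not in ("topic", "pattern") or len(parts) < 2:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        if len(parts) == 3 and parts[1] in ACCESS_WORDS:
            access, sub = ACCESS_WORDS[parts[1]], parts[2]
        else:                       # no access word: the default is readwrite
            access, sub = READ | WRITE, line.split(None, 1)[1]
        if keyword == "pattern":
            if access == 0:         # this evaluator only models grant patterns
                raise ValueError(f"line {lineno}: deny is not supported on pattern lines here")
            acl.patterns.append(Rule(sub, access))
        else:
            current.append(Rule(sub, access))
    return acl


def topic_matches(sub: str, topic: str) -> bool:
    """MQTT matching: '+' matches exactly one level, '#' the remainder (zero or more levels)."""
    s_levels, t_levels = sub.split("/"), topic.split("/")
    for i, level in enumerate(s_levels):
        if level == "#":
            return True           # "test/#" also matches "test" itself
        if i >= len(t_levels) or (level != "+" and level != t_levels[i]):
            return False
    return len(s_levels) == len(t_levels)


def _check_rules(rules: list[Rule], topic: str, access: int) -> bool | None:
    """True = granted, False = explicitly denied, None = no rule matched."""
    # deny rules are evaluated before grants so a deny always overrides a wildcard grant
    ordered = [r for r in rules if r.access == 0] + [r for r in rules if r.access != 0]
    for rule in ordered:
        if topic.startswith("$") and not rule.sub.startswith("$"):
            continue              # plain wildcards do not reach $SYS/... topics
        if not topic_matches(rule.sub, topic):
            continue
        if rule.access == 0:
            return False
        if rule.access & access:
            return True
    return None


def allowed(acl: Acl, username: str | None, client_id: str, topic: str, access: int) -> bool:
    # a client-chosen id or name carrying a wildcard must never be substituted into a pattern:
    # client id "+" against "pattern write test/%c/state" would grant test/<anyone>/state
    if any(ch in "+#" for ch in client_id + (username or "")):
        return False
    rules = acl.anonymous if username is None else acl.users.get(username, [])
    verdict = _check_rules(rules, topic, access)
    if verdict is not None:
        return verdict
    for rule in acl.patterns:
        if "%u" in rule.sub and username is None:
            continue              # nothing to substitute for an anonymous client
        if topic.startswith("$") and not rule.sub.startswith("$"):
            continue
        concrete = rule.sub.replace("%c", client_id).replace("%u", username or "")
        if topic_matches(concrete, topic) and rule.access & access:
            return True
    return False                  # with an ACL file in place everything else is denied


# Constructed sample: the rules from this page plus one %u pattern of my own.
SAMPLE_ACL = """\
topic read test/#

user lena
topic read vscp/#
topic read super
topic read cool
topic write xxx
topic test
topic deny private

pattern write test/%c/state
pattern read clients/%u/#
"""

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for user, cid, topic, acc in [
        (None, "node7", "test/a/b", READ),
        (None, "node7", "test/a/b", WRITE),
        (None, "node7", "test/node7/state", WRITE),
        ("lena", "node7", "super/x", READ),
        ("lena", "node7", "private", READ),
        ("bob", "node7", "test/a", READ),
    ]:
        verdict = "allow" if allowed(acl, user, cid, topic, acc) else "deny"
        print(f"{user or '<anon>':>6} {cid} {'write' if acc == WRITE else 'read':5} {topic:18} -> {verdict}")
```

Run it as a script to see the verdicts for the page's examples, or import it and feed your own ACL text to parse_acl. It is a model for reviewing an ACL, not a substitute for testing against the broker itself: confirm the final file with mosquitto_sub and mosquitto_pub against a test instance, since the broker also applies checks (for example on subscriptions) that this evaluator does not model.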

Enabling ACL

Edit mosquitto.conf and point the acl_file option at your ACL file, like

acl_file /etc/mosquitto/acl.example

then restart the broker or send it SIGHUP, which makes mosquitto re-read its configuration including the ACL file. Once acl_file is set, only the topics the file grants are accessible; everything else is denied. The ACL file controls what connected clients may do, not who may connect, so to keep unknown clients out also set allow_anonymous false and configure a password_file.

There is a sample acl file in /etc/mosquitto you can start with.
