%u and %c in field 'topic' of table acls about mosquitto-auth-plug HOT 6 CLOSED

Nice idea, but hard to do because it would mean a table scan over the database to find all possible combinations. In short: no. ;-)

Unless, that is, you have some clever way of doing this.

from mosquitto-auth-plug.

I do not mean that %u and %c is used in the SQL query that retrieve topics, but they could be interpreted once retrieved by the query. For example, in the dafult query

SELECT topic FROM acls WHERE (username = '%s') AND (rw >= %d)

returned topics could be:

/foo
/foo/%u/#
/foo/%c/+

then, if the user 'joe' is trying to subscribe /foo/joe/score, it will be feasible due to /foo/%u/#

Allowing the use of %c and %u in the query itself, of course, will be hard to do.

from mosquitto-auth-plug.

You can solve using something like:
auth_opt_aclquery SET @username = '%s'; SET @rw = %d; SELECT CONCAT(topic,'/',@username,'/+') FROM acls WHERE (username = @username) AND (rw >= @rw)

from mosquitto-auth-plug.

That is very clever. ;-)

I will, nevertheless, revisit this in the coming weeks; maybe we can do
something along the lines of what OP requested.

from mosquitto-auth-plug.

Hi JPMens, gallog,

a clever solution, indeed. However it is not completely suitable for me. Maybe the substitution of %s instead of %u is valid for me. But what I need is that mosquitto-auth-plug supports the same substitution patterns that Mosquitto uses.

http://mosquitto.org/man/mosquitto-conf-5.html (the acl_file file option)

So, I need %c (for client ID substitution) and %u (for username substitution). As %s in mosquitto-auth-plug is the same than %u in mosquitto, your solution could be interesting. But what about %c? %d (in mosquitto-auth-plug) is not the same that %c (in mosquitto).

Well.... unless %c and %u are present in the context of mosquitto-auth-plug. If they are present (I did not try it) then I could use them in the way you have suggested. However, I thing this should be a temporary solution and mosquitto-auth-plug should maintaint the same ACL features that Mosquitto (I know... this is opensource so I could do it myself; do not flame me :-)). So, ACL management will be done only using our management UI, that configures them directly to the database. Using your suggestion requires the modification of mosquitto.conf in all the mosquitto bridges and restarting the mosquitto itself. :-(

Thanks both for your replies. Regards.

from mosquitto-auth-plug.

Great!! Many, many thanks... very useful. I'll try it in a few hours.

Regards.

from mosquitto-auth-plug.