Feature/add deny option for acl #1611
Conversation
|
Let me know if this feature seems reasonable and if any changes are required. |
|
Thank you for the nudge, and sorry for not getting to look at this earlier - I have been working on other things. I am definitely interested in this and will take a proper look soon. |
|
Looks like a neat feature! |
|
I think that's a good idea, ACL checking really has to be fast. Sorry to be a pain, each of the commits has to have a signed-off-by line in them. Could you fix that please? I think it might be easiest for you to squash all the commits together and do that at the same time. |
|
I'll work on adding a separate deny list for an early exit, definitely necessary for performance with large ACLs. I will try to squash once changes are made. |
…ain topics to be explicitly denied when they might otherwise be allowed through a more open read/write/readwrite option. Example: 'topic readwrite test/#' and 'topic deny test/hello/#' may be added so that a user can read/write to all test/# topics, except for test/hello/#. Signed-off-by: Brandt Hill <[email protected]> Change variable name for clarity. Remember to initialize bool (I'm bad at C). Signed-off-by: Brandt Hill <[email protected]> Add documentation to config man page Signed-off-by: Brandt Hill <[email protected]> Add test case for deny option Signed-off-by: Brandt Hill <[email protected]> Add deny acls to top of the list to preserve early exit Signed-off-by: Brandt Hill <[email protected]> change comments Signed-off-by: Brandt Hill <[email protected]>
|
I've changed it to add deny acl entries to the top of the list, so that once any denials have been passed during the check, any read|write matches can exit early with the assurance that it won't be caught by lingering denials. I've found this approach to be minimally invasive compared to adding a separate I've attempted to squash all of the commits into one with a signoff, but I'm not sure it had the desired effect. Edit- I successfully force pushed my squashed commit 👍 |
BrandtHill
force-pushed
the
feature/add-deny-option-for-acl
branch
from
54f58e3
to
16eecfc
Compare
ralight
force-pushed
the
develop
branch
2 times, most recently
from
cddcfb7
to
b91e783
Compare
BrandtHill
force-pushed
the
feature/add-deny-option-for-acl
branch
from
ffbc22e
to
16eecfc
Compare
ralight
force-pushed
the
develop
branch
2 times, most recently
from
0ed1b50
to
cf1c156
Compare
|
Let me know if my solution looks good. It should have no performance impact on existing ACLs. 👍 |
|
+1 - this feature will help my use case as well. |
|
Thanks @BrandtHill, and sorry for the delay getting to it. It looks nice and is now merged. |
|
Thank you so much, and I hope people find it useful and look forward to its release! |
This features adds an option to the acl_file to allow a user to be explicitly denied access to a topic that might otherwise be granted from a broader topic.
For example in an acl file:
The user
bobwould be granted read/write access to all topics matchingapi/#with the exception of topics matchingapi/sensitive/#.This allows us to configure mosquitto (no extra plugins) more easily without the need for extensive whitelists like this:
Because tests aren't passing on
developbranch currently, I also made these changes offmasterto test.I hope the purpose of these changes was made clear.
Brandt
make testwith your changes locally?