%c and %u not working with the dynamic security plugin. #2222

Open
rabirajkhadka opened this issue Jun 3, 2021 · 9 comments
Labels
Component: mosquitto-broker Status: Completed Nothing further to be done with this issue, it can be closed by the requestor or committer. Type: Enhancement A new feature for a minor or major release.

@rabirajkhadka

rabirajkhadka commented Jun 3, 2021

For the roles assigned in the dynamic security plugin, the use of %c and %u is not working as expected, as it does when used with the ACL file.
In the ACL file, the use of pattern readwrite data/%u/# allows the user named userone to access the topic data/userone/messages, and similarly for other usernames, but the same does not apply to the dynamic security plugin when such characters are used.
Given below is my sample role configuration, which allows topic subscription and publishing using only the characters "%u" themselves.

{
  "rolename": "sampleRole",
  "textname": "TN",
  "textdescription": "TD",
  "acls": [{
    "acltype": "publishClientSend",
    "topic": "%u/#",
    "priority": 0,
    "allow": true
  }, {
    "acltype": "publishClientReceive",
    "topic": "%u/#",
    "priority": 0,
    "allow": true
  }, {
    "acltype": "subscribePattern",
    "topic": "%u/#",
    "priority": 0,
    "allow": true
  }, {
    "acltype": "unsubscribePattern",
    "topic": "%u/#",
    "priority": 0,
    "allow": true
  }]
}

We can create separate roles for the individual users by appending the respective username to the ACL topic, but I am looking for a generic implementation of the automatic username fetching feature, based on characters such as %c or %u, to be used with the dynamic security plugin.
Are there any other ways to define the roles to achieve the same thing?

Note: using both acl_file with content pattern readwrite %u/# and dynamic security plugin with the above-mentioned role didn't achieve the expected result.
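
The behaviour reported above, as an added example that is not part of this thread or of Mosquitto's code: a simplified model of MQTT topic matching that shows why a role topic of %u/# matches only the literal level "%u" without substitution, and what per-user expansion changes. The function names, the sample usernames and topics, and the rule that values containing +, # or / are refused are assumptions of this example.

```python
import re

UNSAFE = set("+#/")  # assumption: values containing these are never substituted

def topic_matches(acl_filter, topic):
    """MQTT filter match: '+' is one level, '#' is the rest of the topic."""
    f_levels, t_levels = acl_filter.split("/"), topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return i == len(f_levels) - 1  # '#' is only valid as the last level
        if i >= len(t_levels):
            return False
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)

def expand(pattern, username, clientid):
    """Replace %u/%c in one pass; None means the ACL cannot apply to this client."""
    values = {"%u": username, "%c": clientid}
    for token in set(re.findall(r"%[uc]", pattern)):
        # Anonymous clients and names carrying wildcards or separators get no match,
        # otherwise a username of "+" would turn "%u/#" into "+/#".
        if not values[token] or UNSAFE & set(values[token]):
            return None
    # Single pass: a username that itself contains "%c" is not expanded again.
    return re.sub(r"%[uc]", lambda m: values[m.group()], pattern)

def allowed(acl_topic, topic, username, clientid, substitute):
    """substitute=False models the literal handling reported in this issue."""
    if substitute:
        acl_topic = expand(acl_topic, username, clientid)
        if acl_topic is None:
            return False
    return topic_matches(acl_topic, topic)

if __name__ == "__main__":
    # Constructed sample clients and topics, checked against the role topic "%u/#".
    samples = [("userone", "userone/messages"), ("userone", "usertwo/messages"),
               ("userone", "%u/messages"), ("+", "usertwo/messages")]
    for user, topic in samples:
        literal = allowed("%u/#", topic, user, "client1", substitute=False)
        expanded = allowed("%u/#", topic, user, "client1", substitute=True)
        print(f"user={user!r} topic={topic!r} literal={literal} expanded={expanded}")
```
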

@ralight
Contributor

ralight commented Jun 10, 2021

I'm afraid at the moment the %c and %u options aren't available in the dynsec ACLs. I intend for them to be part of version 2.1.

@ralight
Contributor

ralight commented Aug 22, 2021

The code in develop now supports %c and %u and will be part of 2.1.

@ralight ralight added this to the 2.1 milestone Aug 22, 2021
@ralight ralight added Component: mosquitto-broker Status: Completed Nothing further to be done with this issue, it can be closed by the requestor or committer. Type: Enhancement A new feature for a minor or major release. labels Aug 22, 2021
@KaloNK

KaloNK commented Oct 27, 2021

Hi,
I hit the same problem, so I guess I will need to wait for 2.1 in December, but while at it ...
Are there any plans to add other certificate fields like:
OU: OrganizationalUnit
O: Organization
L: Locality
S: StateOrProvinceName
C: CountryName
It will be great to give devices with OU:Sensors the right to publish temperature data with a single rule, for example, and then control that right on certificate generation without the need to modify config.

@fellnerse

@ralight awesome, I'm looking forward to this as well!

@yorch

yorch commented Mar 23, 2022

Just came across this as I've started using this plugin. Great plugin, thanks! Would you know when this functionality will be released?

@guuslangelaar0

Is there any information about when 2.1 will be released? https://projects.eclipse.org/projects/iot.mosquitto shows it should've been released 4 months ago

@moritzj29

I just started to use the plugin and was hoping to use this functionality for creating my roles. Unfortunately 2.1 appears to be not released still??
Anyhow, the relevant commit in the development version is c9c5889

@ZaikinaEvgeniya-2

I hope this will be in release soon

@EmixamPP

> Anyhow, the relevant commit in the development version is c9c5889

The first relevant commit is this one: 0cd2619

You can find the commit history for that plugin since that commit here: https://github.com/eclipse/mosquitto/commits/develop/plugins/dynamic-security?since=2021-06-10&after=1bb2299b0f3e44624cf3057f773cb8235e7f09b3+104
