Feature request: be able to use CN/Subject/SAN/whatever in an X.509 cert as the client_id #2886
Comments
How is that different from use_identity_as_username and putting %u in the ACL?
Because doing it this way you don't avoid managing usernames.
If you're ignoring usernames anyway, there is a definite advantage in using client ids rather than usernames in that a client id must be unique on the broker, whereas usernames could be shared.
Writing this a different way - I think the feature already exists.
Hello and thank you.
I don't understand what you want the username for. Having a shared username for thousands of devices is basically the same as no authentication at all. So you have the clients require a certificate, their username and client id are identical and come from the certificate, the username isn't used for anything and your ACLs are defined based on the client id. Or did you want some different behaviour that requires all clients to have the same username for another reason?
In fact I don't want to use the username at all (except if I have to, and I think at least 1 user must exist in MQTT).
Thank you for the clarification. I am still convinced that this already exists for you. Use the config:
Then give your clients their certificates. Your clients should connect with no username and no client id. If their certificate is accepted, the broker will extract the CN and copy it to the username of the client, and to the client id of the client. You do not need to manage any usernames. You can use the client id in your ACL. You do not need to have at least one username.
I think you know better than I do about mosquitto used as a broker AND in a TLS context.
Hello to all.
Maybe I'm wrong but here it is.
From the broker point of view, to be able to extract information from the certificate like CN/whole subject/SAN and assign it to the client id with a directive like use_identity_as_clientid. Advantage?
No need to manage thousands of users when you have thousands of devices. That's really a pain in the ass! I don't understand how you people tolerate that.
The use of the %c mark in ACL will be sufficient to forbid a client from seeing other clients' queues, and every client will be under the same username.
If I understand right, use_username_as_clientid does exactly the opposite.
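The setup the maintainer describes (certificate CN copied into the username, username copied into the client id, ACL keyed on the client id) together with the %c pattern the request above asks for, written out as an added example configuration. It is not taken from the thread or from the mosquitto project; the file paths, listener port and topic prefix are assumptions.

```conf
# mosquitto.conf (added example; paths and port are assumed)
listener 8883
allow_anonymous false

# TLS listener: every client must present a certificate signed by this CA
cafile   /etc/mosquitto/ca.crt
certfile /etc/mosquitto/broker.crt
keyfile  /etc/mosquitto/broker.key
require_certificate true

# Copy the certificate CN into the username, then the username into the
# client id. Clients connect with no username/password and no client id;
# the CN is the only identity the broker uses.
use_identity_as_username true
use_username_as_clientid true
# use_subject_as_username true   # alternative: whole subject DN instead of CN

acl_file /etc/mosquitto/acl

# ---- /etc/mosquitto/acl (separate file, shown here for completeness) ----
# %c expands to the client id, which is now the certificate CN, so a device
# whose certificate has CN=sensor-0042 can only touch devices/sensor-0042/...
# Anything not matched by a rule is denied.
pattern readwrite devices/%c/#
pattern read      broadcast/#
```

With this in place no user list is maintained: a client such as `mosquitto_sub --cafile ca.crt --cert sensor-0042.crt --key sensor-0042.key -h broker -p 8883 -t 'devices/sensor-0042/#'` connects without `-u` or `-i`, and the CN is what the ACL sees. Because the client id must be unique on the broker, two certificates issued with the same CN cannot hold a session at the same time, which is the uniqueness property the second comment points out; it also means CN assignment at certificate issuance is the place where per-device isolation is actually decided.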