
Dynamic Security

The Cedalo Management Center facilitates managing the dynamic security feature added in version 2.0 of Eclipse Mosquitto.

info

See here for a detailed description of the API of the dynamic security feature.

caution

The dynamic security feature is available since version 2.0 of Eclipse Mosquitto. If you are still using version 1.6, see this guide on how to migrate.

Clients#

This section describes how to manage clients. All actions can be performed from the client overview page, which can be opened from the main menu under the "Dynamic Security" section. Any action a client attempts that is not covered by an ACL of one of its roles falls back to the default ACL access (see "Configuring default access" below).

Create clients#

To create a client, click on the +-Button on the lower right. After that the following dialog opens:

image

The following properties can be set for a new client:

  • Username: the username of the client, i.e., the username that is used for login.
  • Password: the password for the client, i.e., the password that is used for login.
  • Client id: the id of the client.
  • Text name: an optional textual name for the client, e.g., to specify the email address if the client is a person.
  • Text description: an optional textual description for the client.

Username and password are required for creating a client. The client id, text name and text description are optional.

image

After filling out the form fields, press the save button to create the new client. You then will be redirected to the client overview page and the new client should be listed there:

image

Client details are read-only by default. To change them, click the "edit" icon at the bottom, make your changes and finish with "save". Delete a client by clicking the "trash" icon in the client overview table.

Set client roles and groups#

Roles and groups are assigned to a client in the client overview table: open the dropdown box in the client's row and select one or more roles or groups from the list.

info

A client is only usable once at least one role is connected to it, either directly or indirectly through a group that is connected to a role. The ACLs set in those roles determine the rights of the client.

Disable / enable clients#

It is not always necessary to delete a client. To temporarily disable a client, go to the client overview table and click the switch icon on the right side; the same switch re-enables the client later.

Groups#

This section describes how to manage groups. A group collects multiple clients and roles: every client in a group receives the rights of all roles connected to that group. The more clients are added to your broker, the harder they get to administer. Groups help you structure your setup and adjust it quickly.

Create groups#

Create a group by clicking the "+" Button on the bottom right corner. Set a name and description to remind yourself, why you added this particular group.

You can edit the group later by selecting the "edit" icon and saving your changes, or delete the group by clicking the "trash" icon if you no longer need it.

Anonymous group#

Roles#

This section describes how to manage roles and ACLs. A role contains a number of ACLs, each of which explicitly allows or denies one type of action on a topic or topic filter. Add as many ACLs to a role as you need.

Create roles#

Create a role by clicking the "+" Button on the bottom right corner. Set a name and description to remind yourself, why you added this particular role.

In the next step set the ACLs for the role. You can find the ACLs by selecting a role and switching from the "details" tab to the "ACLs" tab.

Add ACLs#

The following ACL types are available:

  • publishClientSend: Restrict the topics a client holding this role is allowed to publish to the broker. The topic may be a filter containing the wildcards + and #.
  • publishClientReceive: Restrict the topics a client holding this role is allowed to receive published messages on from the broker. The topic may be a filter containing the wildcards + and #.
  • subscribeLiteral: Restrict the exact topic filters that a client holding this role is allowed to subscribe to. The filter string is compared literally, so a deny ACL on # only means the client cannot subscribe to the filter # itself; it could still subscribe to test/topic or test/#, for example.
  • subscribePattern: Restrict a range of topic filters that a client holding this role is allowed to subscribe to. The ACL topic is matched as a pattern against the requested subscription filter, so a deny ACL on # blocks every subscription.
  • unsubscribeLiteral: Restrict the exact topic filters that a client holding this role is allowed to unsubscribe from. As with subscribeLiteral, a deny ACL on # only means the client cannot unsubscribe from the filter # itself, but could unsubscribe from test/topic, for example.
  • unsubscribePattern: Restrict a range of topic filters that a client holding this role is allowed to unsubscribe from, matched as a pattern like subscribePattern.

Select the ACL type in the dropdown, enter the topic (or topic filter) and the priority of the ACL, and choose between "allow" and "deny". ACLs with a higher priority are evaluated first, and the first ACL that matches decides; a deny ACL therefore only overrides an allow ACL if it has the higher priority.

Configuring default access#

The default ACL access applies whenever none of the ACLs in a client's roles matches the requested action. The initial configuration sets the default behaviour per ACL type to:

  • publishClientSend: deny
  • publishClientReceive: allow
  • subscribe: deny
  • unsubscribe: allow

You can edit the default settings by clicking on the "edit default ACL access" icon below the roles overview table. Keep publishClientSend and subscribe at "deny" unless you have a specific reason to open them: with these defaults a client can only publish or subscribe where a role explicitly allows it.
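Because the rights of a client are the combination of its direct roles, the roles it inherits through groups, the priority of each role and ACL, and the default ACL access, it is easy to mis-predict what a given client may do. The following added example (written for this page; it is neither Cedalo Management Center nor Mosquitto code) models that evaluation over a constructed database shaped after Mosquitto's dynamic-security.json, and covers the "Add ACLs" and "Configuring default access" sections above. The evaluation order it implements (direct client roles before group roles, higher priority first, literal subscribe ACLs before pattern ACLs, first match wins, default access as the fallback) is the author's reading of the dynamic security documentation; the usernames, role names, group names and topics are invented for the example, and the password fields are omitted because they play no part in ACL evaluation. Verify any conclusion against your own broker before relying on it.

```python
"""Model of how Mosquitto dynamic-security ACLs resolve to allow or deny.

Constructed example for this page, not Cedalo or Mosquitto code. The order of
evaluation (direct client roles, then roles inherited via groups; higher
priority first; literal subscribe ACLs before pattern ACLs; first match wins;
default ACL access otherwise) is this example's reading of the dynsec docs.
"""
import json

# Constructed database shaped after dynamic-security.json; passwords omitted.
DYNSEC_DB = json.loads("""
{
  "defaultACLAccess": {"publishClientSend": false, "publishClientReceive": true,
                       "subscribe": false, "unsubscribe": true},
  "clients": [
    {"username": "sensor-1", "roles": [{"rolename": "sensor", "priority": 0},
                                       {"rolename": "quarantine", "priority": 10}]},
    {"username": "sensor-2", "roles": [{"rolename": "sensor", "priority": 0}]},
    {"username": "dashboard"},
    {"username": "old-gateway", "disabled": true,
     "roles": [{"rolename": "sensor", "priority": 0}]}
  ],
  "groups": [
    {"groupname": "ops", "roles": [{"rolename": "reader", "priority": 0}],
     "clients": [{"username": "dashboard", "priority": 0}]}
  ],
  "roles": [
    {"rolename": "sensor", "acls": [
      {"acltype": "publishClientSend", "topic": "sensors/+/temperature",
       "priority": 0, "allow": true}]},
    {"rolename": "quarantine", "acls": [
      {"acltype": "publishClientSend", "topic": "#", "priority": 0, "allow": false}]},
    {"rolename": "reader", "acls": [
      {"acltype": "subscribePattern", "topic": "sensors/#", "priority": 0, "allow": true},
      {"acltype": "subscribeLiteral", "topic": "#", "priority": 0, "allow": false}]}
  ]
}
""")


def topic_matches(pattern, topic):
    """MQTT topic-filter matching: '+' matches one level, '#' the remainder
    (including the parent level itself). A filter starting with a wildcard
    does not match '$'-prefixed topics such as $SYS/..."""
    plevels, tlevels = pattern.split("/"), topic.split("/")
    if plevels[0] in ("+", "#") and tlevels[0].startswith("$"):
        return False
    for i, level in enumerate(plevels):
        if level == "#":
            return True
        if i >= len(tlevels) or (level != "+" and level != tlevels[i]):
            return False
    return len(plevels) == len(tlevels)


def _by_priority(refs):
    """Higher priority is evaluated first; a missing priority counts as 0."""
    return sorted(refs, key=lambda r: r.get("priority", 0), reverse=True)


class DynsecModel:
    ACTIONS = ("publishClientSend", "publishClientReceive", "subscribe", "unsubscribe")

    def __init__(self, db):
        self.clients = {c["username"]: c for c in db.get("clients", [])}
        self.groups = {g["groupname"]: g for g in db.get("groups", [])}
        self.roles = {r["rolename"]: r for r in db.get("roles", [])}
        self.defaults = db["defaultACLAccess"]

    def _roles_for(self, username):
        """Roles in evaluation order: direct roles, then roles of each group."""
        names = [r["rolename"] for r in _by_priority(self.clients[username].get("roles", []))]
        memberships = [(g, m) for g in self.groups.values()
                       for m in g.get("clients", []) if m["username"] == username]
        for group, _ in sorted(memberships, key=lambda gm: gm[1].get("priority", 0), reverse=True):
            names += [r["rolename"] for r in _by_priority(group.get("roles", []))]
        return [self.roles[n] for n in names if n in self.roles]

    def _match_role(self, role, action, topic):
        """True/False from the first matching ACL of this role, None if none match."""
        acls = role.get("acls", [])
        if action in ("subscribe", "unsubscribe"):
            for acl in acls:  # literal ACLs compare the filter string exactly
                if acl["acltype"] == action + "Literal" and acl["topic"] == topic:
                    return acl["allow"]
            candidates = [a for a in acls if a["acltype"] == action + "Pattern"]
        else:
            candidates = [a for a in acls if a["acltype"] == action]
        for acl in _by_priority(candidates):
            if topic_matches(acl["topic"], topic):
                return acl["allow"]
        return None

    def check(self, username, action, topic):
        """Would `username` be allowed to perform `action` on `topic`?"""
        if action not in self.ACTIONS:
            raise ValueError("unknown ACL action: %s" % action)
        client = self.clients.get(username)
        if client is None or client.get("disabled", False):
            return False  # unknown or disabled clients never get past authentication
        for role in self._roles_for(username):
            verdict = self._match_role(role, action, topic)
            if verdict is not None:
                return verdict
        return self.defaults[action]


if __name__ == "__main__":
    model = DynsecModel(DYNSEC_DB)
    for user, action, topic in [("sensor-2", "publishClientSend", "sensors/sensor-2/temperature"),
                                ("sensor-1", "publishClientSend", "sensors/sensor-1/temperature"),
                                ("dashboard", "subscribe", "#"),
                                ("dashboard", "subscribe", "sensors/#")]:
        print("%-12s %-18s %-30s %s" % (user, action, topic, model.check(user, action, topic)))
```

Points the run makes visible: sensor-1 is denied publishing even though its "sensor" role allows the topic, because the "quarantine" role has the higher priority and its deny on # is evaluated first; the dashboard client, which has no direct roles, inherits "reader" through the "ops" group, so the literal deny on # stops a subscription to # itself while the pattern allow on sensors/# still admits sensors/# and sensors/+/temperature; and every action no ACL mentions (the dashboard receiving or unsubscribing, any client publishing to control/...) is decided purely by the default ACL access.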