Access control in Mosquitto MQTT Broker

Question

How can I restrict publishing to only selected users on a Mosquitto MQTT broker?

I want some users to be able to subscribe, some other users to be able to publish and I need these two groups of users separated.

I know there is an authorization control that allows access with username:password. But it is not clear to me how to assign roles to users.

If there are no such role assignments, is setting different ports for publishers and subscribers possible?

Answer 1

The man page for the mosquitto config file covers all this.

The acl_file option specifies the file that holds the ACL list. The file contains groups of entries that control access to either a topic or pattern to match against a topic. e.g.

user user1
topic read foo/bar

user user2
topic readwrite foo/bar

This allows user1 to read from topic foo/bar and allows user2 to both read and write to the topic.

The password_file option can be used to specify the file to find username/password mappings. This file is edited with the mosquitto_passwd command, here is it's man page.

Both these options can be replaced by a plugin that provides an API to authenticate and authorize users. At the moment there is only one publicly available plugin that supports multiple different database backends to store user/acl data. You can find it here