Tags: authentication, redis, mqtt, acl, mosquitto

How to use redis as a backend for mosquitto ACL


I am working on Mosquitto and plan to use Redis as the back end to handle both username/password pair authentication and ACL. I am using JPmens' authentication plugin to do this.

The mosquitto conf:

auth_opt_backends redis
auth_plugin /etc/mosquitto/auth-plug.so
auth_opt_redis_host 127.0.0.1
auth_opt_redis_port 6379
auth_opt_redis_userquery GET %s
auth_opt_redis_aclquery GET %s-%s

The following name/password pair works fine for authentication:

SET user1 PBKDF2$sha256$901$Qh18ysY4wstXoHhk$g8d2aDzbz3rYztvJiO3dsV698jzECxSg

The following setting won't work for the ACL:

SET user1-test 2

Following are the mosquitto logs:

1507037072: Denied PUBLISH from mosqpub/3838-ip-172-31- (d0, q0, r0, m0, 'user1-test', ... (4 bytes))
1507037072: Received DISCONNECT from mosqpub/3838-ip-172-31-

So, whenever I try to pub/sub, mosquitto authenticates the user but doesn't allow publishing and disconnects the user.

Testing with:

mosquitto_pub -p 1884 -t "test" -m "demo" -u user1 -P xyz 

For sub:

mosquitto_sub -p 1884 -t "test" -u user1 -P xyz

Solution

  • OK, I've worked this out.

    There is an important bit missing from the logs you provided. You should have included the following line:

    1507135115: ACL denying access to client with dangerous client id "mosqpub/2232-tiefighter"

    The problem is that the plugin is blocking because the client id contains a '/'.

    The following section is in the code:

    /* We are using pattern based acls. Check whether the username or
     * client id contains a +, # or / and if so deny access.
     *
     * Without this, a malicious client may configure its username/client
     * id to bypass ACL checks (or have a username/client id that cannot
     * publish or receive messages to its own place in the hierarchy).
     */

    The solution is to set the client id for mosquitto_sub and mosquitto_pub with the -i option e.g.:

    mosquitto_pub -p 1884 -t "test" -m "demo" -u user1 -P xyz -i publisher
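As an added example (not from the question, the answer, or the auth-plug project), the following Python reproduces the two steps the answer describes: the "dangerous id" check that rejects a username or client id containing `+`, `#` or `/`, and the Redis lookup built from the configured `GET %s-%s` query, which turns the username and topic into the key `user1-test`. The `REDIS_STUB` dict is a constructed stand-in for the Redis keyspace (the `user2-test` entry is made up), the helper names are mine, and treating the stored integer as a bit mask of read (1) and write (2) is an assumption about the plugin's semantics rather than something the page states.

```python
# Added example: models the pattern-based ACL path described in the answer.
# Not the auth-plug project's code; an in-memory dict stands in for Redis.
from typing import Dict, Tuple

ACL_READ = 1    # subscribe, mirrors mosquitto's MOSQ_ACL_READ
ACL_WRITE = 2   # publish, mirrors mosquitto's MOSQ_ACL_WRITE

# Characters the plugin refuses in a username or client id (from the C comment).
DANGEROUS_CHARS = frozenset("+#/")

# Constructed stand-in for the Redis keyspace in the question.
# "user2-test" is an invented entry granting both read and write.
REDIS_STUB: Dict[str, str] = {
    "user1": "PBKDF2$sha256$901$Qh18ysY4wstXoHhk$g8d2aDzbz3rYztvJiO3dsV698jzECxSg",
    "user1-test": "2",
    "user2-test": "3",
}

# auth_opt_redis_aclquery from the question's mosquitto.conf
ACL_QUERY = "GET %s-%s"


def is_dangerous_id(value: str) -> bool:
    """True if a username/client id contains a wildcard or a level separator."""
    return any(c in DANGEROUS_CHARS for c in value)


def build_acl_key(query: str, username: str, topic: str) -> str:
    """Expand the configured 'GET %s-%s' query into the Redis key it reads."""
    cmd, fmt = query.split(" ", 1)
    if cmd.upper() != "GET":
        raise ValueError(f"unsupported ACL query command: {cmd}")
    return fmt % (username, topic)


def acl_check(store: Dict[str, str], client_id: str, username: str,
              topic: str, access: int) -> Tuple[bool, str]:
    """Return (allowed, reason) for one publish/subscribe attempt.

    Order matters: the dangerous-id check runs before any Redis lookup, so a
    client id like "mosqpub/3838-ip-172-31-" is denied even when the ACL key
    exists. That is exactly the case in the question.
    """
    for label, value in (("client id", client_id), ("username", username)):
        if is_dangerous_id(value):
            return False, f'ACL denying access to client with dangerous {label} "{value}"'

    key = build_acl_key(ACL_QUERY, username, topic)
    raw = store.get(key)
    if raw is None:
        return False, f"no ACL entry under key {key!r}"
    try:
        granted = int(raw)
    except ValueError:
        return False, f"ACL entry {key!r} is not an integer: {raw!r}"

    # Assumption: the stored value is a bit mask of ACL_READ | ACL_WRITE.
    if granted & access:
        return True, f"key {key!r} grants {granted}, requested {access}"
    return False, f"key {key!r} grants {granted}, requested {access}"


if __name__ == "__main__":
    # Replay the question: default mosquitto_pub client id vs. "-i publisher".
    for cid in ("mosqpub/3838-ip-172-31-", "publisher"):
        allowed, why = acl_check(REDIS_STUB, cid, "user1", "test", ACL_WRITE)
        print(f"{cid:28s} publish test -> {'ALLOW' if allowed else 'DENY '} ({why})")
```

Running it shows the default `mosqpub/...` client id denied before Redis is consulted and the `-i publisher` client id allowed by the `user1-test` entry; under the bit-mask assumption that same entry (value 2) would not grant a subscribe, which is why a read/write entry such as 3 is the natural choice for a client that both publishes and subscribes.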