
unable to use mosquitto_pub with dynamic security to create new users


My question is how come I can't use mosquitto_pub to create new users?

I can't seem to use the mosquitto_pub command to create new users in Dynamic Security based on instructions given by this readme file:

https://github.com/eclipse/mosquitto/blob/master/plugins/dynamic-security/README.md

In terms of what I tried, I successfully made a new user and role first with mosquitto_ctrl command just to ensure dynamic security was working. Then I tried the mosquitto_pub command, which failed. Let me provide details for both the mosquitto_ctrl and mosquitto_pub scenarios below.

SUCCESS: Using mosquitto_ctrl

I created a role like this:

mosquitto_ctrl -u steve -P Pass1234 dynsec createRole role0
mosquitto_ctrl -u steve -P Pass1234 dynsec addRoleACL role0 publishClientSend pizza allow
mosquitto_ctrl -u steve -P Pass1234 dynsec addRoleACL role0 subscribeLiteral pizza allow

Then I made a user like this:

mosquitto_ctrl -u steve -P Pass1234 dynsec createClient user0
mosquitto_ctrl -u steve -P Pass1234 dynsec addClientRole user0 role0 1

I open one terminal and put in this command:

mosquitto_sub -u user0 -P Pass1234 -t chocolate

I open a second terminal window and put in this command:

mosquitto_pub -u user0 -P Pass1234 -t chocolate -m 'I love chocolate'

The result is that the first terminal window prints 'I love chocolate'.

FAIL: Using mosquitto_pub

Since the role0 already exists, I figure I can create a new user and just assign role0 to that user. I run this command:

mosquitto_pub -u steve -P Pass1234 -t '$CONTROL/dynamic-security/v1' -m '{"command": "createClient", "username":"user1", "password":"Pass1234", "roles":[{"rolename":"role0", "priority":1}]}';

Then I try this command

mosquitto_sub -u user1 -P Pass1234 -t chocolate

The result is Connection error: Connection Refused: not authorised. If I do a systemctl restart mosquitto.service, both user0 and user1 get the same connection not authorized error. Throughout all the experiments above, the /etc/mosquitto/dynamic-security.json only shows the client steve and the admin role that I initially and manually set up after fresh installation of mosquitto 2.0.


Solution

  • I figured it out. This command worked:

    mosquitto_pub -u steve -P Pass1234 -t '$CONTROL/dynamic-security/v1' -m '{"commands":[{"command": "createClient", "username":"user0", "password":"Pass1234", "roles":[{"rolename":"role0", "priority":1}]}]}';
    

    Basically I needed to wrap my command with {"commands": ... }.

    AND I also had to make sure I remedy this situation here:

    Prevent systemctl restart mosquitto.service from resetting Dynamic Security
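
The wrapping rule from the answer above, as an added example (not part of the original post or of the Mosquitto project): it normalises a bare command into the `{"commands": [...]}` envelope, builds the quoted `mosquitto_pub` line, and extracts errors from a reply. The function names are hypothetical, and the `/response` topic and the `{"responses": [...]}` reply shape are taken from the plugin's documentation rather than from this page.

```python
import json
import shlex

CONTROL_TOPIC = "$CONTROL/dynamic-security/v1"
RESPONSE_TOPIC = CONTROL_TOPIC + "/response"  # plugin replies are published here


def wrap_commands(payload):
    """Normalise a JSON string into the {"commands": [...]} envelope.

    A bare command object (the form that failed in the question) is wrapped;
    an already-wrapped payload is validated.
    """
    doc = json.loads(payload)
    if not isinstance(doc, dict):
        raise ValueError("payload must be a JSON object")
    if "commands" in doc:
        commands = doc["commands"]
    elif "command" in doc:
        commands = [doc]  # bare command: wrap it
    else:
        raise ValueError('payload has neither "commands" nor "command"')
    if not isinstance(commands, list) or not commands:
        raise ValueError('"commands" must be a non-empty array')
    for entry in commands:
        if not isinstance(entry, dict) or not isinstance(entry.get("command"), str):
            raise ValueError('every entry needs a string "command" field')
    return {"commands": commands}


def pub_command_line(user, password, payload):
    """Build a shell-quoted mosquitto_pub line carrying the wrapped payload."""
    msg = json.dumps(wrap_commands(payload), separators=(",", ":"))
    argv = ["mosquitto_pub", "-u", user, "-P", password,
            "-t", CONTROL_TOPIC, "-m", msg]
    return " ".join(shlex.quote(arg) for arg in argv)


def failed_commands(response):
    """Return (command, error) pairs from a message read on RESPONSE_TOPIC."""
    replies = json.loads(response).get("responses", [])
    return [(r.get("command"), r["error"]) for r in replies if "error" in r]


if __name__ == "__main__":
    # The payload from the question, sent without the "commands" wrapper.
    bare = ('{"command": "createClient", "username": "user1", '
            '"password": "Pass1234", "roles": [{"rolename": "role0", "priority": 1}]}')
    print(pub_command_line("steve", "Pass1234", bare))
```

Keeping `mosquitto_sub -u steve -P Pass1234 -t '$CONTROL/dynamic-security/v1/response'` open in another terminal while publishing shows the plugin's reply, which `failed_commands` can then check for an `error` field.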