How to authorize or restrict a user from subscribing and publishing to a particular topic in the ejabberd MQTT module?

I am using ejabberd 19.02 for MQTT communication between clients. I can authenticate users using the "external" auth method, by just validating the user name and password.

I also have a requirement that one user is allowed to publish to one topic and another user is not allowed to publish to that topic. The same goes for subscription as well. I believe it is authorization or access control. How can I achieve the above in the ejabberd MQTT server?

I saw the "Access rules" configuration, but it seems it does not match the need to limit topic subscription/publishing for some users.

Can it be controlled like Authentication - like give responsibility external

user2610053 On BEST ANSWER

The module mod_mqtt provides two options for access control: access_subscribe and access_publish. The former can be used to restrict access for subscribers and the latter can be used to restrict access for publishers. Both accept a mapping filter: rule, where filter is an MQTT topic filter and rule is the standard ejabberd access rule.

As an example, let's say user1@domain.tld is only able to publish to topic "/foo/bar/" and its subtopics, while user2@domain.tld is only able to subscribe to this topic and its subtopics. The configuration will look something like this:

acl:
  ...
  publisher:
    user:
      "user1" : "domain.tld"
  subscriber:
    user:
      "user2" : "domain.tld"

modules:
  ...
  mod_mqtt:
    access_publish:
      "/foo/bar/#":
        - allow: publisher
        - deny
      "#":
        - deny
    access_subscribe:
      "/foo/bar/#":
        - allow: subscriber
        - deny
      "#":
        - deny
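
The policy in the answer above can be checked offline with a small model before it is deployed. This is an added example, not part of the original answer and not ejabberd's code: `topic_matches` and `decide` are hypothetical helpers, and it assumes filters are tried in the listed order with the first matching filter deciding, and that a bare `deny` applies to everyone.

```python
# Model of the answer's access_publish / access_subscribe policy (added example).
# ASSUMPTION: filters are tried in listed order; the first one that matches decides.

def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT filter matching: '+' matches one level, '#' matches the remainder."""
    f_levels, t_levels = topic_filter.split("/"), topic.split("/")
    # A wildcard in the first level never matches topics beginning with '$'.
    if topic.startswith("$") and f_levels[0] in ("#", "+"):
        return False
    for i, level in enumerate(f_levels):
        if level == "#":
            return True  # also matches the parent level, e.g. "/foo/bar"
        if i >= len(t_levels) or (level != "+" and level != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)

# ACLs and access options transcribed from the configuration in the answer.
ACL = {
    "publisher": {("user1", "domain.tld")},
    "subscriber": {("user2", "domain.tld")},
}
ACCESS = {
    "publish": [("/foo/bar/#", [("allow", "publisher"), ("deny", "all")]),
                ("#", [("deny", "all")])],
    "subscribe": [("/foo/bar/#", [("allow", "subscriber"), ("deny", "all")]),
                  ("#", [("deny", "all")])],
}

def decide(action: str, user: str, server: str, topic: str):
    """Return 'allow' or 'deny', or None when no configured filter matches.

    Only concrete topic names are modelled; a subscription that itself
    contains wildcards is outside this sketch.
    """
    for topic_filter, rules in ACCESS[action]:
        if not topic_matches(topic_filter, topic):
            continue
        for verdict, acl_name in rules:
            if acl_name == "all" or (user, server) in ACL[acl_name]:
                return verdict
        return "deny"  # an access rule with no matching entry denies
    return None

if __name__ == "__main__":
    for who in ("user1", "user2"):
        for action in ("publish", "subscribe"):
            print(who, action, decide(action, who, "domain.tld", "/foo/bar/baz"))
```

Note that the leading slash creates an empty first topic level, so `foo/bar/baz` is not covered by `/foo/bar/#` and falls through to the `#` deny entry.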