
I am using the built-in security plugin from Mosquitto to define access to my broker. So far I've set up clients, roles and groups using mosquitto_ctrl <connection options> dynsec <command> ... commands (see mosquitto).

The broker is running in a Docker container. However, I'd like to manage the dynamic security plugin from another Docker container, i.e. from outside. To be precise, I'd like to connect to the broker (e.g. with python paho) with the admin credentials and publish modifications to the security plugin.

I assume that this must be possible as in the documentation it is explicitly mentioned:

All control of the plugin after initial installation is through the MQTT topic API at $CONTROL/dynamic-security/v1. This allows integrations to be built, but isn't the best choice for people to use directly.

E.g for listing all clients I imagine using something like

mosquitto_pub -h localhost -p 1883 -t $CONTROL/dynamic-security/v1 -m "{"command":listClients}" -u "mqtt-admin" -P "pwd"

and

mosquitto_sub -h localhost -p 1883 -t $CONTROL/dynamic-security/v1 -u "mqtt-admin" -P "pwd"

Unfortunately, I couldn't get it working. Does anybody know how to use the plugin as an API?
Thanks!

P.S.: I've found some more hints on using publish commands in the mosquitto GitHub repo, saying the message should look like this:

{
    "commands":[
        {
            "command": "listClients",
            "verbose": false,
            "count": -1, # -1 for all, or a positive integer for a limited count
            "offset": 0 # Where in the list to start
        }
    ]
}

Edit:
I was finally able to resolve it with the help of hardillb.

  1. Subscribe like so:
mosquitto_sub -h localhost -p 1883 -t '$CONTROL/dynamic-security/v1/#' -u "mqtt-admin" -P "pwd"
  2. Publish like so:
mosquitto_pub -h localhost -p 1883 -t '$CONTROL/dynamic-security/v1' -m '{"commands": [{"command": "listClients"}]}' -u "mqtt-admin" -P "pwd"

The list of clients will then be given on the subscription side.

  • Where are you running the `mosquitto_pub` commands? `localhost` will always point to the TCP/IP stack where the code is running and each docker container has its own TCP/IP stack. – hardillb Jan 25 '22 at 20:38
  • `mosquitto_pub` (bash) and `localhost` would only be an example and simplest setup. Ultimately it shall be on a server with a public IP and instead of `mosquitto_pub` I will most likely use the mqtt python package _paho_. But what would be the topic and message in this case? – lukkaz Jan 25 '22 at 22:47
  • I know this doesn't answer your question directly, but have you seen the Cedalo Management Center sources? There you can find how JSON payloads sent to Mosquitto dynamic security module are arranged https://github.com/cedalo/management-center/blob/ad097638044c36a4a3c97575ba93cc137406862a/frontend/src/client/BaseMosquittoProxyClient.js#L278 – dschulz Apr 26 '22 at 19:48

1 Answer

You need to put single quotes (not double quotes) round the topics, as the shell will try to replace $CONTROL as an environment variable, which is most likely empty.

mosquitto_pub -h localhost -p 1883 -t '$CONTROL/dynamic-security/v1' -m '{"commands": [{"command": "listClients"}]}' -u "mqtt-admin" -P "pwd"
    Yes! Thanks! That was crucial. Additionally, the message also needs to be wrapped in single quotes: `'{"commands": [{"command": "listClients"}]}'` – lukkaz Jan 25 '22 at 23:45
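The same two steps from the question's Edit done from Python with paho, as the asker planned in the comments; this is an added example, not code from the question, the answer or the Mosquitto project. It subscribes to `$CONTROL/dynamic-security/v1/#` first, publishes the `{"commands": [...]}` envelope only once the subscription is acknowledged (so the reply cannot be missed), and parses the reply the plugin publishes on the `/response` subtopic as a `{"responses": [...]}` document; that subtopic and field name come from the plugin's documentation, not from this page. The host name `broker` is a placeholder, the credentials are the ones from the question, and `paho-mqtt` must be installed.

```python
import json
import threading

CONTROL_TOPIC = "$CONTROL/dynamic-security/v1"   # commands are published here
RESPONSE_SUFFIX = "/response"                    # the plugin answers on CONTROL_TOPIC + this

def build_command(command, **params):
    """Wrap one dynsec command in the {"commands": [...]} envelope the plugin expects."""
    body = {"command": command}
    body.update(params)                          # e.g. verbose=False, count=-1, offset=0
    return json.dumps({"commands": [body]})

def parse_response(payload):
    """Return (command, data, error) per entry; a failed command carries "error" instead of "data"."""
    doc = json.loads(payload)
    return [(r.get("command"), r.get("data"), r.get("error")) for r in doc.get("responses", [])]

def run_dynsec_command(host, port, username, password, command, timeout=5.0, **params):
    """Publish one command with the admin credentials and block until the plugin replies."""
    import paho.mqtt.client as mqtt              # imported lazily: only needed when a broker is involved
    done = threading.Event()
    result = []

    def on_connect(client, userdata, flags, rc, *extra):
        client.subscribe(CONTROL_TOPIC + "/#")   # subscribe first, publish only after it is confirmed

    def on_subscribe(client, userdata, mid, *extra):
        client.publish(CONTROL_TOPIC, build_command(command, **params))

    def on_message(client, userdata, msg):
        if msg.topic.endswith(RESPONSE_SUFFIX):  # ignore anything that is not the plugin's reply
            result.extend(parse_response(msg.payload))
            done.set()

    try:
        client = mqtt.Client(mqtt.CallbackAPIVersion.VERSION1)  # paho-mqtt >= 2.0
    except AttributeError:
        client = mqtt.Client()                                   # paho-mqtt 1.x
    client.username_pw_set(username, password)
    client.on_connect, client.on_subscribe, client.on_message = on_connect, on_subscribe, on_message
    client.connect(host, port)
    client.loop_start()
    if not done.wait(timeout):                   # no reply: report it instead of hanging forever
        result.append((command, None, "no response within %.1fs" % timeout))
    client.loop_stop()
    client.disconnect()
    return result

if __name__ == "__main__":
    # "broker" is a placeholder host; credentials and port are the ones from the question
    for cmd, data, err in run_dynsec_command("broker", 1883, "mqtt-admin", "pwd", "listClients"):
        print(cmd, err if err else data)
```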