
I am using RabbitMQ MQTT and I would like only to allow one user to publish to topics, and all other users to only subscribe. I understand that running rabbitmqctl set_permissions -p 'vhost' 'username' '.*' '.*' '.*' will give the user permission to do anything on the vhost. How do I use the rabbitmqctl set_permissions to allow the user to only subscribe to MQTT topics?

Xavier Mukodi

1 Answer


The rabbitmqctl set_permissions structure is:

rabbitmqctl set_permissions [-p <vhostpath>] <user> <configure> <write> <read>

So following your request, you would use the set_permissions command with blank regular expressions for configure and write permissions and .* for read permissions, like:

rabbitmqctl set_permissions -p your_vhost your_user "" "" ".*"

UPD: Subscribing to a topic results in the MQTT plugin creating a queue and a binding, which requires configure and write permissions in that case, so you can limit access to certain queues and exchange patterns kinda like this:

rabbitmqctl set_permissions -p your_vhost your_user "^mqtt-subscription-.*$" "^mqtt-subscription-.*$" ".*"

allowing the user to configure and write only to the specific queues that the MQTT plugin would create, and to read from all queues.

Yahor Barkouski
  • With those permissions the client is failing to subscribe to any topic. I am seeing this error in the RabbitMQ log `MQTT resource access refused: configure access to queue 'mqtt-subscription-client-idqos0' in vhost '/' refused for user 'consumer'`. Seems like the configure permission is required for subscription. Even the write permission to some extent, because if I set both configure and read to `.*`, the subscription fails with the error `Failed to add binding between exchange 'amq.topic' in vhost '/' and queue 'mqtt-subscription-client-idqos0'` – Xavier Mukodi Jun 11 '23 at 12:28
  • I bet subscribing to a topic results in the MQTT plugin creating a queue and a binding, which requires configure and write permissions in that case, so you can limit access to certain queue and exchange patterns kinda like this: `rabbitmqctl set_permissions -p your_vhost your_user "^mqtt-subscription-.*$" "^mqtt-subscription-.*$" ".*"` allowing the user to configure and write only to the specific queues that the MQTT plugin would create and read from all queues – Yahor Barkouski Jun 11 '23 at 13:10
  • That works thank you. Please edit your answer so that I can mark it as the accepted one. – Xavier Mukodi Jun 11 '23 at 15:42
  • I'm glad it helped! Just edited it, thank you for the reminder! @XavierMukodi – Yahor Barkouski Jun 11 '23 at 16:31
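As an added illustration (not code from the question, the answer, or RabbitMQ itself), the script below simulates how the three permission patterns from the answer gate each broker operation behind an MQTT subscribe and publish, using the queue and exchange names quoted in the comments' log lines. It assumes RabbitMQ's documented rule that an empty pattern grants nothing and a non-empty one is matched as a regex, and the AMQP mapping that queue.declare needs configure on the queue, queue.bind needs write on the queue plus read on the exchange, basic.consume needs read on the queue, and basic.publish needs write on the exchange.

```python
"""Simulate RabbitMQ's (configure, write, read) permission triple against the
broker-side operations an MQTT subscribe or publish performs."""
import re

# Names constructed from the log lines on the page: subscribing makes the MQTT
# plugin declare a queue mqtt-subscription-<client-id>qos<n> and bind it to amq.topic.
QUEUE = "mqtt-subscription-client-idqos0"
EXCHANGE = "amq.topic"

# Each operation and the (permission, resource) it is checked against (assumed
# AMQP/RabbitMQ mapping, see lead-in).
SUBSCRIBE_OPS = [
    ("queue.declare", "configure", QUEUE),
    ("queue.bind", "write", QUEUE),        # binding writes to the queue...
    ("queue.bind", "read", EXCHANGE),      # ...and reads from the exchange
    ("basic.consume", "read", QUEUE),
]
PUBLISH_OPS = [("basic.publish", "write", EXCHANGE)]


def allowed(pattern, name):
    """Assumed set_permissions semantics: an empty pattern grants nothing,
    anything else is matched as a regular expression against the name."""
    return pattern != "" and re.search(pattern, name) is not None


def first_refusal(perms, ops):
    """Return the first (operation, permission, resource) that is refused,
    or None when every operation in ops is permitted."""
    for op, perm, name in ops:
        if not allowed(perms[perm], name):
            return (op, perm, name)
    return None


# The permission sets discussed on the page, in set_permissions argument order.
READ_ONLY = {"configure": "", "write": "", "read": ".*"}          # first attempt
NO_WRITE = {"configure": ".*", "write": "", "read": ".*"}         # second attempt
MQTT_SUBSCRIBER = {"configure": "^mqtt-subscription-.*$",
                   "write": "^mqtt-subscription-.*$", "read": ".*"}  # accepted answer
PUBLISHER = {"configure": ".*", "write": ".*", "read": ".*"}       # the one publishing user

if __name__ == "__main__":
    for label, perms in [("READ_ONLY", READ_ONLY), ("NO_WRITE", NO_WRITE),
                         ("MQTT_SUBSCRIBER", MQTT_SUBSCRIBER), ("PUBLISHER", PUBLISHER)]:
        print(f"{label:16} subscribe -> {first_refusal(perms, SUBSCRIBE_OPS)}")
        print(f"{label:16} publish   -> {first_refusal(perms, PUBLISH_OPS)}")
```

The first two sets reproduce the two refusals reported in the comments (configure on the queue, then write on the queue at bind time), while the accepted pattern lets the subscribe complete but still refuses write on amq.topic, which is what keeps the user from publishing.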