ACL restriction based on clientids

Hello,

Can anyone kindly help me with ACL configuration of HiveMQ community/enterprise edition where we can restrict based on client IDs?

I tested a few configurations using the file-rbac-extension, but it only supports defining users and roles and mapping the roles to those users.
There isn’t a way to map the roles to specific clientIDs. For example, for clientIDs falling under the regex ^abc-client, I need to control the publish and subscribe - how can I do this?

Hi @alexchow,

I hope you’re doing well!

Here’s an example of mapping the current client ID to a permission topic that may help with your implementation:

GitHub - HiveMQ File RBAC Extension Example

Please let me know if this addresses your question and helps with your use case. I’m happy to assist further if needed!

Best regards,
Dasha from The HiveMQ Team

Hello @Daria_H,
Thank you for the prompt response.

I understand the configuration provided helps to get the connected clientID and use that in the topic restriction, which I have already done. But this doesn’t address my requirement/issue.

I have the below set of permissions defined for a role:

    <role>
        <id>test-role</id>
        <permissions>
            <permission>
                <!-- PUBLISH to pub/# -->
                <topic>pub/#</topic>
                <activity>PUBLISH</activity>
            </permission>
            <permission>
                <!-- SUBSCRIBE to sub/# -->
                <topic>sub/#</topic>
                <activity>SUBSCRIBE</activity>
            </permission>
        </permissions>
    </role>

Now, how can I map this role to only a set of clientIDs which fall under a regex pattern, say ^abc-client - meaning, only the clientIDs which start with abc-client would get this permission/role, and other clientIDs shouldn’t get this role/permission even if they use the same username/password.

Hi @alexchow

Thank you for your follow-up!

To restrict permissions based on specific client IDs, you can use the HiveMQ File RBAC Extension’s substitution feature. The special markers ${{clientid}} and ${{username}} in the topic filter for a permission are automatically replaced by the extension with the client identifier and username of the client for which authorization is performed: HiveMQ File RBAC Extension - Substitution.

If you have any further questions or need assistance, please don’t hesitate to reach out!

Best,
Dasha from The HiveMQ Team
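To make the effect of the ${{clientid}} substitution concrete, here is an added illustration (not the extension's own code) of how a permission such as pub/${{clientid}}/# scopes a role's topics to the connecting client: the marker is replaced by the client's identifier before MQTT topic-filter matching, so a client can only publish or subscribe under its own id even when other clients share the same username and role. The role, the abc-client ids and the wildcard check on the client id are this example's own assumptions; it models per-client topic scoping, not a regex-to-role mapping.

```python
# Constructed sample role in the spirit of the file RBAC extension's XML, using the
# ${{clientid}} marker described in the reply (hypothetical topics and client ids).
ROLE_PERMISSIONS = [
    {"topic": "pub/${{clientid}}/#", "activity": "PUBLISH"},
    {"topic": "sub/${{clientid}}/#", "activity": "SUBSCRIBE"},
]


def substitute(topic_filter: str, client_id: str, username: str) -> str:
    """Replace the substitution markers with the connecting client's values.

    Defensive check added for this example: a client id containing MQTT wildcard
    or separator characters would widen the filter after substitution, so reject it.
    """
    if any(ch in client_id for ch in "+#/"):
        raise ValueError("client id must not contain '+', '#' or '/'")
    return (topic_filter
            .replace("${{clientid}}", client_id)
            .replace("${{username}}", username))


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT topic-filter matching: '+' matches one level, '#' matches all remaining."""
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return True                      # '#' also matches the parent level itself
        if i >= len(t_levels):
            return False                     # topic shorter than filter
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


def is_allowed(permissions, client_id: str, username: str,
               activity: str, topic: str) -> bool:
    """Authorization decision: any permission for this activity whose substituted
    topic filter matches the requested topic grants access; otherwise deny."""
    for perm in permissions:
        if perm["activity"] != activity:
            continue
        if topic_matches(substitute(perm["topic"], client_id, username), topic):
            return True
    return False


if __name__ == "__main__":
    # abc-client-1 may publish under its own id, abc-client-2 may not touch it.
    print(is_allowed(ROLE_PERMISSIONS, "abc-client-1", "alice", "PUBLISH", "pub/abc-client-1/data"))
    print(is_allowed(ROLE_PERMISSIONS, "abc-client-2", "alice", "PUBLISH", "pub/abc-client-1/data"))
```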