Role Configuration with RBAC Extension

I’m using HiveMQ Professional 4.7.3 and I’m trying to use the File RBAC (HiveMQ Extension - File RBAC) extension to require username/password authentication and to limit users to specific topics. When I configured the credentials.xml file to limit a certain role to certain topics, my client receives no data. If I use just “#” as the topic then my client receives all the data. Does the topic name in the credentials.xml file need to include “spBv1.0/” at the beginning? I think I’m just missing something in the topic name, but I’ve tried a couple of different ways.

Also, with this extension installed, but config.xml still configured to allow anonymous connections, I can’t establish an anonymous connection. Is that the expected behavior?

Hi @larry.jones,

So that I’m able to help, can you please share:

  • the credentials.xml of the RBAC extensions (remove passwords)
  • what topics you are using

Does the topic name in the credentials.xml file need to include “spBv1.0/” at the beginning?

To answer your question, let’s say your role has “abc/${{clientid}}” as topic in the permission, then a client with, let’s say, id “sepp” can only subscribe/publish to “abc/sepp”.

So if your topics have “spBv1.0/” as prefix then you need this also in the topic in the permission “spBv1.0/${{clientid}}” for example.

Also, with this extension installed, but config.xml still configured to allow anonymous connections, I can’t establish an anonymous connection. Is that the expected behavior?

Not sure what you mean with that, there is no config in config.xml that does this. Please elaborate.

Greetings,
Michael from the HiveMQ team
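The following is an added example, not code from HiveMQ or from the File RBAC extension: a small model of the permission check described in the answer above (placeholders such as `${{clientid}}` are substituted first, then the permission’s `<topic>` filter is matched against what the client publishes or subscribes to), so a candidate `<topic>` value can be tried offline against the topics a client really uses before restarting the broker. It assumes standard MQTT wildcard rules (`+` matches one level, `#` matches the rest and must be last), the `${{clientid}}` / `${{username}}` placeholders from this thread, and the Sparkplug B topic layout `spBv1.0/<group_id>/<message_type>/<edge_node_id>/<device_id>`; the sample topic, client id and username are constructed for the example, and the real extension’s behaviour is authoritative where it differs from this model.

```python
"""Added example (not HiveMQ's or the File RBAC extension's code): a model of
an MQTT topic-permission check with ${{clientid}} / ${{username}} substitution.

Assumptions: standard MQTT wildcards ('+' one level, '#' the rest, last only),
the placeholders used in credentials.xml in this thread, and the Sparkplug B
topic layout spBv1.0/<group_id>/<message_type>/<edge_node_id>/<device_id>.
Sample topics and client names are constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

_PLACEHOLDER = re.compile(r"\$\{\{(clientid|username)\}\}")


def substitute(topic_filter: str, clientid: str, username: str) -> str:
    """Replace ${{clientid}} / ${{username}} in a permission's <topic>."""
    values = {"clientid": clientid, "username": username}
    return _PLACEHOLDER.sub(lambda m: values[m.group(1)], topic_filter)


def topic_matches(topic_filter: str, topic: str) -> bool:
    """True if a concrete topic (no wildcards) matches an MQTT topic filter."""
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, f in enumerate(f_levels):
        if f == "#":
            return True          # '#' also matches the parent level itself
        if i >= len(t_levels):
            return False         # filter has more levels than the topic
        if f != "+" and f != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


def filter_covers(perm_filter: str, sub_filter: str) -> bool:
    """True if every topic matched by sub_filter is also matched by perm_filter.

    A SUBSCRIBE is only granted when a permission covers the whole requested
    filter: subscribing to '#' under a permission for 'spBv1.0/SUWA/#' is
    denied even though some of the topics '#' would match are permitted.
    """
    p_levels = perm_filter.split("/")
    s_levels = sub_filter.split("/")
    for i, p in enumerate(p_levels):
        if p == "#":
            return True
        if i >= len(s_levels):
            return False
        s = s_levels[i]
        if s == "#":
            return False         # subscription wants a subtree the permission lacks
        if p == "+":
            continue             # permission wildcard covers any single level
        if s == "+" or s != p:
            return False
    return len(p_levels) == len(s_levels)


@dataclass(frozen=True)
class Permission:
    """One <permission> entry; ALL is assumed when <activity> is absent."""
    topic: str
    activity: str = "ALL"        # ALL | PUBLISH | SUBSCRIBE


def publish_allowed(perms, topic, clientid, username) -> bool:
    return any(p.activity in ("ALL", "PUBLISH")
               and topic_matches(substitute(p.topic, clientid, username), topic)
               for p in perms)


def subscribe_allowed(perms, sub_filter, clientid, username) -> bool:
    return any(p.activity in ("ALL", "SUBSCRIBE")
               and filter_covers(substitute(p.topic, clientid, username), sub_filter)
               for p in perms)


# Constructed sample: a Sparkplug B DDATA topic for group SUWA, edge node
# Manufacturing, device MES, from a (hypothetical) client id "ign-edge-1".
SAMPLE_TOPIC = "spBv1.0/SUWA/DDATA/Manufacturing/MES"


def demo() -> dict[str, bool]:
    """Evaluate candidate <topic> filters against the sample topic."""
    cid, user = "ign-edge-1", "ignition"
    return {
        # Group/edge/device only: the message-type level is missing, no match.
        "spBv1.0/SUWA/Manufacturing/MES": topic_matches("spBv1.0/SUWA/Manufacturing/MES", SAMPLE_TOPIC),
        # '+' in the message-type position covers DDATA, DBIRTH, DCMD for this device.
        "spBv1.0/SUWA/+/Manufacturing/MES": topic_matches("spBv1.0/SUWA/+/Manufacturing/MES", SAMPLE_TOPIC),
        # Whole group subtree, all message types and nodes.
        "spBv1.0/SUWA/#": topic_matches("spBv1.0/SUWA/#", SAMPLE_TOPIC),
        # Placeholder substitution as described in the answer above.
        "abc/${{clientid}}": publish_allowed([Permission("abc/${{clientid}}")], "abc/ign-edge-1", cid, user),
        # A client permitted only spBv1.0/SUWA/# may not subscribe to '#'.
        "subscribe # under spBv1.0/SUWA/#": subscribe_allowed([Permission("spBv1.0/SUWA/#")], "#", cid, user),
        "subscribe spBv1.0/SUWA/# under spBv1.0/SUWA/#": subscribe_allowed([Permission("spBv1.0/SUWA/#")], "spBv1.0/SUWA/#", cid, user),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{'allowed' if ok else 'denied':8} {check}")
```

The last two checks are the ones to run when a client “connects but shows no data”: a tool that subscribes to `#` by default will have that subscription refused under a narrower permission, so subscribe to a filter the role actually covers (for example `spBv1.0/SUWA/#`) when testing.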

I should have been clearer in my original message. I’m publishing data from Ignition, using the Cirrus Link MQTT Transmission module. My group, edge, and device values are “SUWA”, “Manufacturing”, and “MES”. When I entered “SUWA/Manufacturing/MES/” in line 56, my subscriber received no data. The subscriber only receives data when I use a single wildcard. I tried “spBv1.0/SUWA/Manufacturing/MES/” thinking maybe I need to include the namespace as part of the topic, but the subscriber still received no data.

Here’s the section of the config.xml file that I thought allowed anonymous connections:

true

I noticed that even with the value set to “true”, after restarting the HiveMQ service the File RBAC configuration was enforced. I thought I would be able to leave the value “true” and subscribers would still be able to establish connections with no username/password while I worked on the configuration of the RBAC files.

I can’t add the credentials.xml file. It’s not an accepted file type. Please advise.

Thank you,

Larry

You can post the content as code, like this

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<file-rbac>
    <users>
        <user>
            <name>admin-user</name>
            <!-- password hash for "admin-password" -->
            <password>Vjc1a0lxQ3Nvb0ljNFVHNE9WRnM3RG1IZmdNUFcwVGY=:100:PL2FLqfpdhONG7qXjAMmdVn4wlMiXnypdXiFW09zqorFhKgoiixFQw2EVJJfE9Zn79q45V7Xpc6JeKLp0ntmYA==</password>
            <roles>
                <id>superuser</id>
            </roles>
        </user>
    </users>
    <roles>
        <role>
            <id>superuser</id>
            <permissions>
                <permission>
                    <!-- Allow everything -->
                    <topic>#</topic>
                </permission>
            </permissions>
        </role>
    </roles>
</file-rbac>


My testing was done with the username MQTTCollector.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<file-rbac>
    <users>
        <user>
            <name>user1</name>
            <!-- password hash for "pass1" -->
            <password>removed</password>
            <roles>
                <id>role1</id>
            </roles>
        </user>
        <user>
            <name>MQTTCollector</name>
            <!-- password hash -->
            <password>removed</password>
            <roles>
                <id>mesuser</id>
            </roles>
        </user>
    </users>
    <roles>
        <role>
            <id>role1</id>
            <permissions>
                <permission>
                    <!-- PUBLISH and SUBSCRIBE to all topics below "data/<clientid>/" -->
                    <topic>data/${{clientid}}/#</topic>
                </permission>
                <permission>
                    <!-- PUBLISH to topic "outgoing/<clientid>", retained only-->
                    <topic>outgoing/${{clientid}}</topic>
                    <activity>PUBLISH</activity>
                    <retain>RETAINED</retain>
                </permission>
                <permission>
                    <!-- SUBSCRIBE to topic "incoming/<username>/actions" -->
                    <topic>incoming/${{username}}/actions</topic>
                    <activity>SUBSCRIBE</activity>
                </permission>
            </permissions>
        </role>
        <role>
            <id>superuser</id>
            <permissions>
                <permission>
                    <!-- Allow everything -->
                    <topic>#</topic>
                </permission>
            </permissions>
        </role>
        <role>
            <id>mesuser</id>
            <permissions>
                <permission>
                    <!-- Allow everything on specified topic -->
                    <topic>#</topic>
                </permission>
                <permission>
                    <!-- Allow everything on specified topic -->
                    <topic>spBv1.0/SUWA/#</topic>
                </permission>
            </permissions>
        </role>
    </roles>
</file-rbac>

Please give me a XML file that represents the state where you couldn’t see message going to your subscriber. The posted example contains # for “mesuser” which I assume is not correct.

And also you didn’t give me the topics that your device is publishing on; I don’t expect “SUWA/Manufacturing/MES” is the whole topic? If it is, let me know what topic filter your subscriber subscribes to. Additionally I need the roles that the publisher and subscriber devices are using.

What I need:
My device publishes to topics: , my devices gets the role:
My subscriber subscribed to topic filter: , my subscriber gets the role:

Greetings,
Michael

In my Ignition transmitter configuration I have the following values for my Sparkplug settings:
Group ID: SUWA
Edge Node ID: Manufacturing
Device ID: MES

I thought that meant the topic name I’m publishing to would be “SUWA/Manufacturing/MES”.

From Ignition, I’m connecting with the username “ignition” which is assigned role “ignitionxmitter”. From test client MQTT Explorer, I’m connecting with username “MQTTCollector” which is assigned role “mesuser”. Here is the credentials.xml file:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<file-rbac>
    <users>
        <user>
            <name>user1</name>
            <password>removed</password>
            <roles>
                <id>role1</id>
            </roles>
        </user>
        <user>
            <name>MQTTCollector</name>
            <password>removed</password>
            <roles>
                <id>mesuser</id>
            </roles>
        </user>
        <user>
            <name>ignition</name>
            <password>removed</password>
            <roles>
                <id>ignitionxmitter</id>
            </roles>
        </user>
    </users>
    <roles>
        <role>
            <id>role1</id>
            <permissions>
                <permission>
                    <topic>data/${{clientid}}/#</topic>
                </permission>
                <permission>
                    <topic>outgoing/${{clientid}}</topic>
                    <activity>PUBLISH</activity>
                    <retain>RETAINED</retain>
                </permission>
                <permission>
                    <topic>incoming/${{username}}/actions</topic>
                    <activity>SUBSCRIBE</activity>
                </permission>
            </permissions>
        </role>
        <role>
            <id>superuser</id>
            <permissions>
                <permission>
                    <topic>#</topic>
                </permission>
            </permissions>
        </role>
        <role>
            <id>mesuser</id>
            <permissions>
                <permission>
                    <topic>spBv1.0/SUWA/Manufacturing/MES</topic>
                </permission>
                <permission>
                    <topic>spBv1.0/VILL/Manufacturing/MES</topic>
                </permission>
            </permissions>
        </role>
        <role>
            <id>ignitionxmitter</id>
            <permissions>
                <permission>
                    <topic>#</topic>
                </permission>
            </permissions>
        </role>
    </roles>
</file-rbac>

The role “mesuser” is allowed to do everything on topic “spBv1.0/SUWA/Manufacturing/MES”, but MQTT Explorer just connects and doesn’t show any data. I tried topics “SUWA/Manufacturing/MES” and “spBv1.0/SUWA/DDATA/Manufacturing/MES” and got the same results.

Thank you.

If I change the topic for “mesuser” to “#”, MQTT Explorer looks like this:

Thank you.

@larry.jones I have the same scenario and it is not working for me. How did you resolve the topic filtering?

@Murad I don’t know that I ever resolved that issue. We’re no longer using the RBAC extension and we’re using the ESE extension.

Hi @Murad

Post your credentials.xml content as explained here: Role Configuration with RBAC Extension - #6 by michael_w

Regards,
Dasha from HiveMQ Team

Thanks @Daria_H … here is an example of my file and what I see in MQTT Explorer for each user

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<file-rbac>
    <users>
        <user>
            <name>admin</name>
            <password>........</password>
            <roles>
                <id>superuser</id>
            </roles>
        </user>
        <user>
            <name>assembly</name>
            <password>..........</password>
            <roles>
                <id>role1</id>
            </roles>
        </user>
    </users>
    <roles>
        <role>
            <id>role1</id>
            <permissions>
                <permission>
                    <!-- SUBSCRIBE to any topic in Assembly -->
                    <topic>m/kmx/121/assembly/#</topic>
                    <activity>SUBSCRIBE</activity>
                </permission>
            </permissions>
        </role>
        <role>
            <id>superuser</id>
            <permissions>
                <permission>
                    <!-- Allow everything -->
                    <topic>#</topic>
                </permission>
            </permissions>
        </role>
    </roles>
</file-rbac>

Hello @Murad,

Thank you for reaching out to us.

It seems there may have been an issue with your message. Unfortunately, the image you provided didn’t load properly.

Could you please try sending your message again? We’re here to assist you, and resolving any issues you may have is important to us.

Looking forward to hearing from you soon.

Best regards,
Dasha from HiveMQ Team

Sorry, I’ve fixed the previous message for the content of the credentials.xml file, and below is the output for both users @Daria_H