I’m using HiveMQ Professional 4.7.3 and I’m trying to use the File RBAC (HiveMQ Extension - File RBAC) extension to require username/password authentication and to limit users to specific topics. When I configured the credentials.xml file to limit a certain role to certain topics, my client receives no data. If I use just “#” as the topic then my client receives all the data. Does the topic name in the credentials.xml file need to include “spBv1.0/” at the beginning? I think I’m just missing something in the topic name, but I’ve tried a couple of different ways.
Also, with this extension installed, but config.xml still configured to allow anonymous connections, I can’t establish an anonymous connection. Is that the expected behavior?
the credentials.xml of the RBAC extensions (remove passwords)
what topics you are using
Does the topic name in the credentials.xml file need to include “spBv1.0/” at the beginning?
To answer your question, let’s say your role has “abc/${{clientid}}” as topic in the permission, then a client with, let’s say, id “sepp” can only subscribe/publish to “abc/sepp”.
So if your topics have “spBv1.0/” as prefix then you need this also in the topic in the permission “spBv1.0/${{clientid}}” for example.
Also, with this extension installed, but config.xml still configured to allow anonymous connections, I can’t establish an anonymous connection. Is that the expected behavior?
Not sure what you mean with that, there is no config in config.xml that does this. Please elaborate.
I should have been clearer in my original message. I’m publishing data from Ignition, using the Cirrus Link MQTT Transmission module. My group, edge, and device values are “SUWA”, “Manufacturing”, and “MES”. When I entered “SUWA/Manufacturing/MES/” in line 56, my subscriber received no data. The subscriber only receives data when I use a single wildcard. I tried “spBv1.0/SUWA/Manufacturing/MES/” thinking maybe I need to include the namespace as part of the topic, but the subscriber still received no data.
Here’s the section of the config.xml file that I thought allowed anonymous connections:
true
I noticed that even with the value set to “true”, after restarting the HiveMQ service the File RBAC configuration was enforced. I thought I would be able to leave the value “true” and subscribers would still be able to establish connections with no username/password while I worked on the configuration of the RBAC files.
I can’t add the credentials.xml file. It’s not an accepted file type. Please advise.
Please give me an XML file that represents the state where you couldn’t see messages going to your subscriber. The posted example contains # for “mesuser” which I assume is not correct.
And also you didn’t give me the topics that your device is publishing on, I don’t expect “SUWA/Manufacturing/MES” is the whole topic? If we are it let me know to what topic filter your subscriber subscribes to. Additionally I need the role that publisher and subscriber device are using.
What I need:
My device publishes to topics: , my device gets the role:
My subscriber subscribed to topic filter: , my subscriber gets the role:
In my Ignition transmitter configuration I have the following values for my Sparkplug settings:
Group ID: SUWA
Edge Node ID: Manufacturing
Device ID: MES
I thought that meant the topic name I’m publishing to would be “SUWA/Manufacturing/MES”.
From Ignition, I’m connecting with the username “ignition” which is assigned role “ignitionxmitter”. From test client MQTT Explorer, I’m connecting with username “MQTTCollector” which is assigned role “mesuser”. Here is the credentials.xml file:
The role “mesuser” is allowed to do everything on topic “spBv1.0/SUWA/Manufacturing/MES”, but MQTT Explorer just connects and doesn’t show any data. I tried topics “SUWA/Manufacturing/MES” and “spBv1.0/SUWA/DDATA/Manufacturing/MES” and got the same results.
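The permission topics tried in this thread can be checked offline against the topics a Sparkplug B publisher emits. The following is an added example, not part of the thread and not the extension's code: it assumes standard MQTT wildcard matching and the Sparkplug B topic layout `spBv1.0/<group_id>/<message_type>/<edge_node_id>[/<device_id>]`, and the helper names and the wildcard filter in the last row are hypothetical.

```python
# Added example: checks which published topics a permission topic covers.
# Assumes standard MQTT wildcard semantics; not the File RBAC extension's code.
SPARKPLUG_NS = "spBv1.0"

def expand(permission_topic, client_id):
    """Substitute the ${{clientid}} placeholder described in the reply above."""
    return permission_topic.replace("${{clientid}}", client_id)

def matches(topic_filter, topic):
    """MQTT matching: '+' is exactly one level, '#' is this level and below."""
    f_levels, t_levels = topic_filter.split("/"), topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return i == len(f_levels) - 1  # '#' is only valid as the last level
        if i >= len(t_levels):
            return False
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)

def sparkplug_topics(group, edge, device):
    """Constructed sample: node and device topics built from the spec layout."""
    node = [f"{SPARKPLUG_NS}/{group}/{t}/{edge}"
            for t in ("NBIRTH", "NDATA", "NDEATH")]
    dev = [f"{SPARKPLUG_NS}/{group}/{t}/{edge}/{device}"
           for t in ("DBIRTH", "DDATA", "DDEATH")]
    return node + dev

def coverage(permission_topic, topics, client_id=""):
    """Return the published topics that the permission topic covers."""
    topic_filter = expand(permission_topic, client_id)
    return [t for t in topics if matches(topic_filter, t)]

if __name__ == "__main__":
    # Group / edge node / device IDs as given in the thread.
    published = sparkplug_topics("SUWA", "Manufacturing", "MES")
    candidates = (
        "SUWA/Manufacturing/MES",                # no namespace level
        "spBv1.0/SUWA/Manufacturing/MES",        # no message_type level
        "spBv1.0/SUWA/DDATA/Manufacturing/MES",  # one message type only
        "spBv1.0/SUWA/+/Manufacturing/#",        # hypothetical: node + devices
    )
    for perm in candidates:
        hits = coverage(perm, published)
        print(f"{perm!r}: covers {len(hits)} of {len(published)} topics")
```

This only evaluates published topics against a permission topic; whether the subscriber's own subscription filter is permitted is a separate check that the example does not model.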