Security on Topics

Hi Team,
We are evaluating a HiveMQ product for an IoT application.
Can you provide the feasibility of the following requirement:

Assume the application receives millions of messages from two clients.
Each client has around 10 kinds of topics. For example:

  • ‘clients/client1/itdepart’
  • ‘clients/client1/hrdepart’
  • ‘clients/client2/itdepart’
  • ‘clients/client2/hrdepart’

Is there any feasibility or security option to provide the restriction for subscribing at topic level (client and department)?

Even though the user has subscribed to a department or client which is not authorised, the messages should be delivered.

Hello @ViswanathDR

Thank you for contacting us. With the HiveMQ Enterprise Security Extension (ESE), you can effectively implement security on topics. This extension empowers clients to publish and subscribe to authorized topics, depending on the roles or permissions assigned to the client. For a comprehensive understanding of this extension, kindly refer to our documentation.

Even though the user has subscribed to a department or client which is not authorised, the messages should be delivered.

Could you please provide an example to clarify what you mean?

Kind regards,
Sheetal from HiveMQ Team

Hi Sheetal,
Thanks for the response.

The above sentence is wrongly formatted.

The question/problem is as follows:

I have topics as below:
clients/client1/dept1
clients/client1/dept2
clients/client1/dept3
clients/client1/dept4

Is there any way to subscribe only to the topics “clients/client1/dept1” and “clients/client1/dept2” with only one set of user credentials?

Regards,
Viswanath

Hello @ViswanathDR,

We appreciate you providing the requested details. It is indeed possible to implement the functionality you described using both the File RBAC extension and the Enterprise Security extension. Below is an example using the RBAC extension:

<role>
    <id>role1</id>
    <permissions>
        <!-- PUBLISH and SUBSCRIBE to all topics listed below;
             ${{clientid}} is replaced with the connecting client's ID -->
        <permission>
            <topic>clients/${{clientid}}/dept1</topic>
        </permission>
        <permission>
            <topic>clients/${{clientid}}/dept2</topic>
        </permission>
    </permissions>
</role>

You can download the open-source File RBAC extension here. For more comprehensive information, please refer to the documentation.

Using the Enterprise Security Extension as well, you have the option to set up permissions using the File realm as well as the SQL realm. In case you would like to use the SQL realm, you can access information about the database structure here. For the File realm, please check here for more details.

We hope this helps. Please don’t hesitate to contact us if you have any further questions.

Regards,
Sheetal from HiveMQ team
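As an added example, not code from HiveMQ or from this thread, the following Python models the authorization decision a role like role1 above implies: a client's requested subscription filter is granted only when it is wholly covered by one of the role's topic permissions after ${{clientid}} has been expanded, which is why a wildcard filter broader than the permitted topics (clients/client1/# or clients/client1/+) is refused. The matching rules and all function names are assumptions for illustration.

```python
# Added example (not HiveMQ's code): models the topic-level check that a role
# such as role1 above implies. A subscription is granted only when its filter is
# fully covered by one permitted pattern after ${{clientid}} is expanded, so a
# broader filter like clients/client1/# is refused. MQTT wildcards assumed:
# '+' matches one level, '#' matches everything below.

PLACEHOLDER = "${{clientid}}"
# Permitted topics of role1 from the reply above (sample input).
ROLE1_TOPICS = ["clients/${{clientid}}/dept1", "clients/${{clientid}}/dept2"]

def expand(pattern: str, client_id: str) -> str:
    """Replace the client-id placeholder with the connecting client's id."""
    return pattern.replace(PLACEHOLDER, client_id)

def covers(permitted: str, requested: str) -> bool:
    """True if every topic matched by `requested` is also matched by `permitted`."""
    p_levels, r_levels = permitted.split("/"), requested.split("/")
    for i, p in enumerate(p_levels):
        if p == "#":
            return True          # permitted '#': anything at or below this level is fine
        if i >= len(r_levels):
            return False         # requested filter is shorter than the fixed pattern
        r = r_levels[i]
        if r == "#":
            return False         # requested wants all levels below; permission does not
        if p == "+":
            continue             # permitted '+' covers any single level, even a requested '+'
        if r == "+" or r != p:
            return False         # requested is broader than, or differs from, a fixed level
    return len(r_levels) == len(p_levels)

def is_allowed(client_id: str, role_topics, topic_filter: str) -> bool:
    """Grant if at least one expanded permission covers the whole filter."""
    return any(covers(expand(t, client_id), topic_filter) for t in role_topics)

def evaluate(client_id: str, role_topics, attempts):
    """Decide a batch of subscription attempts; returns {filter: allowed}."""
    return {f: is_allowed(client_id, role_topics, f) for f in attempts}

if __name__ == "__main__":
    # Constructed attempts by client1 against role1's permissions.
    attempts = ["clients/client1/dept1", "clients/client1/dept3",
                "clients/client1/#", "clients/client2/dept1"]
    for topic, ok in evaluate("client1", ROLE1_TOPICS, attempts).items():
        print("ALLOW" if ok else "DENY ", topic)
```

The same `covers` check applies to publishes, whose topic names contain no wildcards, so a client can neither read nor write a department it was not granted.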

Hi Sheetal,
Thanks for the response.

Currently, I am using a cloud-managed Serverless (Free) license to evaluate HiveMQ. Is the File RBAC option available in this free license? If yes, can you suggest where I have to configure this?

Also, I am using https://console.hivemq.cloud/ to configure the topics, permissions and access credentials.

I have thousands of users, permissions and topics. Is there any API or bulk import to manage them, instead of entering each one of them through the UI?

Regards,
Viswanath

Hello @ViswanathDR

Thank you for confirming that you are using the HiveMQ Cloud Free edition. Please be aware that with HiveMQ Cloud Free and Starter editions, certain features are not supported, such as using placeholders for client IDs in topics and assigning multiple permissions to a client. Also, in order to use extensions (RBAC/ESE), you will need to migrate to the Cloud Enterprise editions.

If you would like to explore the benefits of our Cloud Enterprise edition in more detail, we encourage you to reach out to our experts at sales@hivemq.com. They will provide guidance to help you find the most suitable solution for your specific use case.

Regards,
Sheetal from HiveMQ Team

Thanks Sheetal for the details.