[dynsec] Problems with authorizing clients authenticated by certificate
I believe this is a bug, because it leads to inconsistent behavior for authN using username/password and certificate.
I need Mosquitto to allow connections for some clients with valid certificates. In order to implement this I configure mosquitto to require certificate and use dynamic-security plugin to configure ACLs. In dynamic-security I create clients only for the certificate CNs I want to allow, and grant only permissions they should have. Sometimes I need to disable clients.
According to the documentation, deleting or disabling a client should disconnect currently connected clients and forbid future connections.
There are the following problems:
- When the client does not exist, the connection can still be established. No permissions are granted though: any attempt to subscribe or publish is denied.
- When the client exists and is disabled, it can perform any granted operations.
I tested such functionality for username/password authN and it works fine - when the client does not exist or is disabled, the connection cannot be established.
mosquitto.conf

```
listener 8883
require_certificate true
use_identity_as_username true
cafile /mosquitto/certs/ca.crt
keyfile /mosquitto/certs/server.key
certfile /mosquitto/certs/server.crt
plugin /usr/lib/mosquitto_dynamic_security.so
plugin_opt_config_file /tmp/dynamic-security.json
log_type all
```
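As an added illustration (not part of this report or of the plugin), here is a constructed `dynamic-security.json` for clients named by certificate CN, one of them disabled, together with a small reference check of the documented semantics (unknown or disabled client refused at CONNECT, otherwise the highest-priority matching role ACL decides, falling back to `defaultACLAccess`). The JSON key names follow the dynsec file layout as I understand it and are an assumption; the check is meant for comparing the expected outcome against what the broker actually does.

```python
import json

# Constructed dynsec config (assumed key layout, not the reporter's file): two
# clients keyed by certificate CN, "sensor-02" disabled, sharing one role.
DYNSEC_JSON = json.dumps({
    "defaultACLAccess": {"publishClientSend": False, "publishClientReceive": False,
                         "subscribe": False, "unsubscribe": False},
    "clients": [
        {"username": "sensor-01", "disabled": False,
         "roles": [{"rolename": "sensor", "priority": 1}]},
        {"username": "sensor-02", "disabled": True,
         "roles": [{"rolename": "sensor", "priority": 1}]},
    ],
    "roles": [
        {"rolename": "sensor", "acls": [
            {"acltype": "publishClientSend", "topic": "sensors/#", "priority": 1, "allow": True},
            {"acltype": "publishClientSend", "topic": "sensors/admin/#", "priority": 2, "allow": False},
            {"acltype": "subscribePattern", "topic": "cmd/+", "priority": 1, "allow": True},
        ]},
    ],
})

def load_cfg() -> dict:
    return json.loads(DYNSEC_JSON)

def topic_matches(pattern: str, topic: str) -> bool:
    """MQTT wildcard match: '+' is one level, '#' matches the remainder."""
    p, t = pattern.split("/"), topic.split("/")
    for i, part in enumerate(p):
        if part == "#":
            return True
        if i >= len(t) or (part != "+" and part != t[i]):
            return False
    return len(p) == len(t)

def connect_expected(cfg: dict, cn: str) -> bool:
    """Documented behaviour: an unknown or disabled client must be refused at CONNECT."""
    client = next((c for c in cfg["clients"] if c["username"] == cn), None)
    return client is not None and not client.get("disabled", False)

def acl_expected(cfg: dict, cn: str, acltype: str, topic: str) -> bool:
    """Highest-priority matching ACL across the client's roles wins; else defaultACLAccess."""
    if not connect_expected(cfg, cn):
        return False  # nothing should be granted to a client that cannot connect
    client = next(c for c in cfg["clients"] if c["username"] == cn)
    roles = {r["rolename"]: r for r in cfg["roles"]}
    matches = [acl for cr in client["roles"] for acl in roles[cr["rolename"]]["acls"]
               if acl["acltype"] == acltype and topic_matches(acl["topic"], topic)]
    if matches:
        return max(matches, key=lambda a: a["priority"])["allow"]
    default_key = acltype.replace("Literal", "").replace("Pattern", "")  # subscribePattern -> subscribe
    return cfg["defaultACLAccess"][default_key]
```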