Feature/add deny option for acl #1611

Open: wants to merge 5 commits into base: develop

BrandtHill commented Feb 25, 2020

This feature adds an option to the acl_file to allow a user to be explicitly denied access to a topic that might otherwise be granted from a broader topic.
For example in an acl file:

user bob
topic readwrite api/#
topic deny api/sensitive/#

The user bob would be granted read/write access to all topics matching api/# with the exception of topics matching api/sensitive/#.
This allows us to configure mosquitto (no extra plugins) more easily without the need for extensive whitelists like this:

user bob
topic readwrite api/fun/#
topic readwrite api/stuff/#
topic readwrite api/hello/#
topic readwrite api/so/#
topic readwrite api/many/#
topic readwrite api/topics/#
...

Because tests aren't passing on develop branch currently, I also made these changes off master to test.

I hope the purpose of these changes was made clear.

Brandt


  • If you are contributing a new feature, is your work based off the develop branch?
  • If you are contributing a bugfix, is your work based off the fixes branch?
  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you successfully run make test with your changes locally?
  • Have you signed the Eclipse Contributor Agreement, using the same email address as you used in your commits?
  • Do each of your commits have a "Signed-off-by" line, with the correct email address? Use "git commit -s" to generate this line for you.

BrandtHill added 5 commits Feb 24, 2020
…ain topics to be explicitly denied when they might otherwise be allowed through a more open read/write/readwrite option. Example: 'topic readwrite test/#' and 'topic deny test/hello/#' may be added so that a user can read/write to all test/# topics, except for test/hello/#.

Signed-off-by: Brandt Hill <brandtlarsonhill@gmail.com>
…d at C).

Signed-off-by: Brandt Hill <brandtlarsonhill@gmail.com>
Signed-off-by: Brandt Hill <brandtlarsonhill@gmail.com>
Signed-off-by: Brandt Hill <brandtlarsonhill@gmail.com>
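
The deny semantics described in the pull request above, as an added Python sketch that is not the PR's C code or any part of mosquitto. The function names are hypothetical, and it assumes a matching `deny` rule wins regardless of its position in the file and that a topic matching no rule is refused; the page does not show how the patch orders its checks.

```python
# Added illustration, not mosquitto's code. Assumption: a matching deny
# wins regardless of where it appears in the file.
ACL_TEXT = """\
user bob
topic readwrite api/#
topic deny api/sensitive/#
"""  # sample ACL copied from the PR description

ACCESS_TYPES = ("read", "write", "readwrite", "deny")

def topic_matches(pattern, topic):
    """MQTT filter match: '+' is one level, a trailing '#' is the remainder."""
    p, t = pattern.split("/"), topic.split("/")
    for i, level in enumerate(p):
        if level == "#":
            return i == len(p) - 1  # only valid last; also matches the parent
        if i >= len(t) or (level != "+" and level != t[i]):
            return False
    return len(p) == len(t)

def parse_acl(text):
    """Parse 'user' and 'topic' lines into {user: [(access, pattern), ...]}."""
    rules, user = {}, None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        keyword, rest = parts
        if keyword == "user":
            user = rest
            rules.setdefault(user, [])
        elif keyword == "topic" and user is not None:
            sub = rest.split(None, 1)
            if len(sub) == 2 and sub[0] in ACCESS_TYPES:
                rules[user].append((sub[0], sub[1]))
            else:  # no access keyword: treated as readwrite
                rules[user].append(("readwrite", rest))
    return rules

def is_allowed(rules, user, topic, want):
    """want is 'read' or 'write'; any matching deny overrides every grant."""
    granted = False
    for access, pattern in rules.get(user, []):
        if not topic_matches(pattern, topic):
            continue
        if access == "deny":
            return False
        granted = granted or access in (want, "readwrite")
    return granted
```

In this sketch the check takes the concrete topic of a message rather than a subscription filter, so a subscription to api/# by bob would still be refused each api/sensitive/... message.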