EnMasseProject / enmasse

EnMasse - Self-service messaging on Kubernetes and OpenShift
https://enmasseproject.github.io
Apache License 2.0

MQTT Client Authorization for individual topics not working for Subscribe #1222

Open jsticha opened 6 years ago

jsticha commented 6 years ago

If I want an AMQP client to only be able to subscribe to a topic temperature, I have to put the corresponding Keycloak user in a group called recv_temperature.

For an MQTT client to subscribe to any topic in EnMasse, I need to grant the following rights (by defining corresponding Keycloak groups):

However, with these rights granted, there is no access control to individual topics (e.g. temperature) taking place. Setting up additional Keycloak groups like in the AMQP case doesn't have any effect.

It is therefore not possible to allow/restrict access to individual topics.

rgodfrey commented 6 years ago

Yes - this is a known defect :-( We'll be doing an in-depth review/update of the MQTT implementation very shortly to address issues like this as well as making the representation of MQTT connections/subscriptions clearer through the console.