thingsboard / tbmq

Open-source, scalable, and fault-tolerant MQTT broker able to handle 4M+ concurrent client connections, supporting at least 3M messages per second throughput per single cluster node with low latency delivery. The cluster mode supports more than 100M concurrently connected clients.
https://thingsboard.io/products/mqtt-broker/
Apache License 2.0

[Question] Unable to modify or delete default user "TBMQ WebSockets MQTT Credentials" #171

Closed jaimeAnukys closed 1 month ago

jaimeAnukys commented 1 month ago

Component

Description

I am having an issue with a default user created in TBMQ called "TBMQ WebSockets MQTT Credentials". The main problem is that I cannot modify or delete this user. This poses a security risk because it seems to be used not only internally but also allows connection to the broker via MQTT and MQTT over WebSockets.

The security issue arises because anyone with the default credentials can connect to the broker and publish or subscribe to any topic. I have tried to modify these credentials, but when I attempt to do so, I receive an error saying that this user cannot be changed.

I believe it should be possible to modify or delete this default user to prevent unauthorized access and secure the broker properly.

I am attaching an image for further clarification.


Environment

dmytro-landiak commented 1 month ago

Hey @jaimeAnukys!

Thank you for your question. I agree with your suggestions, and we will enable the ability to edit these client credentials. However, we will still restrict deletion to retain them as the system's default credentials for WebSocket client usage.