Mosquitto ACL
Many message brokers allow the configuration of Access Control Lists (ACLs) to restrict client interactions to certain topics. The following chapter shows this configuration using the Mosquitto Message Broker as an example. Note that the procedure for granting access rights described here differs from that of the TcMqttPlugin: the TcMqttPlugin specifies, for an ADS device, which other ADS devices have access to it. With the (Mosquitto) ACL it is exactly the other way around, because here it is specified, for an ADS device, which other ADS devices it is allowed to access.
Overview
The Mosquitto Message Broker allows the configuration of an Access Control List, which is defined as a separate configuration file and referenced in the main configuration of the broker. This configuration entry is shown below as an example:
acl_file C:\Program Files\mosquitto\mosquitto.acl
You can also find a complete configuration file in our samples for download.
In the ACL file, you can define authorizations for publishing and subscribing to certain topics and specify them separately for each user. The access rights for a user are always introduced by the following line:
user <username>
The read and write rights are then defined according to the following scheme:
topic [read|write|readwrite] <topicName>
Configuration for ADS-over-MQTT
For ADS-over-MQTT, two things must be ensured, following the communication flow: access of all ADS devices to the discovery topics, and sending/receiving via the communication topics.
The ADS device must always have read/write access to its own topic. In addition, the device receives read rights for the discovery topics (info) of the other ADS devices.
To exchange ADS messages, an ADS device must have read/write access to the communication topics (ams) of the other devices. The ADS device is identified by its own identity on the message broker. This identity can, for example, originate from a PSK or correspond to the CommonName (CN) of a client certificate. The following configuration illustrates these relationships.
user <identity>
topic readwrite <VirtualAmsNetworkName>/<OwnAmsNetId>/#
topic read <VirtualAmsNetworkName>/+/info
topic readwrite <VirtualAmsNetworkName>/+/ams/#
If an ADS device is to be denied access to another device, it must be ensured that the ACL grants it no write permissions for the topic with the target AmsNetId.
The option known from the TcMqttPlugin of allowing an ADS device to register only one AmsNetId is also available with the Mosquitto ACL. To do this, replace the <OwnAmsNetId> entry with exactly one intended AmsNetId. If the ADS device is to be allowed to register with an arbitrary AmsNetId, set the wildcard (#) for <OwnAmsNetId>.
The following is an example of the access rights entries for communication between two ADS devices:
user EngineeringStation
topic readwrite VirtualAmsNetwork1/18.153.78.19.1.1/#
topic read VirtualAmsNetwork1/+/info
topic readwrite VirtualAmsNetwork1/+/ams/#
user CX-12345
topic readwrite VirtualAmsNetwork1/3.120.15.8.1.1/#
topic read VirtualAmsNetwork1/+/info
topic readwrite VirtualAmsNetwork1/+/ams/#
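To check what an ACL like the one above actually grants before deploying it, the following added example (not from the Beckhoff documentation or from Mosquitto) parses the user/topic lines and computes the effective rights of an identity on a concrete topic, using MQTT wildcard matching ('+' one level, '#' the remaining levels). The sample ACL is the two-device example above; the concrete topics below the ams level are constructed for illustration.

```python
from collections import defaultdict

# The two-device ACL from the documentation, embedded as a constructed sample.
ACL_TEXT = """\
user EngineeringStation
topic readwrite VirtualAmsNetwork1/18.153.78.19.1.1/#
topic read VirtualAmsNetwork1/+/info
topic readwrite VirtualAmsNetwork1/+/ams/#
user CX-12345
topic readwrite VirtualAmsNetwork1/3.120.15.8.1.1/#
topic read VirtualAmsNetwork1/+/info
topic readwrite VirtualAmsNetwork1/+/ams/#
"""

def parse_acl(text):
    """Return {user: [(access, topic_filter), ...]} from 'user'/'topic' lines.
    Simplification: topic lines before the first 'user' line are ignored."""
    acl, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank line or comment
            continue
        key, _, rest = line.partition(" ")
        if key == "user":
            current = rest.strip()
        elif key == "topic" and current is not None:
            access, _, topic = rest.strip().partition(" ")
            acl[current].append((access, topic.strip()))
    return acl

def topic_matches(topic_filter, topic):
    """MQTT matching: '+' matches one level, '#' matches the rest (even none)."""
    f, t = topic_filter.split("/"), topic.split("/")
    for i, part in enumerate(f):
        if part == "#":
            return True
        if i >= len(t) or (part != "+" and part != t[i]):
            return False
    return len(f) == len(t)

def permissions(acl, user, topic):
    """Effective subset of {'read', 'write'} the user holds on a concrete topic."""
    granted = set()
    for access, topic_filter in acl.get(user, []):
        if topic_matches(topic_filter, topic):
            granted |= {"read", "write"} if access == "readwrite" else {access}
    return granted

ACL = parse_acl(ACL_TEXT)
```

Running permissions(ACL, "CX-12345", ...) against the EngineeringStation's topics shows that the "+/ams/#" line still grants CX-12345 write access to the other device's ams subtree, so isolating a device requires naming the permitted AmsNetIds there instead of the "+" wildcard.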