
I am using moquette as my MQTT broker.

I specify an access control file in my config like this:

acl_file acl.conf

and then in the acl.conf file, I added just one user like this:

user gravity
topic read in
topic write out

My problem

The user gravity is not able to write to the out topic. I am getting an error message, which is: topic {out} doesn't have write credentials

Also, the user gravity can subscribe to all the topics, not just in.

Plus, I have another user, which is william, and william can subscribe to any topic, but can't publish on any topic. I don't know how it is possible that william can subscribe to any topic, though the acl file states that I have just one user that has privileges listed.

Note

I am adding a tag for mosquitto though I am working on moquette, and that is because they share the same acl format.

Update

After reading the code of the broker,

I found that this is the function that is being called when a new subscription request comes:

    @MQTTMessage(message = SubscribeMessage.class)
    void processSubscribe(ServerChannel session, SubscribeMessage msg) {
        String clientID = (String) session
                .getAttribute(NettyChannel.ATTR_KEY_CLIENTID);
        boolean cleanSession = (Boolean) session
                .getAttribute(NettyChannel.ATTR_KEY_CLEANSESSION);
        LOG.debug("SUBSCRIBE client <{}> packetID {}", clientID,
                msg.getMessageID());

        // ack the client
        SubAckMessage ackMessage = new SubAckMessage();
        ackMessage.setMessageID(msg.getMessageID());

        for (SubscribeMessage.Couple req : msg.subscriptions()) {
            AbstractMessage.QOSType qos = AbstractMessage.QOSType.values()[req
                    .getQos()];
            Subscription newSubscription = new Subscription(clientID,
                    req.getTopicFilter(), qos, cleanSession);
            boolean valid = subscribeSingleTopic(newSubscription,
                    req.getTopicFilter());
            ackMessage.addType(valid ? qos : AbstractMessage.QOSType.FAILURE);
        }

And I think that is the function that has a bug, because I can't see any call to the IAuthorizator canRead function.

I even tried to build my own plugin for authentication, and I have the exact same problem, which is that authorization on publishing is working, but on subscribing it is not.

William Kinaan

1 Answer


Probably you don't refer to the right acl file; if it's in the conf subdirectory, remember the path has to be acl_file conf/acl.conf.

Regarding the read access, Moquette doesn't check the right at subscription time; it simply avoids publishing the messages, but the denial is silent.

Andrea
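
As an added example (not Moquette's code and not part of the original answer), this Java sketch models the ACL file from the question and contrasts a read check at subscribe time with the delivery-time filtering the answer describes. The class and method names are hypothetical, topic matching is exact (no MQTT wildcards), and a user with no entries is assumed to be denied everything.

```java
import java.util.*;

// Added illustration; AclModel and its methods are hypothetical names, not Moquette classes.
// Simplification: topics match exactly (no MQTT wildcards); users with no entries get nothing.
public class AclModel {
    private final Map<String, Set<String>> read = new HashMap<>();
    private final Map<String, Set<String>> write = new HashMap<>();

    AclModel(String aclText) {
        String user = null;
        for (String raw : aclText.split("\n")) {
            String[] p = raw.trim().split("\\s+");
            if (p.length == 2 && p[0].equals("user")) {
                user = p[1];
            } else if (p.length == 3 && p[0].equals("topic") && user != null) {
                Map<String, Set<String>> target =
                        p[1].equals("read") ? read : p[1].equals("write") ? write : null;
                if (target != null) {
                    target.computeIfAbsent(user, k -> new HashSet<>()).add(p[2]);
                }
            }
        }
    }

    boolean canRead(String user, String topic) {
        return read.getOrDefault(user, Collections.emptySet()).contains(topic);
    }

    boolean canWrite(String user, String topic) {
        return write.getOrDefault(user, Collections.emptySet()).contains(topic);
    }

    // Check at SUBSCRIBE time: the refusal is visible to the client in the SUBACK.
    String subAckWhenChecked(String user, String topic) {
        return canRead(user, topic) ? "granted" : "FAILURE";
    }

    public static void main(String[] args) {
        // ACL content copied from the question; the users and topics probed below are constructed.
        AclModel acl = new AclModel("user gravity\ntopic read in\ntopic write out\n");
        for (String user : new String[] {"gravity", "william"}) {
            for (String topic : new String[] {"in", "out"}) {
                // Delivery-time filtering only: SUBACK is always granted, delivery depends on canRead.
                System.out.printf("%s/%s publish=%b subackChecked=%s subackUnchecked=granted delivered=%b%n",
                        user, topic, acl.canWrite(user, topic),
                        acl.subAckWhenChecked(user, topic), acl.canRead(user, topic));
            }
        }
    }
}
```

The printed matrix can serve as the expected result when probing a live broker: a subscription that is acknowledged but never receives messages matches the delivery-time filtering case, not a missing ACL.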