Mosquitto-auth-plugin ACL for subscription

Question

I am currently using the mosquitto broker to see if I can build something interesting with it and I came across this plugin for authentication called mosquitto-auth-plugin.

I followed the documentation of the plugin and I am using postgres as the back-end table. It seems to be working with respect to user authentication. When it comes to ACL I find the publish ACL is on spot but the subscription ACL is something I am not able to wrap my mind around.

 |-- GETTING USERS: karthik 1546887525: |-- getuser(karthik) AUTHENTICATED=1 by postgres 1546887525: New client connected from 127.0.0.1 as karthik (c1, k60, u'karthik'). 1546887525: No will message specified. 1546887525: Sending CONNACK to karthik (0, 0) 1546887525: Received SUBSCRIBE from karthik 1546887525: test/test (QoS 0) 1546887525: |-- mosquitto_auth_acl_check(..., client id not available, karthik, test/test, MOSQ_ACL_WRITE) 1546887525: |-- SUPERUSER: karthik 1546887525: |-- user is 0 1546887525: |-- USERNAME: karthik, TOPIC: test/test, acc: 4 1546887525: |-- aclcheck(karthik, test/test, 4) AUTHORIZED=0 by none 1546887525: Sending SUBACK to karthik

As you can see my doubt is what the '4' in 'acc:4' signify? I did not find that in the documentation of the plugin. If I create another username entry in the database with the read/write access set to 4 (in addition to the read/write access initially set), I find the ACL for subscription works properly and checks for an authentication.

I am wondering if I should make changes to the mosquitto configuration to resolve this issue? I suppose I am missing out on a simple yet key detail... any assistance is appreciated! Also, I've attached the config file

 auth_plugin /home/auth-plug.so auth_opt_backends postgres auth_opt_host localhost auth_opt_port 5432 auth_opt_dbname test_db auth_opt_user postgres auth_opt_pass lolol auth_opt_userquery SELECT password FROM clients WHERE username = $1 limit 1 auth_opt_superquery SELECT COALESCE(COUNT(*),0) FROM clients WHERE username = $1 AND super = 1 auth_opt_aclquery SELECT topic FROM mqttacl WHERE (username = $1) AND (rw & $2) > 0

Answer 1

Solved the issue. In the new mosquitto 1.5 release the MOSQ_ACL_SUBSCRIBE is an additional enhancement that has been introduced and an additional bit has been introduced in the ACL check. The value now varies from 0 to 7 (because of 3 bits) instead of 0-3 (owing to 2 bits).

So now the read/write value on your ACL table in the database must vary from 0 to 7.

1. 0: no access
2. 1: read
3. 2: write
4. 3: read and write
5. 4: subscribe
6. 5: read & subscribe
7. 6: write & subscribe
8. 7: read, write and subscribe

Hope it helps for people who are facing the same issue as I was :D!