Setting up and Configuring ACL in Mosquitto MQTT Broker

MQTT is a widely used communication protocol in the IoT domain. The Mosquitto MQTT broker is an open-source broker that can be installed on a variety of platforms including Windows, Linux, and macOS. Mosquitto MQTT broker provides the ability to secure the MQTT communication by implementing access control lists (ACL).

Access control lists allow the broker to restrict access to resources based on the identity of the client, the topic, and the type of action. This means that the broker can control who can access what data and what actions they can perform on that data.

In this blog post, we will be discussing how to set up and configure ACL in the Mosquitto MQTT broker on a Windows machine. We will also provide an example of an ACL file and its description.

Step 1: Installing Mosquitto MQTT Broker

Before we can configure ACL in the Mosquitto MQTT broker, we need to install it on our Windows machine. To do this, we can follow the steps below:

  1. Download the Mosquitto MQTT broker from the official website: https://mosquitto.org/download/.
  2. Run the downloaded executable file and follow the installation wizard.
  3. Once the installation is complete, Mosquitto MQTT broker will be installed and running as a Windows service.

Step 2: Configuring Mosquitto MQTT Broker for ACL

To configure Mosquitto MQTT broker for ACL, we need to modify the configuration file. The configuration file can be found in the installation directory of Mosquitto MQTT broker. By default, the configuration file is named mosquitto.conf.

  1. Open the mosquitto.conf file using a text editor.
  2. Add the following lines to the end of the file:
    acl_file C:\mosquitto\aclfile.acl
    password_file C:\mosquitto\passwordfile.txt

    This tells Mosquitto MQTT broker to use the ACL file located at C:\mosquitto\aclfile.acl and the password file located at C:\mosquitto\passwordfile.txt.

    Note: The location of the files can be changed based on your needs.

  3. Save the mosquitto.conf file and exit the text editor.

Step 3: Creating the ACL File

Now that we have configured Mosquitto MQTT broker to use an ACL file, we need to create one. The ACL file contains the rules that dictate who can access what data and what actions they can perform on that data.

Here is an example of an ACL file:

# Topic rules that appear before any "user" line apply to every client,
# anonymous clients included.

# Allow clients to subscribe to public topics
topic read public/#

# Allow clients to publish to public topics
topic write public/#

# Allow authenticated clients to read and write their own topics.
# %u is replaced with the client's username; rules containing %u are
# skipped for clients that connected without a username.
pattern readwrite %u/#

The above ACL file allows anonymous clients to subscribe to topics that start with public/, authenticated clients to publish to topics that start with public/, and authenticated clients to subscribe to their own topics. %u is a placeholder that is replaced with the username of the client. Note that topic rules written before any user line apply to every client, anonymous or authenticated, so the read and write rules for public/# above apply to both.
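To make the rule semantics concrete, here is a small Python evaluator, added for this post and not part of Mosquitto, that parses the ACL file above (plus an assumed `user admin` section) and answers whether a given client may read or write a topic. It assumes the behaviour of Mosquitto's built-in ACL check: topic rules before any user line apply to all clients, access defaults to readwrite when omitted, and pattern rules containing %u are skipped for clients that supplied no username.

```python
# Constructed sample: the post's three rules plus one per-user section (assumption).
ACL_TEXT = """
# topic rules before any "user" line apply to every client, anonymous included
topic read public/#
topic write public/#
pattern readwrite %u/#
user admin
topic readwrite #
"""
def parse_acl(text):
    """Return (scope, access, filter) tuples; scope is 'all', 'pattern' or a username."""
    rules, user = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "user":
            user = parts[1]
            continue
        access = parts[1] if len(parts) == 3 else "readwrite"   # default when omitted
        scope = "pattern" if parts[0] == "pattern" else (user or "all")
        rules.append((scope, access, parts[-1]))
    return rules

def topic_matches(filt, topic):
    """MQTT filter match: '+' matches one level, '#' matches the remainder."""
    f, t = filt.split("/"), topic.split("/")
    for i, part in enumerate(f):
        if part == "#":
            return True
        if i >= len(t) or (part != "+" and part != t[i]):
            return False
    return len(f) == len(t)

def allowed(rules, username, topic, access):
    """True if a client (username=None when anonymous) may 'read' or 'write' topic."""
    for scope, acc, filt in rules:
        if acc != access and acc != "readwrite":
            continue
        if scope == "pattern":
            if "%u" in filt and username is None:
                continue                      # %u rules never match anonymous clients
            filt = filt.replace("%u", username or "")
        elif scope != "all" and scope != username:
            continue                          # belongs to another user's section
        if topic_matches(filt, topic):
            return True
    return False                              # no allow rule matched: access denied
RULES = parse_acl(ACL_TEXT)
```

Running `allowed(RULES, None, "public/test", "write")` returns True, which shows why the general write rule on public/# should be reconsidered if anonymous clients are permitted to connect.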

Step 4: Creating the Password File

The Mosquitto MQTT broker requires a password file to authenticate clients. The password file contains the usernames and passwords of the clients that are allowed to connect to the broker.

Here is an example of a password file:

user1:$6$rounds=100000$Xs1cOZIzTWZwv7p$3r3Kj7kT0PZ/9fVW0X9zBbHjK1DwB1NkMh0F0NUN2kKj5m5NEKv5f+jZl2Ql5iWJug8kATdK6yBuJHm5U4dXjw==
user2:$6$rounds=100000$S2QwR0o0nMkN1B4u$XQJF7nKjDZf1McVrGq3wv7VknzjKcY7VdA9hfzv7xhu1akDzCZjWJ8/NwvMgMk2QjKkSiPys9JvFVz1ZDmLpVg==

In the above password file, the usernames are user1 and user2, and their passwords are encrypted using the bcrypt algorithm. The passwords can be generated using the mosquitto_passwd utility that comes with the Mosquitto MQTT broker.

Step 5: Testing the Mosquitto MQTT Broker with ACL

To test the Mosquitto MQTT broker with ACL, we can use an MQTT client such as mosquitto_pub and mosquitto_sub.

  1. Open two command prompt windows.
  2. In the first window, run the following command to subscribe to the public/test topic:
    mosquitto_sub -h localhost -t public/test -u user1 -P password1

    Replace user1 and password1 with the appropriate username and password from the password file.

  3. In the second window, run the following command to publish a message to the public/test topic:
    mosquitto_pub -h localhost -t public/test -u user2 -P password2 -m "Hello, world!"

    Replace user2 and password2 with the appropriate username and password from the password file.

    If everything is configured correctly, the first window should receive the message "Hello, world!".

Conclusion

In this blog post, we discussed how to set up and configure ACL in the Mosquitto MQTT broker on a Windows machine. We also provided an example of an ACL file and its description. By implementing ACL, we can secure the MQTT communication and control who can access what data and what actions they can perform on that data.