20 lines
939 B
Plaintext
# -----------------------------------------------------------------------
# Mosquitto ACL — DRB C2 Server
# -----------------------------------------------------------------------
# Two principals:
#   drb-c2-core — the backend service; needs full broker access
#   drb-node    — shared credential for all edge nodes; scoped to their
#                 own namespace via MQTT client ID (%c = NODE_ID)
# -----------------------------------------------------------------------

# C2-core service — full read/write on every topic
user drb-c2-core
topic readwrite #

# Edge nodes — each node may only read/write topics under nodes/<its-own-ID>/
# Mosquitto substitutes %c with the connecting client's MQTT client ID at
# runtime. Edge nodes set client_id = NODE_ID in mqtt_manager.py, so the
# broker's ACL check prevents node-A from publishing to nodes/node-B/api_key
# or any other node's namespace. Note that "pattern" rules are global: they
# apply to every client regardless of the preceding "user" line, and the
# scoping rests on the client ID the node presents, not on the shared
# drb-node credential.
pattern readwrite nodes/%c/#
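To see exactly which operations the two rules above permit, here is a small Python emulation of the broker's decision, added here as an illustration rather than code from the gist or from Mosquitto itself. It parses the file's `topic` and `pattern` directives, substitutes `%c` with the connecting client's MQTT client ID, applies MQTT wildcard matching, and mirrors Mosquitto's refusal to expand a pattern for a client ID that itself contains `+` or `#`. The usernames, client IDs and topics in `demo()` are constructed sample values; only read/write/readwrite rules are modelled (no `deny` lines).

```python
"""Emulate the Mosquitto ACL decisions made by the file above.

Added illustration, not code from the gist or from Mosquitto: it parses the
file's two rules, substitutes %c with the connecting client's MQTT client ID,
and applies MQTT wildcard matching so you can see which publishes and
subscriptions the broker would permit.  Only read / write / readwrite rules
are modelled (no "deny" lines).
"""
from dataclasses import dataclass
from typing import Optional

# Constructed: the directives from the ACL above, comments removed.
ACL_TEXT = """
user drb-c2-core
topic readwrite #

pattern readwrite nodes/%c/#
"""


@dataclass
class Rule:
    kind: str            # "topic" (bound to the preceding user line) or "pattern" (global)
    user: Optional[str]  # username for topic rules; None for pattern rules
    access: str          # "read", "write" or "readwrite"
    filt: str            # topic filter; pattern rules may contain %c / %u


def parse_acl(text: str) -> list[Rule]:
    """Parse Mosquitto ACL directives. Only whole-line '#' comments are skipped,
    because '#' is also the multi-level wildcard inside a topic filter."""
    rules: list[Rule] = []
    current_user: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        parts = rest.split()
        if key == "user":
            current_user = parts[0]
        elif key in ("topic", "pattern"):
            # Mosquitto accepts "topic <filter>" as shorthand for readwrite.
            access, filt = (parts[0], parts[1]) if len(parts) == 2 else ("readwrite", parts[0])
            rules.append(Rule(key, current_user if key == "topic" else None, access, filt))
    return rules


def topic_matches(filt: str, topic: str) -> bool:
    """MQTT wildcard match: '+' is one level, '#' is zero or more trailing levels."""
    f_parts, t_parts = filt.split("/"), topic.split("/")
    for i, part in enumerate(f_parts):
        if part == "#":
            return True
        if i >= len(t_parts) or (part != "+" and part != t_parts[i]):
            return False
    return len(f_parts) == len(t_parts)


def acl_allows(rules: list[Rule], username: Optional[str], client_id: str,
               topic: str, access: str) -> bool:
    """True if some rule grants `access` ('read' or 'write') on `topic`."""
    for r in rules:
        if r.access not in (access, "readwrite"):
            continue
        if r.kind == "topic":
            if r.user != username:          # user-bound rule for another principal
                continue
            filt = r.filt
        else:
            # Mosquitto refuses pattern substitution for client IDs containing
            # wildcard characters; otherwise "nodes/%c/#" could expand to "nodes/#/#".
            if "+" in client_id or "#" in client_id:
                continue
            filt = r.filt.replace("%c", client_id).replace("%u", username or "")
        if topic_matches(filt, topic):
            return True
    return False


def demo() -> dict[str, bool]:
    """Decisions for a few constructed publish/subscribe attempts."""
    rules = parse_acl(ACL_TEXT)
    return {
        # node-A inside its own namespace: allowed by the pattern rule
        "node_a_own_status":  acl_allows(rules, "drb-node", "node-A", "nodes/node-A/status", "write"),
        # node-A targeting node-B's namespace: no rule matches
        "node_a_to_node_b":   acl_allows(rules, "drb-node", "node-A", "nodes/node-B/api_key", "write"),
        # the core service: "topic readwrite #" covers everything
        "core_any_topic":     acl_allows(rules, "drb-c2-core", "c2-core-1", "nodes/node-B/api_key", "write"),
        # the pattern keys on client ID, not username: the namespace follows the ID
        # a client presents, which is why the ID binding in mqtt_manager.py matters
        "client_id_decides":  acl_allows(rules, "drb-node", "node-B", "nodes/node-B/api_key", "read"),
        # a wildcard-bearing client ID is denied rather than expanded
        "wildcard_client_id": acl_allows(rules, "drb-node", "#", "nodes/node-B/api_key", "read"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:20s} {'ALLOW' if allowed else 'DENY'}")
```

Run it directly to print one ALLOW/DENY line per case. The `client_id_decides` case is the one to keep in mind when reviewing this ACL: because every edge node authenticates with the same `drb-node` credential, the per-node boundary is only as strong as the broker's trust in the client ID each node presents; per-node credentials with a `%u` pattern would tie the namespace to something the node actually had to authenticate.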