Managing MQTT filters with MyQttHub to control what can be published

#1

1. Introduction to MyQtthub filters

With MyQttHub filters you can easily:

  • Control what can be PUBLISHed creating policies for allow-then-deny or deny-something-rest-allowed.
  • Use filtering to activate Stashing function to store matched messages into durable MyQttHub storage backend.

We are going to see how filters are configured by example. See next.

2. Creating an allow-then-deny MQTT filter with MyQtthub

In this case you want:

  • To create a filter that allows only certain topics.
  • Optionally allow these topics only to certain list of users
  • Then deny rest of topics PUBLISHed to all users (or optionall to some users).

  1. Go to filters clicking top menu:
    image

  2. …and then Filters:
    image

  3. Now click to add filter (top right):
    image

  4. Now input a label, select a high priority (higher than deny rule; 1 has higher priority than 100), select rule type (limit PUBLISH), leave rule enabled and configure topic filters that are going to be allowed:

    image
    image.png1144x639 27.1 KB

  5. Optionally, if you want to limit this rule to a set of clientId devices, input them by clicking to “ClientIds”:
    image

  6. Once you are done, click “Add filter rule”:
    image

If everything went ok, you should see know your “allow” rule. Now, repeat the process to add a lower priority rule that will deny rest of the traffic. Here is how.

  1. Click to add again, configure another label, set same rule type, lower priority, change “Permission/action” to Reject/deny and then add rule:

    image
    image.png745x636 23.2 KB

  2. Optionally, you configure this deny rule to be only applied to certain users.

After this configuration, PUBLISH messages with allowed/matching topic filter will have “Allow/Ok” action, that is, allow/accept this message right now and stop checking other rules.

Rest of messages not matching with previous rule will match with Deny/Reject rule because we have used “#” in our example. In such case, those messages will be discarded.

3. Creating a MQTT deny filter, then rest allowed with MyQttHub

By default, MyQttHub filter engine will accept/allow any message not matching any rule. So, to create a deny filter to limit certain topics to certain users, you only have to create a deny filter:

image
image.png757x648 26.2 KB

Then, rest of messages (PUBLISH) not matching this filter will be allowed.

4. Format supported for topic filter configuration

Topic filter configuration follows next rules:

  • Configure one topic filter per line
  • Use MQTT topic filter format (events/test/probe, events/+/+, events/#, #, +)
  • It is allowed to use the following wildcards that gets replaced by the connecting userName if used %u and clientId if %c is used.

Valid examples:

  • Matches all topics:
    #

  • Match all topics under events/:
    events/#

  • Match all topics with three levels, where first and third are sports and events, matching any configuration for the middle component:
    sports/+/events

  • Matches all topics starting with current publishing clientId/, like clientId/temp/value:
    %c/#

  • Matches all topics starting with current publishing clientId/ followed by userName:
    %c/%u/stage

  • Basic explicit topic selection:
    central/events/accounting

Note all these examples are just for matching the topic of the PUBLISH or SUBSCRIBE operation. Once matched, the action that applies will be defined by the rule.

Sending messages to specific MQTT devices
How to isolate a device in a topic related to its clientid?
MyQttHub and SparkPlug Spec
Sending messages to specific MQTT devices