HiveMQ Sparkplug Security

Hi Everyone, I’m trying to connect MQTT Transmission to HiveMQ with topic security and finding some issues, so any support would be much appreciated. It seems security is done using a file based extension called RBAC or a database connection using the ESE extension. For initial setup and testing, I'm trying to use RBAC.

My environment is MQTT Transmission, HiveMQ Broker, and MQTT Engine.
Using RBAC, I have a user called engine1 which has full read/write capabilities on all topics (admin role on the rbac file below).
I have another user called tx1 which has access to any topics that start with spBv1.0 (tx1 role on the rbac file below). This would include the spBv1.0/STATE, and spBv1.0/GroupID/EdgeID/DeviceID topics utilized in Sparkplug.

Everything works as expected when both Engine and Transmission are connected using the admin role. Transmission fails when using the tx1 role. Ignition logs show the MQTT Transmitter claiming it cannot connect to STATE/PrimaryHostID.

Using MQTT Explorer, I can read/write to the spBv1.0/STATE, and spBv1.0/GroupID/EdgeID/DeviceID topics with the tx1 user.

Once this hurdle is crossed, I do want to create further restrictions on tx1 to say spBv1.0/STATE and spBv1.0/GroupID/#

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<file-rbac>
    <users>
        <user>
            <name>engine1</name>
            <password>pass</password>
            <roles>
                <id>admin</id>
            </roles>
        </user>
        <user>
            <name>tx1</name>
            <password>pass</password>
            <roles>
                <id>tx1</id>
            </roles>
        </user>
    </users>
    <roles>
        <role>
            <id>admin</id>
            <permissions>
                <permission>
                    <topic>#</topic>
                </permission>
            </permissions>
        </role>
        <role>
            <id>tx1</id>
            <permissions>
                <permission>
                    <topic>spBv1.0/#</topic>
                </permission>
            </permissions>
        </role>
    </roles>
</file-rbac>

As your error message states, you also need to give access to the legacy STATE/PrimaryHostID topic in addition to spBv1.0/#, since it connects to both in order to support both the legacy state topic and the new state topic.

Edit: Here's an example of some ACL rules I use on the systems I've set up:

Edge (MQTT Transmission):

Allow Sub: STATE/<ProjectName>
Allow Sub: spBv1.0/STATE/<ProjectName>
Allow Pub/Sub: spBv1.0/<UnitName>/#
Default Deny

Standard (MQTT Engine):

Allow Pub/Sub: STATE/<ProjectName>
Allow Pub/Sub: spBv1.0/#
Default Deny
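As an added illustration (this is not code from the thread, from HiveMQ or from Cirrus Link), the Python below implements standard MQTT topic-filter matching and a default-deny ACL check, then evaluates the tx1 role from the question and the edge/engine rule sets from the reply against the topics an edge node and a primary host actually touch. The placeholders from the reply are filled with constructed values (ProjectName = PrimaryHostID, UnitName = GroupID) and the Sparkplug B message topics are constructed samples; the rule and access lists are assumptions made for the example.

```python
"""Check MQTT ACL rule sets against concrete Sparkplug topics (default deny).

Added example: rule sets and sample topics are constructed for illustration.
"""
from dataclasses import dataclass


def topic_filter_matches(topic_filter: str, topic: str) -> bool:
    """Return True if an MQTT topic filter (with + and # wildcards) matches a
    concrete topic name, following the MQTT 3.1.1 / 5.0 matching rules."""
    # Wildcards never match a topic whose first level starts with '$' ($SYS/...).
    if topic.startswith("$") and topic_filter[:1] in ("+", "#"):
        return False
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            # '#' is only valid as the last level; it matches the parent and everything below.
            return i == len(f_levels) - 1
        if i >= len(t_levels):
            return False
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


@dataclass(frozen=True)
class Rule:
    """One allow rule; anything not matched by an allow rule is denied."""
    topic_filter: str
    publish: bool = True
    subscribe: bool = True


def is_allowed(rules: list, topic: str, action: str) -> bool:
    """Default deny: the action is allowed only if some rule grants it.
    Rules are matched against concrete topic names; whether a broker lets a
    client subscribe to a wildcard filter such as spBv1.0/# depends on the
    broker's own covering check and is not modelled here."""
    if action not in ("publish", "subscribe"):
        raise ValueError(f"unknown action: {action}")
    for rule in rules:
        granted = rule.publish if action == "publish" else rule.subscribe
        if granted and topic_filter_matches(rule.topic_filter, topic):
            return True
    return False


def denied_for(rules: list, accesses: list) -> list:
    """Return the (topic, action) pairs that the rule set does not allow."""
    return [(t, a) for t, a in accesses if not is_allowed(rules, t, a)]


# The tx1 role from the question's RBAC file: only spBv1.0/# (default deny).
TX1_ROLE = [Rule("spBv1.0/#")]

# The reply's edge (MQTT Transmission) rules with constructed placeholder values.
EDGE_RULES = [
    Rule("STATE/PrimaryHostID", publish=False),          # legacy state topic, subscribe only
    Rule("spBv1.0/STATE/PrimaryHostID", publish=False),  # Sparkplug state topic, subscribe only
    Rule("spBv1.0/GroupID/#"),                           # the edge node's own group
]

# The reply's standard (MQTT Engine) rules with the same placeholder values.
ENGINE_RULES = [Rule("STATE/PrimaryHostID"), Rule("spBv1.0/#")]

# Constructed sample of what an edge node does at startup (Sparkplug B topic layout:
# spBv1.0/<group>/<message type>/<edge node>[/<device>]).
TRANSMISSION_ACCESSES = [
    ("STATE/PrimaryHostID", "subscribe"),
    ("spBv1.0/STATE/PrimaryHostID", "subscribe"),
    ("spBv1.0/GroupID/NBIRTH/EdgeID", "publish"),
    ("spBv1.0/GroupID/DBIRTH/EdgeID/DeviceID", "publish"),
    ("spBv1.0/GroupID/NCMD/EdgeID", "subscribe"),
]

# Constructed sample of what the primary host does.
ENGINE_ACCESSES = [
    ("STATE/PrimaryHostID", "publish"),
    ("spBv1.0/STATE/PrimaryHostID", "publish"),
    ("spBv1.0/GroupID/NBIRTH/EdgeID", "subscribe"),
    ("spBv1.0/GroupID/NCMD/EdgeID", "publish"),
]

if __name__ == "__main__":
    print("tx1 role denies:   ", denied_for(TX1_ROLE, TRANSMISSION_ACCESSES))
    print("edge rules deny:   ", denied_for(EDGE_RULES, TRANSMISSION_ACCESSES))
    print("engine rules deny: ", denied_for(ENGINE_RULES, ENGINE_ACCESSES))
```

Running it reproduces the failure from the question: the tx1 role denies exactly the legacy `STATE/PrimaryHostID` subscription, because `spBv1.0/#` only matches topics under the `spBv1.0` level, while the reply's edge rules allow everything the edge node needs and still refuse it publishing to the state topics or into another group.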

Aha! Yes, you're correct.
I needed the legacy STATE/# included also... I was watching comms on MQTT Explorer and no one ever publishes to that topic, so it doesn't appear in the list, and when reading the error I thought it had just left the spBv1.0 part out as it was implied. It is included in Cirrus Link's documentation and I remember reading the particular page... just not that specific item though!
Thank You