What's the current state of user level access control? #146
Unanswered
josephduchesne asked this question in Q&A
Replies: 0 comments
Hi,
I've searched discussion, issues and blog posts and found some discussion about user level ACL (for example enabling read/write access on per-user specific paths).
I'm currently using MQTT for a system that has authentication where per-device topics exist:
for example a device schema like /devices/deviceType/deviceId/* might have:
That way the device can subscribe to /devices/climate_sensor/123/settings/update_interval or /devices/climate_sensor/123/settings/warning_threshold, but not change its own settings, and it can publish /devices/climate_sensor/123/data/temperature and /devices/climate_sensor/123/data/humidity, but the client credentials wouldn't allow snooping on a device's data by subscribing to those topics if the key was dumped/stolen. Obviously for a temperature sensor this isn't a major concern, but you can imagine devices where this is more serious (door lock state for example). Similarly you don't want someone grabbing credentials from a hypothetical wifi temperature sensor and using it to unlock your front door, or turn your lights on at 3am. (My use case isn't this home automation example but it's easier to discuss a non-proprietary use case that shares the same core concerns).

All I've found in discussion around this issue is per-interface security, and references to tasks that have broken links to eclipse boards (it looks like the project migrated to github roadmaps and some links broke).
This relates to:
#67
https://zenoh.io/blog/2020-06-29-zenoh-tidings/ also mentions user level security but nothing specific.
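The per-device policy described in the question, written as a default-deny check. This is an added example, not part of the original post and not Zenoh's or any broker's API. The rule templates (generalized here to `settings/#` and `data/+`), the identity fields and the function names are assumptions.

```python
# Added illustration of a per-device topic ACL with MQTT-style wildcards.
# Rule templates, identity fields and function names are hypothetical.

# (action, topic filter template). Default deny: anything not listed is refused.
DEVICE_RULES = [
    ("subscribe", "/devices/{type}/{id}/settings/#"),  # device may read its settings
    ("publish",   "/devices/{type}/{id}/data/+"),      # device may report its data
]
WILDCARDS = {"+", "#"}

def filter_within(requested, allowed):
    """True if every topic matched by `requested` is also matched by `allowed`.

    '+' matches exactly one level; a trailing '#' matches all remaining levels.
    A concrete topic is treated as a filter that matches only itself.
    """
    r, a = requested.split("/"), allowed.split("/")
    for i, part in enumerate(a):
        if part == "#":
            return i == len(a) - 1          # '#' is only valid as the last level
        if i >= len(r) or r[i] == "#":
            return False                    # requested is shorter or broader
        if part != "+" and r[i] != part:
            return False                    # literal level must match exactly
    return len(r) == len(a)

def is_allowed(identity, action, topic):
    """identity comes from authentication, e.g. {'type': 'climate_sensor', 'id': '123'}."""
    # An identity value containing '/', '+' or '#' could widen the template.
    if any(set(v) & {"/", "+", "#"} for v in identity.values()):
        return False
    # Wildcards are meaningful in subscriptions only, never in a publish topic.
    if action == "publish" and WILDCARDS & set(topic.split("/")):
        return False
    return any(
        rule_action == action and filter_within(topic, template.format(**identity))
        for rule_action, template in DEVICE_RULES
    )

# Constructed sample identity for the climate sensor used in the question.
SENSOR = {"type": "climate_sensor", "id": "123"}
```

Checking that a requested subscription filter is contained in the allowed filter, rather than only matching concrete topics, is what stops stolen sensor credentials from subscribing to a broader filter such as `/devices/#`.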