Is it possible to have both anonymous and registered clients? Per the documentation, if I enable anonymous clients via allow_anonymous=on, then that completely disables the authentication mechanism.
But by looking at the sample ACL file I was under the impression that I could have both and restrict access to some of the topics to only the registered ones.
Note that allow_anonymous=on only disables authentication in VerneMQ. That is, the provided ClientID/Username/Password will not be matched against any internal authentication store (plugin).
Allowing anonymous clients will not disable authorization. You cannot disable authorization in VerneMQ. If file-based authorization (vmq_acl) is the authorization plugin you use, every publish and subscribe will go through it, for every client.
But without authentication the only thing a client must do to get access to topics registered to a particular user would be to send the correct username (any password would do) during connection.
I guess the behavior I was looking for was to apply allow_anonymous=on only to clients that do not send credentials, while still using your configured auth mechanism (i.e., vmq.passwd) for those that do.
This does not sound like it’s something you want to do from a security perspective.
Currently, there’s a new feature in the main branch (not yet part of a release) that allows setting allow_anonymous on a per-listener basis (listener.tcp.my_listener.allow_anonymous_override=on). This will allow you to separate anonymous listeners from others. The only reason ever to do this in production is to give full authentication to SSL client certs, for a listener.
From a security perspective then, would an alternative to allow_anonymous=on be having a specific user with public credentials for topics that we don’t need/want to secure? This way we could keep the auth mechanism in place for the rest of the users.
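The following is an added example, not code from the thread or from VerneMQ. It models the two stages described above, authentication (vmq_passwd-style password check at CONNECT) followed by authorization (vmq_acl-style file rules on every publish and subscribe), so that the spoofing problem with allow_anonymous=on and the "public guest account" alternative can both be exercised. The ACL syntax it accepts (rules before the first `user` line are global, `topic [read|write] <filter>` with no keyword meaning both, `pattern` lines substituting `%u` and `%c`, MQTT `+`/`#` wildcards) is a simplified reading of the vmq_acl file format, the evaluation order is an assumption for illustration, and the ACL text and password store are constructed samples.

```python
# Added example (not VerneMQ's own code): a minimal model of a VerneMQ connection
# passing through authentication (allow_anonymous=off) and then file-based
# authorization, which runs for every client regardless of allow_anonymous.
# The vmq_acl syntax handled here is a simplified reading of the documented
# format; the evaluation order is an assumption made for illustration.

READ, WRITE = "read", "write"

# Constructed sample ACL file (not from the original thread).
SAMPLE_ACL = """\
# rules before the first 'user' line apply to every client, anonymous included
topic read public/#

# registered user with her own namespace (no read/write keyword = both)
user alice
topic alice/#

# a deliberately public account for topics nobody wants to protect
user guest
topic read open/#

# pattern rules: %u = username, %c = client id
pattern write devices/%u/%c/telemetry
"""

# Constructed vmq_passwd-style store (plaintext only for the demo; the real
# file stores password hashes).
SAMPLE_PASSWD = {"alice": "s3cret", "guest": "guest"}


def _parse_rule(parts):
    """Expand one 'topic ...' or 'pattern ...' line into (access, filter) pairs."""
    if parts[0] in (READ, WRITE):
        return [(parts[0], parts[1])]
    return [(READ, parts[0]), (WRITE, parts[0])]  # no keyword: both directions


def load_acl(text):
    """Parse ACL text into (global_rules, per_user_rules, pattern_rules)."""
    global_rules, user_rules, patterns = [], {}, []
    current = None  # username of the section being read, None = global
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kw, *rest = line.split()
        if kw == "user":
            current = rest[0]
            user_rules.setdefault(current, [])
        elif kw == "topic":
            (user_rules[current] if current else global_rules).extend(_parse_rule(rest))
        elif kw == "pattern":
            patterns.extend(_parse_rule(rest))
        else:
            raise ValueError("unknown ACL keyword: " + kw)
    return global_rules, user_rules, patterns


def topic_matches(filter_, topic):
    """MQTT filter matching: '+' matches one level, '#' the whole remainder."""
    f, t = filter_.split("/"), topic.split("/")
    for i, level in enumerate(f):
        if level == "#":
            return True
        if i >= len(t) or (level != "+" and level != t[i]):
            return False
    return len(f) == len(t)


def authorized(acl, username, client_id, access, topic):
    """Authorization step: global rules, then the rules of the *claimed* username,
    then pattern rules. Anonymous clients simply have username=None."""
    global_rules, user_rules, patterns = acl
    for mode, filt in list(global_rules) + list(user_rules.get(username, [])):
        if mode == access and topic_matches(filt, topic):
            return True
    if username is not None and client_id is not None:
        for mode, filt in patterns:
            filt = filt.replace("%u", username).replace("%c", client_id)
            if mode == access and topic_matches(filt, topic):
                return True
    return False


def connect_and_check(allow_anonymous, username, password, client_id, access, topic,
                      acl_text=SAMPLE_ACL, passwd=SAMPLE_PASSWD):
    """Model one client: CONNECT (authentication) then one PUBLISH/SUBSCRIBE
    (authorization). Returns 'connack_refused', 'authorized' or 'denied'."""
    if not allow_anonymous:
        # authentication enabled: credentials must match the password store
        if username is None or passwd.get(username) != password:
            return "connack_refused"
    # allow_anonymous=on: no credential check at all, so whatever username the
    # client sent is handed straight to the authorization step
    acl = load_acl(acl_text)
    return "authorized" if authorized(acl, username, client_id, access, topic) else "denied"


if __name__ == "__main__":
    # wrong password with authentication on: rejected at CONNECT
    print(connect_and_check(False, "alice", "wrong", "c1", WRITE, "alice/status"))
    # same wrong password with allow_anonymous=on: alice's rules apply anyway
    print(connect_and_check(True, "alice", "wrong", "c1", WRITE, "alice/status"))
    # truly anonymous client: only the global rules apply
    print(connect_and_check(True, None, None, "c1", READ, "public/news"))
    print(connect_and_check(True, None, None, "c1", READ, "alice/status"))
    # the alternative raised in the thread: authentication on, public guest account
    print(connect_and_check(False, "guest", "guest", "c1", READ, "open/weather"))
    print(connect_and_check(False, "guest", "guest", "c1", WRITE, "alice/status"))
```

The second call is the case the reply warns about: with allow_anonymous=on the password is never checked, so a client that merely sends `alice` as its username inherits every rule under `user alice`. The last two calls show the guest-account approach keeping authentication on while still exposing the `open/#` topics to anyone who knows the public credentials, without granting that account anything else.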