MQTT Wildcard # usage on root topic with user limited topic permission

[MichaelUray]

RabbitMQ 3.11.13
Erlang 25.3

I did limit the MQTT topic permission for a user to the following topics:
Plants/City1/Hauptstrasse/151
Plants/City1/Hauptstrasse/152

The limitation gets done via the LDAP attribute postal address of the user.
The server configuration looks as followed:

 {topic_access_query,
            {for, [
                {permission, write, 
                    {'or', [
                        {in_group, "cn=administrator, ou=rabbitmq, ou=groups, dc=test, dc=com", "uniqueMember"},
                        {match, {string, "${routing_key}"}, {attribute, "${user_dn}", "postalAddress"}}
                    ]}
                },
                {permission, read, 
                    {'or', [
                        {in_group, "cn=administrator, ou=rabbitmq, ou=groups, dc=test, dc=com", "uniqueMember"},
                        {match, {string, "${routing_key}"}, {attribute, "${user_dn}", "postalAddress"}}
                    ]}
                }
            ]}
        }

The according user object has two attributes with postalAddress, which are set as followed:
Plants.City1.Hauptstrasse.151
Plants.City1.Hauptstrasse.152
Means, the user should only be able to acces these two topics.

If I subscribe with the wildcard to the two topics seperately, then it works fine,
Plants/City1/Hauptstrasse/151/#
Plants/City1/Hauptstrasse/152/#

but when I subscribe to the root wildcard, then it fails.
#

The log shows that the permission got denied to the root topic #

2023-08-19 13:12:33.398963+02:00 [info] <0.23453.17> accepting MQTT connection <0.23453.17> (172.18.0.8:42416 -> 172.18.0.14:1883, client id: mqttx_d94a9e4e)
2023-08-19 13:12:33.446006+02:00 [error] <0.23472.17> Channel error on connection <0.23459.17> (172.18.0.8:42416 -> 172.18.0.14:1883, vhost: '/', user: '[email protected]'), channel 1:
2023-08-19 13:12:33.446006+02:00 [error] <0.23472.17> operation queue.bind caused a channel exception access_refused: access to topic '#' in exchange 'amq.topic' in vhost '/' refused for user '[email protected]'
2023-08-19 13:12:33.446307+02:00 [error] <0.23453.17> MQTT protocol error on connection 172.18.0.8:42416 -> 172.18.0.14:1883: access_refused

I expected to get all the topics back to which the user has permission to when I place the # wildcard on the root, but it just denies the access.

Is this the desired behaviour?

[lukebakken]

but when I subscibe to the root wildcard, then it fails.

What is "then"?

Could you please provide a series of commands I can run to see what you are observing? Right now a lot of details are being left out.

[MichaelUray]

I did add some more information to my original post, as well as the log results when I try to subscribe to #.

Not sure what you mean with a series of commands, I just subscribe to the topics mentioned above with a MQTT client software like MQTT Explorer.

$\textcolor{green}{\textsf{Works:}}$

$\textcolor{red}{\textsf{Fails:}}$

[ansd]

Yes, this is desired behaviour.

Subscribing to topic # must fail if the user hasn't sufficient permissions to subscribe to all topics. RabbitMQ must not return "Success" for such a subscription and subsequently silently return only a subset of messages the user actually has permissions for.
Subscribing to topic # means that RabbitMQ creates a queue and binds it to the topic exchange receiving all messages published to the topic exchange. When binding the MQTT queue to the topic exchange, multiple access control checks take place. The user must have the following permissions:

• Writing to the queue
• Reading from the exchange
• Reading from the topics.

See https://www.rabbitmq.com/access-control.html#authorisation

Assigning permissions in RabbitMQ do not act automatically as an MQTT topic filter.