Description
Main question:
Is it possible to authorize only devices from the "Associated client devices" list from the Core device?
Actual
The situation is the following: we have an Auth component with a configuration that uses a wildcard for thing names and allows all actions on all resources.
```json
{
  "deviceGroups": {
    "formatVersion": "2021-03-05",
    "definitions": {
      "AllPermissiveDeviceGroup": {
        "selectionRule": "thingName: *",
        "policyName": "AllPermissivePolicy"
      }
    },
    "policies": {
      "AllPermissivePolicy": {
        "AllowAll": {
          "statementDescription": "Allow client devices to perform all actions.",
          "operations": [
            "*"
          ],
          "resources": [
            "*"
          ]
        }
      }
    }
  }
}
```
The actual behavior is that all devices can access the resource, in our case MQTT (using EMQX), using the Auth CA, the Core device's instance hostname, etc. We do not use the Discovery API to get the connectivity info, so we pass the CA cert and hostname in another way.
We send messages from the devices to a topic that is specified in the Bridge config.
The result is that any device that has the CA cert is able to send a message, even if it is not associated with the Core device.
Expected
The expected behavior was that unassociated devices wouldn't be able to connect through this Core device and send any messages to the cloud, without adding specific name patterns to the Auth configuration.
Is it only possible by using the Discovery API on the client side, or by specifying a thing name or a thing group name?
Actually, I didn't find clear information about this, so it's more a question than a defect.
I found that it works in connection with the Discovery API and for storing client credentials. I just wanted to know whether it is possible to achieve this without using the Discovery API.
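As an added illustration (not the issue author's configuration), here is the same component configured with a narrower device group: the selection rule admits only thing names carrying an agreed prefix instead of `*`, and the policy grants MQTT connect and publish on a per-device topic instead of all operations on all resources, so a device holding a valid certificate but an unexpected thing name matches no group and gets no permissions. The `fleet-` prefix and the `fleet/<thing>/telemetry` topic layout are assumptions for the example; the `mqtt:connect`/`mqtt:publish` operations, `mqtt:clientId:`/`mqtt:topic:` resources and the `${iot:Connection.Thing.ThingName}` policy variable are assumed to be supported by the deployed client device auth version.

```json
{
  "deviceGroups": {
    "formatVersion": "2021-03-05",
    "definitions": {
      "FleetDeviceGroup": {
        "selectionRule": "thingName: fleet-*",
        "policyName": "FleetTelemetryPolicy"
      }
    },
    "policies": {
      "FleetTelemetryPolicy": {
        "ConnectAsOwnThing": {
          "statementDescription": "Example (assumed prefix fleet-): a device may connect only with its own thing name as the MQTT client ID.",
          "operations": [
            "mqtt:connect"
          ],
          "resources": [
            "mqtt:clientId:${iot:Connection.Thing.ThingName}"
          ]
        },
        "PublishOwnTelemetry": {
          "statementDescription": "Example (assumed topic layout): a device may publish only to its own telemetry topic.",
          "operations": [
            "mqtt:publish"
          ],
          "resources": [
            "mqtt:topic:fleet/${iot:Connection.Thing.ThingName}/telemetry"
          ]
        }
      }
    }
  }
}
```

The Bridge topic mapping then only needs to forward `fleet/+/telemetry`, and any device outside the prefix is rejected at connect time rather than at the broker.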