Summary
is_internal_entity_topic in topic_rules.rs treats all $DB/_* topics as internal by default, which blocks non-admin users from publishing to $DB/_sub/subscribe. The mqdb subscribe CLI command uses this topic (crates/mqdb-cli/src/commands/crud.rs:337-346).
mqdb watch is unaffected — it uses $DB/{entity}/events/# which falls under the ReadOnly tier.
Observed behavior
A non-admin MQTT user publishing to $DB/_sub/subscribe gets denied with InternalEntityAccess.
Expected behavior
Needs a product decision: should $DB/_sub/subscribe be admin-only or user-callable? If user-callable, add _sub to the allowlist in is_internal_entity_topic. If admin-only, update the CLI and docs accordingly.
Files
crates/mqdb-agent/src/topic_rules.rs — is_internal_entity_topic allowlistcrates/mqdb-cli/src/commands/crud.rs — cmd_subscribe function
Summary
is_internal_entity_topicintopic_rules.rstreats all$DB/_*topics as internal by default, which blocks non-admin users from publishing to$DB/_sub/subscribe. Themqdb subscribeCLI command uses this topic (crates/mqdb-cli/src/commands/crud.rs:337-346).mqdb watchis unaffected — it uses$DB/{entity}/events/#which falls under theReadOnlytier.Observed behavior
A non-admin MQTT user publishing to
$DB/_sub/subscribegets denied withInternalEntityAccess.Expected behavior
Needs a product decision: should
$DB/_sub/subscribebe admin-only or user-callable? If user-callable, add_subto the allowlist inis_internal_entity_topic. If admin-only, update the CLI and docs accordingly.Files
crates/mqdb-agent/src/topic_rules.rs—is_internal_entity_topicallowlistcrates/mqdb-cli/src/commands/crud.rs—cmd_subscribefunction