HiveMQ Cloud: Understanding Caching Behavior for Roles and Permissions
Problem
When using HiveMQ Cloud, updates to roles and permissions may not take effect immediately for existing users due to caching. This article explains how this works, common symptoms, and best practices to avoid confusion during role and permission changes.
π Symptoms
You may observe the following when updating permissions for a user:
A client fails to publish/subscribe to a newly added topic
Role changes donβt seem to apply immediately
Web client disconnects after publishing to a new topic
Everything works as expected only when creating a new user
Β
π§ Root Cause
HiveMQ Cloud implements caching for role and permission mappings to optimize performance and scalability. When a role is updated or new topic permissions are added:
Existing users assigned to that role will not pick up changes immediately
New users created with the updated role will receive the latest permissions right away
This behavior is by design and is tracked on HiveMQ's product improvement roadmap.
Solution
1. Use New Users/Roles for Immediate Changes
When testing new topic permissions or updated roles, create a new access credential (username/password). The new user will pick up the latest role configuration instantly.
2. Test with MQTT CLI
Use the MQTT CLI to verify whether new permissions are active:
mqtt pub -i testid1 -h <your-cluster-url> -t <your-topic> -u <username> -pw <password> -p 8883 -s -d -q 2 -V 5 -m "Testing role update" Check whether the message is published successfully or the client is disconnected due to unauthorized access.