How to make Access Control Lists (ACL) work for Mosquitto MQTT Broker with Auth Plugin?If you planning to strengthening your MQTT service, then access control lists (ACL) are mandatory. Mosquitto broker supports this ACL feature through auth plugins.One versatile auth-plugin for mosquitto that you should consider using is https://github.com/jpmens/mosquitto-auth-plug. It is very flexible, in that it can support multiple backends as auth provider databases, ranging from CDB, Redis to MySQL and Http. However, getting it compiled and making it start to work is not that straight forward or easy. Hence, this post. It gives some starting point to our students who are venturing into Mosquitto Authentication systems to get started.Building the Mosquitto-Auth-PluginThe below steps help you for Ubuntu or its variants. Similar steps should get you going with CentOS or other variants if you replace the apt-get commands with their equivalents, such as yum etc.Install required helper and developer packages firstsudo apt-get install libc-ares-dev libcurl4-openssl-dev libmysqlclient-devGet Mosquitto source and build itGet source from: http://mosquitto.org/download/tar xvzf mosquitto-1.3.5.tar.gzcd mosquitto-1.3.5make mosquittosudo make installGet mosquitto-auth-plug source and create a suitable configuration filegit clone https://github.com/jpmens/mosquitto-auth-plug.gitcd mosquitto-auth-plugcp config.mk.in config.mkEdit the created config.mk file to suit your needsvi config.mkInstall the appropriate backend developer files (e.g. redis backend)git clone https://github.com/redis/hiredis.gitmake && make installInside the mosquitto-auth-plug directory use the make command to build the plugin and move it next tomosquitto.conf filemakemv auth-plug.so /etc/mosquitto/Edit the Mosquitto configuration filemv /etc/mosquitto/mosquitto.conf.example /etc/mosquitto/mosquitto.confvi /etc/mosquitto/mosquitto.confEditing the Mosquitto configuration for enabling Auth PluginInside your mosquitto.conf file you should indicate the auth-plugin options to let the mosquitto MQTT broker know that you are planning on using an auth-plugin and where it is located on the disk.Note: Mosquitto MQTT broker usually runs under the identify of an user named mosquitto. So, you should ensure the path toauth-plug.so is accessible to the mosquitto user. You can set permissions using chown and/or chmod commands.Edit the /etc/mosquitto/mosquitto.conf file to have its content look something like below (you should search for auth_plugin field in that file):auth_plugin /etc/mosquitto/auth-plug.soauth_opt_backends mysqlauth_opt_redis_host 162.252.108.129auth_opt_redis_port 12885auth_opt_host sql3.freemysqlhosting.netauth_opt_port 3306auth_opt_dbname sql366410auth_opt_user sql366410auth_opt_pass nX4*jZ3%auth_opt_userquery SELECT pw FROM users WHERE username = ‘%s’auth_opt_superquery SELECT COUNT(*) FROM users WHERE username = ‘%s’ AND super = 1auth_opt_aclquery SELECT topic FROM acls WHERE (username = ‘%s’) AND (rw >= %d)auth_opt_anonusername AnonymouSRead the documentation at https://github.com/jpmens/mosquitto-auth-plug to know more about what these fields are how to customize them.Testing the ACL workings with Mosquitto BrokerOnce you have edited the mosquitto configuration file to indicate the auth-plugin presence and its backend options, you are ready to deploy it. But before that you need to actually create the user and acl databases in your chosen backend database. In the below few steps are illustrated for mysql as an example database, but the steps should be similar for other databases too.As a first step, you want to create tables inside your chosen backend database. For mysql you can do this easily using the sample sql script in the examples directory of mosquitto-auth-plug source codeUse the np application found in the mosquitto-auth-plug directory to generate the PBKDF2 strings for passwordsCreate new user records with generated PBKDF2 strings in the mysql user tableEdit the acl table to add new topics and restrictions for the created usersStart the mosquitto broker with the modified configuration/usr/local/sbin/mosquitto -c /etc/mosquitto/mosquitto.confRun a sample sub instancemosquitto_sub -t “topic” -u userName -P passwordRun a sample pub instancemosquitto_pub -t ‘topic’ -m message -u userName -P passwordPoints to remember:You never store actual passwords in the backend databases. Only the PBKDF2 strings of the passwords.When you are starting mosquitto_sub and mosquitto_pub you need to use original passwords (and not PBKDF2 strings).PBKDF2 strings are not reversible – that is, for the same password you are not guaranteed to get the same PBKDF2 string every time. They change. Which means, from PBKDF2 string you cannot get back your original password – so you have to remember your passwords (and not rely upon the database to get them back).Big Data Hadoop Practice Exams
csuarezgfxOctober 7, 2015Log in to Replygreat tutorial thank you. I think I finally got it to work. Would you consider walking us through the pub/sub commands using the auth-plug. I think you could make a great tutorial demonstrating how it works, when it works and when it could possibly give you unexpected responses.
csuarezgfxOctober 8, 2015Log in to ReplyThese lines in your config file will cause this error when trying to authenticate:1444251139: |– mosquitto_auth_unpwd_check(S1)1444251139: |– ** checking backend mysqlYou have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘??S1’’ at line 1config lines:auth_opt_userquery SELECT pw FROM users WHERE username = ‘%s’auth_opt_superquery SELECT COUNT(*) FROM users WHERE username = ‘%s’ AND super = 1auth_opt_aclquery SELECT topic FROM acls WHERE (username = ‘%s’) AND (rw >= %d)all you have to do is replace the curly single quotes with the keyboard straight single quotes and make sure that the final %d also has single quotes:auth_opt_userquery SELECT pw FROM users WHERE username = ‘%s’auth_opt_superquery SELECT COUNT(*) FROM users WHERE username = ‘%s’ AND super = 1auth_opt_aclquery SELECT topic FROM acls WHERE (username = ‘%s’) AND (rw >= ‘%d’)Thank you for the tutorial
My-ClassesOctober 8, 2015Log in to ReplyThank you for the comment. Yes, the quotes are due to the HTML editor transcription and correcting them as you suggested should work.Wish you the besthttp://my-classes.com/
