mosquitto-with-auth/readme.md

# Docker Image containing the Mosquitto MQTT Broker and the mosquitto-auth-plug

This project includes the mosquitto MQTT broker (https://github.com/eclipse/mosquitto, see also https://mosquitto.org/) and the mosquitto-go-auth (https://github.com/iegomez/mosquitto-go-auth forked into https://github.com/wollud1969/mosquitto-go-auth) as submodules.

Using Gitlab CI and a Dockerfile included in this project a Docker image based on Debian Linux is created.


## Mosquitto MQTT Broker

The Mosquitto MQTT Broker in this Docker image is built beyond the default build configuration with websockets support.


## mosquitto-auth-plug

The mosquitto-auth-plug is build only with the MySQL/MariaDB backend. More than that I do not need at the moment.


## Running the container

The container exposed the ports 1883 (MQTT), 8883 (MQTT over SSL) and 9001 (MQTT over websockets). Only the configuration directory containing `mosquitto.conf` and friends is prepared as a volume.

All logging is send to `stdout`, so it can be inspected using `docker logs -f <mosquitto-container>`

To start the container a script is provided, which might need to adjusted to the actual environment:

    #!/bin/bash

    IMAGE=registry.gitlab.com/wolutator/mosquitto-with-auth:latest
    VOLUME=mosquitto-config

    docker volume inspect $VOLUME > /dev/null || docker volume create $VOLUME

    docker pull $IMAGE

    docker run \
    -d \
    --rm \
    -p1883:1883 \
    -p8883:8883 \
    -p9001:9001 \
    -v $VOLUME:/opt/etc/mosquitto \
    --link mariadb \
    --name mosquitto \
    $IMAGE

The container expects the main configuration file in the root of the volume named `mosquitto.conf`.

A very simple configuration, only supporting MQTT on port 1883 is:

    log_dest stdout

    persistence false

    listener 1883
    protocol mqtt
    #allow_anonymous true
    allow_anonymous false

    auth_plugin /opt/lib/go-auth.so
    auth_opt_log_dest stdout
    auth_opt_log_level debug
    auth_opt_backends mysql
    auth_opt_mysql_host mariadb
    auth_opt_mysql_port 3306
    auth_opt_mysql_dbname mosquittoauth
    auth_opt_mysql_user mosquittoauth
    auth_opt_mysql_password ieh4weiF
    auth_opt_mysql_allow_native_passwords true
    auth_opt_mysql_userquery SELECT pw FROM users WHERE username = ?
    auth_opt_mysql_aclquery SELECT topic FROM acls WHERE username = ? AND (rw & ?) != 0

The original readme of the mosquitto-go-auth plugin proposes a different acl query. However, that one didn't work for me.
Maybe the meaning of the access attribute handed over from mosquitto core to the plugin has been changed in between.
Actually, it appears to me that the meaning of this attribute has to be interpreted bitwise: Bit0 (1) is read access, Bit1 (2) is write access (publish), Bit0 and Bit1 (3) is readwrite access and Bit2 (4) is subscribe access. Write access is obviously and verified be test publish and subscribe access is also obviously subscribe. Currently I don't know what is meant be read access. For this reason I'm using a bitwise operation in the acl query. I set the rw column for those users who should have read-only access to 5 (1&4), for users who should only publish to 2 and for those ones who should read and write to 7 (1&2&4).

The required schema in the database is 

    CREATE TABLE users (
        id INTEGER AUTO_INCREMENT,
        username VARCHAR(25) NOT NULL,
        pw VARCHAR(512) NOT NULL,
        super INT(1) NOT NULL DEFAULT 0,
        PRIMARY KEY (id)
    );
    CREATE UNIQUE INDEX users_username ON users (username);

    CREATE TABLE acls (
        id INTEGER AUTO_INCREMENT,
        username VARCHAR(25) NOT NULL,
        topic VARCHAR(256) NOT NULL,
        rw INTEGER(1) NOT NULL DEFAULT 1,	-- 1 is read, 2 is write, 3 is readwrite, 4 is subscribe
        PRIMARY KEY (id)
        );
    CREATE UNIQUE INDEX acls_user_topic ON acls (username, topic(228));

The password is generated using the `pw` tool provided by mosquitto-go-auth, which is included in the image at `/opt/bin`. It can be used either within the container using `docker exec -it <mosquitto-container> /opt/bin/pw`. You may also try to copy it from the container onto your Linux host. It should run, since it is only linked against typical Linux libraries, however, I wouldn't do that.

For further information consult the readme and the examples in the mosquitto-go-auth project (https://github.com/iegomez/mosquitto-go-auth or https://github.com/wollud1969/mosquitto-go-auth).
readme added 2019-06-12 12:28:07 +02:00			`# Docker Image containing the Mosquitto MQTT Broker and the mosquitto-auth-plug`

adjust readme for new plugin 2019-06-13 12:47:38 +02:00			`This project includes the mosquitto MQTT broker (https://github.com/eclipse/mosquitto, see also https://mosquitto.org/) and the mosquitto-go-auth (https://github.com/iegomez/mosquitto-go-auth forked into https://github.com/wollud1969/mosquitto-go-auth) as submodules.`
readme added 2019-06-12 12:28:07 +02:00
			`Using Gitlab CI and a Dockerfile included in this project a Docker image based on Debian Linux is created.`


			`## Mosquitto MQTT Broker`

			`The Mosquitto MQTT Broker in this Docker image is built beyond the default build configuration with websockets support.`


			`## mosquitto-auth-plug`

			`The mosquitto-auth-plug is build only with the MySQL/MariaDB backend. More than that I do not need at the moment.`


			`## Running the container`

			The container exposed the ports 1883 (MQTT), 8883 (MQTT over SSL) and 9001 (MQTT over websockets). Only the configuration directory containing `mosquitto.conf` and friends is prepared as a volume.

			All logging is send to `stdout`, so it can be inspected using `docker logs -f <mosquitto-container>`

			`To start the container a script is provided, which might need to adjusted to the actual environment:`

			`#!/bin/bash`

			`IMAGE=registry.gitlab.com/wolutator/mosquitto-with-auth:latest`
			`VOLUME=mosquitto-config`

			`docker volume inspect $VOLUME > /dev/null \|\| docker volume create $VOLUME`

			`docker pull $IMAGE`

			`docker run \`
			`-d \`
			`--rm \`
			`-p1883:1883 \`
			`-p8883:8883 \`
			`-p9001:9001 \`
			`-v $VOLUME:/opt/etc/mosquitto \`
			`--link mariadb \`
			`--name mosquitto \`
			`$IMAGE`

			The container expects the main configuration file in the root of the volume named `mosquitto.conf`.

			`A very simple configuration, only supporting MQTT on port 1883 is:`

			`log_dest stdout`

			`persistence false`

			`listener 1883`
			`protocol mqtt`
			`#allow_anonymous true`
			`allow_anonymous false`

adjust readme for new plugin 2019-06-13 12:47:38 +02:00			`auth_plugin /opt/lib/go-auth.so`
			`auth_opt_log_dest stdout`
			`auth_opt_log_level debug`
readme added 2019-06-12 12:28:07 +02:00			`auth_opt_backends mysql`
adjust readme for new plugin 2019-06-13 12:47:38 +02:00			`auth_opt_mysql_host mariadb`
			`auth_opt_mysql_port 3306`
			`auth_opt_mysql_dbname mosquittoauth`
			`auth_opt_mysql_user mosquittoauth`
			`auth_opt_mysql_password ieh4weiF`
			`auth_opt_mysql_allow_native_passwords true`
			`auth_opt_mysql_userquery SELECT pw FROM users WHERE username = ?`
			`auth_opt_mysql_aclquery SELECT topic FROM acls WHERE username = ? AND (rw & ?) != 0`

			`The original readme of the mosquitto-go-auth plugin proposes a different acl query. However, that one didn't work for me.`
			`Maybe the meaning of the access attribute handed over from mosquitto core to the plugin has been changed in between.`
			Actually, it appears to me that the meaning of this attribute has to be interpreted bitwise: Bit0 (1) is read access, Bit1 (2) is write access (publish), Bit0 and Bit1 (3) is readwrite access and Bit2 (4) is subscribe access. Write access is obviously and verified be test publish and subscribe access is also obviously subscribe. Currently I don't know what is meant be read access. For this reason I'm using a bitwise operation in the acl query. I set the rw column for those users who should have read-only access to 5 (1&4), for users who should only publish to 2 and for those ones who should read and write to 7 (1&2&4).
readme added 2019-06-12 12:28:07 +02:00
			`The required schema in the database is`

			`CREATE TABLE users (`
			`id INTEGER AUTO_INCREMENT,`
			`username VARCHAR(25) NOT NULL,`
adjust readme for new plugin 2019-06-13 12:47:38 +02:00			`pw VARCHAR(512) NOT NULL,`
readme added 2019-06-12 12:28:07 +02:00			`super INT(1) NOT NULL DEFAULT 0,`
			`PRIMARY KEY (id)`
			`);`
			`CREATE UNIQUE INDEX users_username ON users (username);`

			`CREATE TABLE acls (`
			`id INTEGER AUTO_INCREMENT,`
			`username VARCHAR(25) NOT NULL,`
			`topic VARCHAR(256) NOT NULL,`
adjust readme for new plugin 2019-06-13 12:47:38 +02:00			`rw INTEGER(1) NOT NULL DEFAULT 1, -- 1 is read, 2 is write, 3 is readwrite, 4 is subscribe`
readme added 2019-06-12 12:28:07 +02:00			`PRIMARY KEY (id)`
			`);`
			`CREATE UNIQUE INDEX acls_user_topic ON acls (username, topic(228));`

adjust readme for new plugin 2019-06-13 12:47:38 +02:00			The password is generated using the `pw` tool provided by mosquitto-go-auth, which is included in the image at `/opt/bin`. It can be used either within the container using `docker exec -it <mosquitto-container> /opt/bin/pw`. You may also try to copy it from the container onto your Linux host. It should run, since it is only linked against typical Linux libraries, however, I wouldn't do that.
readme added 2019-06-12 12:28:07 +02:00
adjust readme for new plugin 2019-06-13 12:47:38 +02:00			`For further information consult the readme and the examples in the mosquitto-go-auth project (https://github.com/iegomez/mosquitto-go-auth or https://github.com/wollud1969/mosquitto-go-auth).`
readme added 2019-06-12 12:28:07 +02:00