adjust readme for new plugin

Wolfgang Hottgenroth 2019-06-13 12:47:38 +02:00
parent ecff235b92
commit 1e87080c9d
Signed by: wn
GPG Key ID: 6C1E5E531E0D5D7F
5 changed files with 59 additions and 127 deletions

LICENSE (111 lines changed)

@ -20,114 +20,3 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE. SOFTWARE.
mosquitto-auth-plug and its components are licensed as follows:
-----------------------------------------------------------------------------
Copyright (c) 2013 Jan-Piet Mens <jp()mens.de>
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. Neither the name of mosquitto nor the names of its
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
b64.[ch] is:
--------------------------------------------------------------
/*
* Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Hgskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the Kungliga Tekniska
* Hgskolan and its contributors.
*
* 4. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
TinyCDB (http://www.corpit.ru/mjt/tinycdb.html) is:
--------------------------------------------------------------
The code is in public domain, that is, you may do anything you want with it.
uthash.h is:
-------------------------------
/*
Copyright (c) 2003-2013, Troy D. Hanson http://troydhanson.github.com/uthash/
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
mosquitto
----------------------------------------------------------------------------
This project is dual licensed under the Eclipse Public License 1.0 and the
Eclipse Distribution License 1.0 as described in the epl-v10 and edl-v10 files.
For the particular license files see in the submodule itself.
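Review bot: the deleted block removes every third-party notice for mosquitto-auth-plug, b64.[ch], TinyCDB and uthash.h but adds nothing for mosquitto-go-auth, which the README in this same commit now lists as a submodule; add its license terms, or at least a pointer to the license file inside that submodule, the way the remaining mosquitto section already does.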

create-schema.sql (new file, 17 lines)

@ -0,0 +1,17 @@
CREATE TABLE users (
id INTEGER AUTO_INCREMENT,
username VARCHAR(25) NOT NULL,
pw VARCHAR(512) NOT NULL,
super INT(1) NOT NULL DEFAULT 0,
PRIMARY KEY (id)
);
CREATE UNIQUE INDEX users_username ON users (username);
CREATE TABLE acls (
id INTEGER AUTO_INCREMENT,
username VARCHAR(25) NOT NULL,
topic VARCHAR(256) NOT NULL,
rw INTEGER(1) NOT NULL DEFAULT 1, -- 1 is read, 2 is write, 3 is readwrite, 4 is subscribe
PRIMARY KEY (id)
);
CREATE UNIQUE INDEX acls_user_topic ON acls (username, topic(228));
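Review bot: this file duplicates the schema that is also embedded in the README, and the two have already drifted once in this commit (the README's `pw` column moves from VARCHAR(128) to VARCHAR(512) here); keep this file as the single source and have the README refer to it. The comment on `rw` should also state that the column is a bitmask, since the README sets it to 5 and 7 for read-only and read-write users, values the comment does not list.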

hints.txt (new file, 1 line)

@ -0,0 +1 @@
{ "topic": "mock/topic", "clientid": "mock_client", "acc": 1 //1 is read, 2 is write, 3 is readwrite, 4 is subscribe }
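Review bot: the `//1 is read, ...` comment sits inside the JSON object, so the line is not valid JSON and anything that parses it will reject it; move the comment to its own line outside the braces (or drop it, since the same legend is in create-schema.sql) and keep the object as `{ "topic": "mock/topic", "clientid": "mock_client", "acc": 1 }`.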

mosquitto.conf-sample (new file, 21 lines)

@ -0,0 +1,21 @@
log_dest stdout
persistence false
listener 1883
protocol mqtt
#allow_anonymous true
allow_anonymous false
auth_plugin /opt/lib/go-auth.so
auth_opt_log_dest stdout
auth_opt_log_level debug
auth_opt_backends mysql
auth_opt_mysql_host mariadb
auth_opt_mysql_port 3306
auth_opt_mysql_dbname mosquittoauth
auth_opt_mysql_user mosquittoauth
auth_opt_mysql_password xxx
auth_opt_mysql_allow_native_passwords true
auth_opt_mysql_userquery SELECT pw FROM users WHERE username = ?
auth_opt_mysql_aclquery SELECT topic FROM acls WHERE username = ? AND (rw & ?) != 0
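Review bot: `auth_opt_mysql_aclquery` grants access whenever any bit of the requested access is present in `rw`, so if the plugin ever hands over the combined value 3 (which the schema comment calls readwrite), a row with `rw = 1` (read only) satisfies `(1 & 3) != 0` and the request is allowed; document that the query relies on the broker passing single bits, or require all requested bits to match. The sample also ships with `auth_opt_log_level debug`; for a file meant to be copied into deployments, `info` is the better default, with debug reserved for troubleshooting.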

README (file name not rendered on this page)

@ -1,11 +1,9 @@
# Docker Image containing the Mosquitto MQTT Broker and the mosquitto-auth-plug # Docker Image containing the Mosquitto MQTT Broker and the mosquitto-auth-plug
This project includes the mosquitto MQTT broker (https://github.com/eclipse/mosquitto, see also https://mosquitto.org/) and the mosquitto-auth-plug (https://github.com/jpmens/mosquitto-auth-plug, forked into https://github.com/wollud1969/mosquitto-auth-plug) as submodules. This project includes the mosquitto MQTT broker (https://github.com/eclipse/mosquitto, see also https://mosquitto.org/) and the mosquitto-go-auth (https://github.com/iegomez/mosquitto-go-auth forked into https://github.com/wollud1969/mosquitto-go-auth) as submodules.
Using Gitlab CI and a Dockerfile included in this project a Docker image based on Debian Linux is created. Using Gitlab CI and a Dockerfile included in this project a Docker image based on Debian Linux is created.
Note, please: the author of mosquitto-auth-plug has archived his project because he don't want to be bothered concerning this software he is not longer using anymore. So, please, don't be tempted to send him questions again because you find this image useful but run into problems. Read the available resources first, finally you may contact me.
## Mosquitto MQTT Broker ## Mosquitto MQTT Broker
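Review bot: the heading on the first line of the README still reads "... and the mosquitto-auth-plug" although the paragraph below it now names mosquitto-go-auth; update the heading to match. The removed paragraph about the archived upstream was also the only place that told readers where to take questions; if that guidance still applies to the fork, keep a shortened version.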
@ -49,7 +47,6 @@ The container expects the main configuration file in the root of the volume name
A very simple configuration, only supporting MQTT on port 1883 is: A very simple configuration, only supporting MQTT on port 1883 is:
pid_file /var/run/mosquitto.pid
log_dest stdout log_dest stdout
persistence false persistence false
@ -59,22 +56,29 @@ A very simple configuration, only supporting MQTT on port 1883 is:
#allow_anonymous true #allow_anonymous true
allow_anonymous false allow_anonymous false
auth_plugin /opt/lib/auth-plug.so auth_plugin /opt/lib/go-auth.so
auth_opt_log_dest stdout
auth_opt_log_level debug
auth_opt_backends mysql auth_opt_backends mysql
auth_opt_host mariadb auth_opt_mysql_host mariadb
auth_opt_port 3306 auth_opt_mysql_port 3306
auth_opt_dbname mosquittoauth auth_opt_mysql_dbname mosquittoauth
auth_opt_user mosquittoauth auth_opt_mysql_user mosquittoauth
auth_opt_pass xxx auth_opt_mysql_password ieh4weiF
auth_opt_userquery SELECT pw FROM users WHERE username = '%s' auth_opt_mysql_allow_native_passwords true
auth_opt_aclquery SELECT topic FROM acls WHERE username = '%s' and rw >= %d auth_opt_mysql_userquery SELECT pw FROM users WHERE username = ?
auth_opt_mysql_aclquery SELECT topic FROM acls WHERE username = ? AND (rw & ?) != 0
The original readme of the mosquitto-go-auth plugin proposes a different acl query. However, that one didn't work for me.
Maybe the meaning of the access attribute handed over from mosquitto core to the plugin has been changed in between.
Actually, it appears to me that the meaning of this attribute has to be interpreted bitwise: Bit0 (1) is read access, Bit1 (2) is write access (publish), Bit0 and Bit1 (3) is readwrite access and Bit2 (4) is subscribe access. Write access is obviously and verified be test publish and subscribe access is also obviously subscribe. Currently I don't know what is meant be read access. For this reason I'm using a bitwise operation in the acl query. I set the rw column for those users who should have read-only access to 5 (1&4), for users who should only publish to 2 and for those ones who should read and write to 7 (1&2&4).
The required schema in the database is The required schema in the database is
CREATE TABLE users ( CREATE TABLE users (
id INTEGER AUTO_INCREMENT, id INTEGER AUTO_INCREMENT,
username VARCHAR(25) NOT NULL, username VARCHAR(25) NOT NULL,
pw VARCHAR(128) NOT NULL, pw VARCHAR(512) NOT NULL,
super INT(1) NOT NULL DEFAULT 0, super INT(1) NOT NULL DEFAULT 0,
PRIMARY KEY (id) PRIMARY KEY (id)
); );
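Review bot: the README example config now carries a real-looking password (`auth_opt_mysql_password ieh4weiF`) while mosquitto.conf-sample in the same commit uses the placeholder `xxx`; use the placeholder here too, so no live credential sits in the docs and nobody deploys the documented one. In the explanatory paragraph, `5 (1&4)` and `7 (1&2&4)` describe a bitwise OR, not AND (1 & 4 is 0), so write `1|4` and `1|2|4`; "verified be test" and "meant be read" should read "verified by test" and "meant by read".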
@ -84,14 +88,14 @@ The required schema in the database is
id INTEGER AUTO_INCREMENT, id INTEGER AUTO_INCREMENT,
username VARCHAR(25) NOT NULL, username VARCHAR(25) NOT NULL,
topic VARCHAR(256) NOT NULL, topic VARCHAR(256) NOT NULL,
rw INTEGER(1) NOT NULL DEFAULT 1, -- 1: read-only, 2: read-write rw INTEGER(1) NOT NULL DEFAULT 1, -- 1 is read, 2 is write, 3 is readwrite, 4 is subscribe
PRIMARY KEY (id) PRIMARY KEY (id)
); );
CREATE UNIQUE INDEX acls_user_topic ON acls (username, topic(228)); CREATE UNIQUE INDEX acls_user_topic ON acls (username, topic(228));
The password is generated using the `np` tool provided by mosquitto-auth-plug, which is included in the image at `/opt/bin`. It can be used either within the container using `docker exec -it <mosquitto-container> /opt/bin/np`. You may also try to copy it from the container onto your Linux host. It should run, since it is only linked against typical Linux libraries, however, I wouldn't do that. The password is generated using the `pw` tool provided by mosquitto-go-auth, which is included in the image at `/opt/bin`. It can be used either within the container using `docker exec -it <mosquitto-container> /opt/bin/pw`. You may also try to copy it from the container onto your Linux host. It should run, since it is only linked against typical Linux libraries, however, I wouldn't do that.
For further information consult the readme and the examples in the mosquitto-auth-plug project (https://github.com/jpmens/mosquitto-auth-plug or https://github.com/wollud1969/mosquitto-auth-plug). For further information consult the readme and the examples in the mosquitto-go-auth project (https://github.com/iegomez/mosquitto-go-auth or https://github.com/wollud1969/mosquitto-go-auth).
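Review bot: the sentence "It should run, since it is only linked against typical Linux libraries" was written for the old `np` binary and is carried over unchanged to the new `pw` tool; re-check that the claim holds for `pw` before keeping it, and drop it otherwise.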