wn/mosquitto-with-auth
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
65 Commits 4 Branches 0 Tags
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Wolfgang Hottgenroth 52cee7a950 add tool
2021-05-21 16:06:42 +02:00
parts
new mosquitto upstream version
2020-06-30 14:57:24 +00:00
tools
add tool
2021-05-21 16:06:42 +02:00
.gitlab-ci.yml
new go version, new upstream versions
2020-07-03 20:06:04 +02:00
.gitmodules
add submodule
2020-06-30 14:43:40 +00:00
create-schema.sql
new go version, new upstream versions
2020-07-03 20:06:04 +02:00
Dockerfile
adjust registry name
2020-06-30 14:49:32 +00:00
hints.txt
adjust readme for new plugin
2019-06-13 12:47:38 +02:00
LICENSE
adjust readme for new plugin
2019-06-13 12:47:38 +02:00
mosquitto-start.sh
persistence included
2019-06-13 17:21:40 +02:00
mosquitto.conf-sample
persistence included
2019-06-13 17:21:40 +02:00
readme.md
normalized schema
2019-10-10 09:40:24 +00:00
VERSION
forgotten version file
2019-06-11 15:52:59 +00:00

readme.md

Docker Image containing the Mosquitto MQTT Broker and the mosquitto-auth-plug

This project includes the mosquitto MQTT broker (https://github.com/eclipse/mosquitto, see also https://mosquitto.org/) and the mosquitto-go-auth (https://github.com/iegomez/mosquitto-go-auth forked into https://github.com/wollud1969/mosquitto-go-auth) as submodules.

Using Gitlab CI and a Dockerfile included in this project a Docker image based on Debian Linux is created.

Mosquitto MQTT Broker

The Mosquitto MQTT Broker in this Docker image is built beyond the default build configuration with websockets support.

mosquitto-go-auth

The mosquitto-go-auth supports a couple of backends and it seems that all backends will be built anyway. For me so far only the MariaDB/MySQL backend is in use and thus tested and documented here.

Running the container

The container exposed the ports 1883 (MQTT), 8883 (MQTT over SSL) and 9001 (MQTT over websockets). Only the configuration directory containing mosquitto.conf and friends is prepared as a volume.

All logging is send to stdout, so it can be inspected using docker logs -f <mosquitto-container>

To start the container a script is provided, which might need to adjusted to the actual environment:

#!/bin/bash

IMAGE=registry.gitlab.com/wolutator/mosquitto-with-auth:latest
VOLUME_CONFIG=mosquitto-config
VOLUME_DATA=mosquitto-data

docker volume inspect $VOLUME_CONFIG > /dev/null || docker volume create $VOLUME_CONFIG
docker volume inspect $VOLUME_DATA > /dev/null || docker volume create $VOLUME_DATA

docker pull $IMAGE

docker run \
    -d \
    --rm \
    -p1883:1883 \
    -p8883:8883 \
    -p9001:9001 \
    -v $VOLUME_CONFIG:/opt/etc/mosquitto \
    -v $VOLUME_DATA:/opt/data \
    --link mariadb \
    --name mosquitto \
    $IMAGE

The container expects the main configuration file in the root of the volume named mosquitto.conf.

A very simple configuration, only supporting MQTT on port 1883 is:

log_dest stdout

persistence true
persistence_location /opt/data/

listener 1883
protocol mqtt
#allow_anonymous true
allow_anonymous false

auth_plugin /opt/lib/go-auth.so
auth_opt_log_dest stdout
auth_opt_log_level debug
auth_opt_backends mysql
auth_opt_mysql_host mariadb
auth_opt_mysql_port 3306
auth_opt_mysql_dbname mosquittoauth
auth_opt_mysql_user mosquittoauth
auth_opt_mysql_password xxx
auth_opt_mysql_allow_native_passwords true
auth_opt_mysql_userquery SELECT pw FROM users WHERE username = ?
auth_opt_mysql_aclquery SELECT topic FROM acls WHERE username = ? AND (rw & ?) != 0

The original readme of the mosquitto-go-auth plugin proposes a different acl query. However, that one didn't work for me. Maybe the meaning of the access attribute handed over from mosquitto core to the plugin has been changed in between. Actually, it appears to me that the meaning of this attribute has to be interpreted bitwise: Bit0 (1) is read access, Bit1 (2) is write access (publish), Bit0 and Bit1 (3) is readwrite access and Bit2 (4) is subscribe access. Write access is obviously and verified be test publish and subscribe access is also obviously subscribe. Currently I don't know what is meant be read access. For this reason I'm using a bitwise operation in the acl query. I set the rw column for those users who should have read-only access to 5 (1&4), for users who should only publish to 2 and for those ones who should read and write to 7 (1&2&4).

The required schema in the database is

CREATE TABLE users_t (
    id INTEGER AUTO_INCREMENT,
    username VARCHAR(25) NOT NULL,
    pw VARCHAR(512) NOT NULL,
    super INT(1) NOT NULL DEFAULT 0,
    PRIMARY KEY (id)
);
CREATE UNIQUE INDEX users_username ON users_t (username);

CREATE OR REPLACE VIEW users AS
  SELECT username, pw, super
    FROM users_t;

CREATE TABLE acls_t (
    id INTEGER AUTO_INCREMENT,
    user INTEGER NOT NULL,
    topic VARCHAR(256) NOT NULL,
    rw INTEGER(1) NOT NULL DEFAULT 1,	-- 1 is read, 2 is write, 3 is readwrite, 4 is subscribe
    PRIMARY KEY (id),
    CONSTRAINT `fk_book_author`
      FOREIGN KEY (user) REFERENCES users_t (id)
      ON DELETE CASCADE
      ON UPDATE CASCADE
    );
CREATE UNIQUE INDEX acls_user_topic ON acls_t (user, topic);

CREATE OR REPLACE VIEW acls AS
  SELECT a.topic, a.rw,
	 u.username
    FROM users_t u, acls_t a
    WHERE a.user = u.id;

The password is generated using the pw tool provided by mosquitto-go-auth, which is included in the image at /opt/bin. It can be used either within the container using docker exec -it <mosquitto-container> /opt/bin/pw. You may also try to copy it from the container onto your Linux host. It should run, since it is only linked against typical Linux libraries, however, I wouldn't do that.

For further information consult the readme and the examples in the mosquitto-go-auth project (https://github.com/iegomez/mosquitto-go-auth or https://github.com/wollud1969/mosquitto-go-auth).

Description
No description provided
Readme 109 KiB
Languages
Python 56%
Shell 23.7%
Dockerfile 20.3%