emqtt / EMQ username and password authentication


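MQTT authentication settings

Authentication in the EMQ message broker is provided by a set of authentication plugins. The broker can authenticate by username and password, by ClientID, or anonymously.

Anonymous authentication is enabled by default. Loading authentication plugins enables multiple authentication modules, which together form an authentication chain: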

           -----------------           -----------------           -------------
Client --> | Username auth | -ignore-> | ClientID auth | -ignore-> | Anonymous |
           -----------------           -----------------           -------------
                   |                           |                         |
                  \|/                         \|/                       \|/
             allow | deny                allow | deny              allow | deny

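Note

The EMQ 2.0 message broker also provides MySQL, PostgreSQL, Redis, MongoDB, HTTP and LDAP authentication plugins.

Enabling anonymous authentication

Anonymous authentication is enabled in etc/emq.conf. While it is on, a client that every loaded plugin ignores is still accepted by the anonymous module at the end of the chain: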

## Allow Anonymous authentication
mqtt.allow_anonymous = true 

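The authentication plugins provided with EMQ 2.0 are:

Plugin              Description
emq_auth_clientid   ClientId authentication/authorization plugin
emq_auth_username   Username and password authentication/authorization plugin
emq_auth_ldap       LDAP authentication/authorization plugin
emq_auth_http       HTTP authentication/authorization plugin
emq_auth_mysql      MySQL authentication/authorization plugin
emq_auth_pgsql      PostgreSQL authentication/authorization plugin
emq_auth_redis      Redis authentication/authorization plugin
emq_auth_mongo      MongoDB authentication/authorization plugin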

Username and password authentication

Authenticates clients by the MQTT login username and password.

Configure the default users in etc/plugins/emq_auth_username.conf:

auth.user.$N.username = admin
auth.user.$N.password = public

Enable the emq_auth_username plugin:

./bin/emqttd_ctl plugins load emq_auth_username

Add users with the ./bin/emqttd_ctl users command:

$ ./bin/emqttd_ctl users add <Username> <Password>

ClientId authentication

Authenticates clients by the MQTT client ID.

etc/plugins/emq_auth_clientid.conf:

auth.client.$N.clientid = clientid
auth.client.$N.password = passwd

Enable the emq_auth_clientid plugin:

./bin/emqttd_ctl plugins load emq_auth_clientid

LDAP plugin authentication

Configure the LDAP parameters in etc/plugins/emq_auth_ldap.conf:

auth.ldap.servers = 127.0.0.1
auth.ldap.port = 389
auth.ldap.timeout = 30
auth.ldap.user_dn = uid=%u,ou=People,dc=example,dc=com
auth.ldap.ssl = false

Enable the LDAP authentication plugin:

./bin/emqttd_ctl plugins load emq_auth_ldap 

HTTP plugin authentication

Note

Once the HTTP authentication plugin is enabled, it terminates the authentication chain.

Configure 'super_req' and 'auth_req' in etc/plugins/emq_auth_http.conf:

## Variables: %u = username, %c = clientid, %a = ipaddress, %P = password, %t = topic

auth.http.auth_req = http://127.0.0.1:8080/mqtt/auth
auth.http.auth_req.method = post
auth.http.auth_req.params = clientid=%c,username=%u,password=%P

auth.http.super_req = http://127.0.0.1:8080/mqtt/superuser
auth.http.super_req.method = post
auth.http.super_req.params = clientid=%c,username=%u

Enable the HTTP authentication plugin:

./bin/emqttd_ctl plugins load emq_auth_http 
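
A minimal service for the two URLs configured above, added here as an example (it is not code from EMQ or from the original article). It assumes the plugin sends the configured params as a form-encoded POST body and treats HTTP 200 as allow and any other status as deny; the accounts are constructed samples.

```python
import hashlib
import hmac
import os
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _user(password: str, superuser: bool):
    salt = os.urandom(16)
    return salt, _kdf(password, salt), superuser

# Constructed sample accounts; a real service would read them from its own store.
USERS = {"ops": _user("ops-sample-pass", True),
         "sensor1": _user("sensor-sample-pass", False)}
_DUMMY = _user("unused", False)  # unknown users cost the same as known ones

def decide(path: str, form: dict) -> int:
    """Status for one plugin request. Assumed convention: 200 allows, else deny."""
    name = form.get("username", "")
    salt, key, superuser = USERS.get(name, _DUMMY)
    if path == "/mqtt/auth":
        ok = hmac.compare_digest(_kdf(form.get("password", ""), salt), key)
        return 200 if ok and name in USERS else 401
    if path == "/mqtt/superuser":
        # super_req carries no password, so keep this endpoint on loopback.
        return 200 if superuser and name in USERS else 401
    return 404

class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode("utf-8", "replace")
        # clientid=%c,username=%u,password=%P arrive as form fields (assumption).
        form = {k: v[0] for k, v in parse_qs(body).items()}
        self.send_response(decide(self.path, form))
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```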

MySQL plugin authentication

Authenticates against a MySQL database table. A 'mqtt_user' table can be created as follows:

CREATE TABLE `mqtt_user` (
  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
  `username` varchar(100) DEFAULT NULL,
  `password` varchar(100) DEFAULT NULL,
  `salt` varchar(20) DEFAULT NULL,
  `is_superuser` tinyint(1) DEFAULT 0,
  `created` datetime DEFAULT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `mqtt_username` (`username`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;

Configure 'super_query', 'auth_query' and 'password_hash' in etc/plugins/emq_auth_mysql.conf:

## Mysql Server
auth.mysql.server = 127.0.0.1:3306

## Mysql Pool Size
auth.mysql.pool = 8

## Mysql Username
## auth.mysql.username =

## Mysql Password
## auth.mysql.password =

## Mysql Database
auth.mysql.database = mqtt

## Variables: %u = username, %c = clientid

## Authentication Query: select password only
auth.mysql.auth_query = select password from mqtt_user where username = '%u' limit 1

## Password hash: plain, md5, sha, sha256, pbkdf2
auth.mysql.password_hash = sha256

## %% Superuser Query
auth.mysql.super_query = select is_superuser from mqtt_user where username = '%u' limit 1

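Note

If the system already has an MQTT authentication table, it can be integrated by configuring the 'auth_query' statement.

Enable the MySQL authentication plugin: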

./bin/emqttd_ctl plugins load emq_auth_mysql 

PostgreSQL plugin authentication

Authenticates against a PostgreSQL database table. A 'mqtt_user' table can be created as follows:

CREATE TABLE mqtt_user (
  id SERIAL primary key,
  is_superuser boolean,
  username character varying(100),
  password character varying(100),
  salt character varying(40)
);

Configure 'auth_query' and 'password_hash' in etc/plugins/emq_auth_pgsql.conf:

## Postgre Server
auth.pgsql.server = 127.0.0.1:5432
auth.pgsql.pool = 8
auth.pgsql.username = root
#auth.pgsql.password =
auth.pgsql.database = mqtt
auth.pgsql.encoding = utf8
auth.pgsql.ssl = false

## Variables: %u = username, %c = clientid, %a = ipaddress

## Authentication Query: select password only
auth.pgsql.auth_query = select password from mqtt_user where username = '%u' limit 1

## Password hash: plain, md5, sha, sha256, pbkdf2
auth.pgsql.password_hash = sha256

## sha256 with salt prefix
## auth.pgsql.password_hash = salt sha256

## sha256 with salt suffix
## auth.pgsql.password_hash = sha256 salt

## Superuser Query
auth.pgsql.super_query = select is_superuser from mqtt_user where username = '%u' limit 1

Enable the PostgreSQL authentication plugin:

./bin/emqttd_ctl plugins load emq_auth_pgsql
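
The password_hash modes in the MySQL and PostgreSQL sections decide what must be stored in mqtt_user.password. The following sketch, added here as an example (not code from EMQ or the original article), computes that value for the plain, md5, sha and sha256 modes with the salt prefix and suffix forms. It assumes that "sha" means SHA-1, that digests are stored as lowercase hex and that the salt is concatenated directly with the password; pbkdf2 is left out because the page gives no parameters for it.

```python
import hashlib
import hmac

# Assumptions (not stated on the page): "sha" is SHA-1, digests are stored as
# lowercase hex, and the salt is concatenated directly with the password.
DIGESTS = {"md5": hashlib.md5, "sha": hashlib.sha1, "sha256": hashlib.sha256}

def stored_password(password: str, mode: str = "sha256", salt: str = "") -> str:
    """Value to store in mqtt_user.password for a given password_hash mode."""
    tokens = mode.split()
    if tokens == ["plain"]:
        return password
    algos = [t for t in tokens if t != "salt"]
    if len(algos) != 1 or algos[0] not in DIGESTS or len(tokens) > 2:
        raise ValueError(f"unsupported password_hash mode: {mode!r}")
    if tokens[0] == "salt":        # "salt sha256": salt prefix
        data = salt + password
    elif tokens[-1] == "salt":     # "sha256 salt": salt suffix
        data = password + salt
    else:                          # "sha256": no salt
        data = password
    return DIGESTS[algos[0]](data.encode("utf-8")).hexdigest()

def matches(stored: str, password: str, mode: str, salt: str = "") -> bool:
    """Constant-time comparison of a login password with the stored value."""
    candidate = stored_password(password, mode, salt)
    return hmac.compare_digest(candidate.encode(), stored.encode())

if __name__ == "__main__":
    # Constructed sample values; generate a real salt with secrets.token_hex().
    sample_salt = "9f1c2ab4"
    for m in ("sha256", "salt sha256", "sha256 salt"):
        print(f"{m:12} {stored_password('sample-pass', m, sample_salt)}")
```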

Redis plugin authentication

Redis authentication. MQTT user records are stored in a Redis hash under the key "mqtt_user:<Username>".

Set 'super_cmd', 'auth_cmd' and 'password_hash' in etc/plugins/emq_auth_redis.conf:

## Redis Server
auth.redis.server = 127.0.0.1:6379

## Redis Pool Size
auth.redis.pool = 8

## Redis Database
auth.redis.database = 0

## Redis Password
## auth.redis.password =

## Variables: %u = username, %c = clientid

## Authentication Query Command
auth.redis.auth_cmd = HGET mqtt_user:%u password

## Password hash: plain, md5, sha, sha256, pbkdf2
auth.redis.password_hash = sha256

## Superuser Query Command
auth.redis.super_cmd = HGET mqtt_user:%u is_superuser

Enable the Redis authentication plugin:

./bin/emqttd_ctl plugins load emq_auth_redis

MongoDB plugin authentication

Authenticates against a MongoDB user collection. For example, create a 'mqtt_user' collection:

{
    username: "user",
    password: "password hash",
    is_superuser: boolean (true, false),
    created: "datetime"
}

Set 'super_query' and 'auth_query' in etc/plugins/emq_auth_mongo.conf:

## Mongo Server
auth.mongo.server = 127.0.0.1:27017

## Mongo Pool Size
auth.mongo.pool = 8

## Mongo User
## auth.mongo.user =

## Mongo Password
## auth.mongo.password =

## Mongo Database
auth.mongo.database = mqtt

## auth_query
auth.mongo.auth_query.collection = mqtt_user
auth.mongo.auth_query.password_field = password
auth.mongo.auth_query.password_hash = sha256
auth.mongo.auth_query.selector = username=%u

## super_query
auth.mongo.super_query.collection = mqtt_user
auth.mongo.super_query.super_field = is_superuser
auth.mongo.super_query.selector = username=%u

Enable the MongoDB authentication plugin:

./bin/emqttd_ctl plugins load emq_auth_mongo
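
A configuration check over the settings shown on this page, added here as an example (not part of EMQ or the original article). The sample text is constructed from the listings above, and which values count as findings is this example's own judgement.

```python
import re

# Constructed sample, assembled from settings shown in the listings on this page.
SAMPLE = """\
mqtt.allow_anonymous = true
auth.user.1.username = admin
auth.user.1.password = public
auth.ldap.ssl = false
## auth.pgsql.password_hash = salt sha256
auth.pgsql.password_hash = sha256
auth.mysql.password_hash = md5
auth.http.auth_req = http://127.0.0.1:8080/mqtt/auth
"""
LOOPBACK = re.compile(r"http://(127\.0\.0\.1|localhost)([:/]|$)")

def parse_conf(text):
    """Parse 'key = value' lines, skipping blank lines and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(conf):
    """Return (key, finding) pairs, sorted by key, for weak auth settings."""
    findings = []
    for key, value in sorted(conf.items()):
        if key == "mqtt.allow_anonymous" and value == "true":
            findings.append((key, "anonymous clients are accepted"))
        elif re.fullmatch(r"auth\.user\.[^.]+\.password", key) and value == "public":
            findings.append((key, "sample password from the documentation"))
        elif key.endswith("password_hash") and set(value.split()) & {"plain", "md5", "sha"}:
            findings.append((key, "plaintext or fast, outdated password hash"))
        elif key.endswith(".ssl") and value == "false":
            findings.append((key, "backend connection is not encrypted"))
        elif key.endswith("_req") and value.startswith("http://") \
                and not LOOPBACK.match(value):
            findings.append((key, "credentials sent over plain HTTP off-host"))
    return findings

if __name__ == "__main__":
    for key, finding in audit(parse_conf(SAMPLE)):
        print(f"{key}: {finding}")
```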

