Security

YedMQ provides a multi-layered security architecture to ensure the safety of message transmission, client access, and system management.

Transport Security (TLS/SSL)

YedMQ supports encrypted connections to prevent eavesdropping and man-in-the-middle attacks.

MQTT over TLS

You can enable secure MQTT connections (default port 8883) by configuring the [listener.tcp_tls] table in yedmq.toml:

[listener.tcp_tls]
external = "0.0.0.0:8883"
cert_file = "/path/to/cert.pem"
key_file = "/path/to/key.pem"

MQTT over WSS

For web applications, YedMQ supports secure WebSockets (default port 8084) through the [listener.wss] table:

[listener.wss]
external = "0.0.0.0:8084"
cert_file = "/path/to/cert.pem"
key_file = "/path/to/key.pem"

Authentication and Authorization

YedMQ uses a flexible plugin-based system for authentication and authorization.

Default Policies

If no security plugins are loaded, or if a plugin does not explicitly handle a request, YedMQ follows the default policies defined in yedmq.toml:

[mqtt]
default_authentication = "allow" # Options: "allow", "deny"
default_authorization = "allow" # Options: "allow", "deny"

  • allow: Access is permitted by default.
  • deny: Access is rejected unless specifically allowed by a plugin.

With both values left at "allow", a broker that has no security plugin loaded accepts any client and permits any publish or subscribe; set them to "deny" when you want plugins to be the only path to access.

Plugin-based Authentication

The authentication process verifies the identity of a client during the connection phase. A security plugin can intercept the connection request and validate:

  • Username and Password
  • Client ID
  • Client Certificate
  • IP Address

Once authenticated, the plugin can also assign the client to a specific Tenant ID, ensuring data isolation.

Plugin-based Authorization (ACL)

Authorization controls what actions an authenticated client can perform. YedMQ supports Access Control Lists (ACL) via plugins for:

  • Publish: Permission to send messages to a specific topic.
  • Subscribe: Permission to receive messages from a specific topic.

Plugins can implement complex logic, such as querying databases (MySQL, PostgreSQL, Redis) or checking local policy files to determine permissions.

Management API Security

The YedMQ REST API is protected by Basic Authentication. You must define authorized users in yedmq.toml before management features can be accessed:

[listener.api.auth]
users = [
{ username = "admin", password = "your_secure_password" }
]

All requests to the /api/v1/ endpoints must include an Authorization header carrying valid credentials for one of these users.
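The three configuration areas above (default policies, TLS listeners and API users) are where a misconfiguration is most likely to leave a broker open. The following audit script is an added example, not part of YedMQ; it checks only the keys documented on this page, and the sample configuration, the 12-character minimum and the placeholder-password check are assumptions of the example rather than YedMQ rules.

```python
"""Audit a parsed yedmq.toml for the weak settings documented on this page."""
from typing import Any

# Constructed sample that mirrors the page's own snippets: permissive
# default policies, the placeholder API password, and no TLS listener.
SAMPLE_CONFIG: dict[str, Any] = {
    "mqtt": {"default_authentication": "allow", "default_authorization": "allow"},
    "listener": {
        "api": {"auth": {"users": [{"username": "admin", "password": "your_secure_password"}]}},
    },
}

TLS_LISTENERS = ("tcp_tls", "wss")  # the TLS listener tables documented above
MIN_PASSWORD_LEN = 12  # assumption: local policy, not a YedMQ requirement


def audit_config(cfg: dict[str, Any]) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: list[str] = []
    mqtt = cfg.get("mqtt", {})
    for key in ("default_authentication", "default_authorization"):
        if mqtt.get(key) == "allow":
            findings.append(f'mqtt.{key} = "allow": requests no plugin handles are accepted')

    listeners = cfg.get("listener", {})
    tls_present = [name for name in TLS_LISTENERS if name in listeners]
    if not tls_present:
        findings.append("no TLS listener ([listener.tcp_tls] or [listener.wss]) configured")
    for name in tls_present:  # a TLS listener without cert/key cannot serve TLS
        for field in ("cert_file", "key_file"):
            if not listeners[name].get(field):
                findings.append(f"listener.{name}.{field} is missing")

    users = listeners.get("api", {}).get("auth", {}).get("users", [])
    if not users:
        findings.append("listener.api.auth.users is empty: management API has no credentials")
    for user in users:
        pw = user.get("password", "")
        if pw == "your_secure_password" or len(pw) < MIN_PASSWORD_LEN:
            findings.append(f"weak or placeholder password for API user {user.get('username')!r}")
    return findings


def load_config(path: str) -> dict[str, Any]:
    """Parse a real yedmq.toml from disk (tomllib needs Python 3.11 or newer)."""
    import tomllib
    with open(path, "rb") as fh:
        return tomllib.load(fh)


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against a real file with `audit_config(load_config("yedmq.toml"))`; the sample above produces four findings.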

Tenant Isolation

Security in YedMQ is deeply integrated with its multi-tenancy architecture. Each tenant is a completely isolated environment:

  • Clients from different tenants cannot communicate.
  • Topics are namespaced per tenant.
  • A security breach in one tenant does not affect the data integrity of others.

For more details on how to configure tenants, see the Multiple Tenant documentation.