Security
Authentication
Authentication is the process of verifying the identity of a client. It is an essential part of most applications and helps protect services from unauthorized client connections.
Authentication Mechanism
YedMQ supports password authentication.
Password Authentication
YedMQ supports the most widely used form of password authentication, which requires the client to provide credentials such as a username and the corresponding password.
YedMQ provides built-in plugins that integrate with various backend databases for password authentication.
Authorization
Authorization refers to the permission control over the publish/subscribe operations of MQTT clients. When a client performs a publish or subscribe operation, YedMQ follows a specific procedure to query the client's permission list from the data source.
YedMQ provides built-in plugins that integrate with various backend databases for authorization.
Plugins
MySQL_ACL
MySQL_ACL queries the authorization result from a MySQL database.
MySQL Table
SQL:
CREATE TABLE users (
id INT PRIMARY KEY,
username VARCHAR(100) NOT NULL,
password VARCHAR(500) NOT NULL,
tenant VARCHAR(100) NOT NULL
);
CREATE INDEX idx_users_username_tenant ON users (username, tenant);
CREATE TABLE acls (
id INT PRIMARY KEY,
username VARCHAR(100) NOT NULL,
tenant VARCHAR(100) NOT NULL,
topic VARCHAR(255) NOT NULL,
action VARCHAR(100) NOT NULL,
result VARCHAR(100) NOT NULL
);
CREATE INDEX idx_acls_username ON acls (username);
CREATE INDEX idx_acls_topic ON acls (topic);
Table users:
- username: the username the MQTT client provides.
- password: the password the MQTT client provides.
- tenant: tenant id.
Table acls:
- username: the username the MQTT client provides.
- tenant: tenant id.
- topic: the topic the operation targets.
- action: the MQTT client operation, publish or subscribe.
- result: the decision for that action, allow or deny.
PostgreSQL_ACL
PostgreSQL_ACL queries the authorization result from a PostgreSQL database.
PostgreSQL Table
SQL:
CREATE TABLE users (
id SERIAL PRIMARY KEY,
username VARCHAR(100) NOT NULL,
password VARCHAR(500) NOT NULL,
tenant VARCHAR(100) NOT NULL
);
CREATE INDEX idx_users_username_tenant ON users (username, tenant);
CREATE TABLE acls (
id SERIAL PRIMARY KEY,
username VARCHAR(100) NOT NULL,
tenant VARCHAR(100) NOT NULL,
topic VARCHAR(255) NOT NULL,
action VARCHAR(100) NOT NULL,
result VARCHAR(100) NOT NULL
);
CREATE INDEX idx_acls_username ON acls (username);
CREATE INDEX idx_acls_topic ON acls (topic);
Table users:
- username: the username the MQTT client provides.
- password: the password the MQTT client provides.
- tenant: tenant id.
Table acls:
- username: the username the MQTT client provides.
- tenant: tenant id.
- topic: the topic the operation targets.
- action: the MQTT client operation, publish or subscribe.
- result: the decision for that action, allow or deny.
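The MySQL_ACL and PostgreSQL_ACL tables above have the same layout, so one added example serves both sections. It is not YedMQ's own code: it loads the page's MySQL_ACL schema into an in-memory SQLite database (SQLite stands in for MySQL/PostgreSQL so the example runs offline, an assumption), seeds constructed sample rows, and shows the two lookups a broker performs, the credential check keyed by (username, tenant) and the ACL check keyed by (username, tenant, topic, action). Username, password and topic arrive from the client's CONNECT/PUBLISH/SUBSCRIBE packets, so both queries bind them as parameters rather than interpolating them into the SQL text. The merge rule for several matching ACL rows and the default for no matching row are assumptions the page does not specify.

```python
import sqlite3

# Added example (not YedMQ code). The DDL is the page's MySQL_ACL schema verbatim;
# SQLite stands in for MySQL/PostgreSQL so the example runs offline (assumption).
SCHEMA = """
CREATE TABLE users (
  id INT PRIMARY KEY,
  username VARCHAR(100) NOT NULL,
  password VARCHAR(500) NOT NULL,
  tenant VARCHAR(100) NOT NULL
);
CREATE INDEX idx_users_username_tenant ON users (username, tenant);
CREATE TABLE acls (
  id INT PRIMARY KEY,
  username VARCHAR(100) NOT NULL,
  tenant VARCHAR(100) NOT NULL,
  topic VARCHAR(255) NOT NULL,
  action VARCHAR(100) NOT NULL,
  result VARCHAR(100) NOT NULL
);
CREATE INDEX idx_acls_username ON acls (username);
CREATE INDEX idx_acls_topic ON acls (topic);
"""

# Constructed sample rows, not from the page. The page describes the password column
# as the password the client provides, so this sample mirrors that layout; a
# production deployment should store a password hash instead of the plaintext value.
SAMPLE_USERS = [
    (1, "user_1", "123456", "tenant_1"),
    (2, "user_2", "s3cret", "tenant_2"),
]
SAMPLE_ACLS = [
    (1, "user_1", "tenant_1", "/a/b", "publish", "allow"),
    (2, "user_1", "tenant_1", "/a/b", "subscribe", "allow"),
    (3, "user_1", "tenant_1", "/admin/cmd", "subscribe", "deny"),
    (4, "user_2", "tenant_2", "/a/b", "subscribe", "allow"),
]


def open_db() -> sqlite3.Connection:
    """Create an in-memory database with the page's schema and the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO acls VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ACLS)
    conn.commit()
    return conn


def authenticate(conn: sqlite3.Connection, username: str, password: str, tenant: str) -> bool:
    """Password authentication lookup keyed by (username, tenant), the indexed pair.

    All three values are client-supplied, so they are bound as parameters; a username
    such as "user_1' OR '1'='1" is compared literally and never alters the query."""
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ? AND password = ? AND tenant = ?",
        (username, password, tenant),
    ).fetchone()
    return row is not None


def authorize(conn: sqlite3.Connection, username: str, tenant: str, topic: str, action: str) -> bool:
    """ACL lookup for one publish/subscribe operation.

    Assumptions (not stated on the page): no matching row means deny, and when
    several rows match, a single 'deny' outweighs any 'allow'."""
    rows = conn.execute(
        "SELECT result FROM acls "
        "WHERE username = ? AND tenant = ? AND topic = ? AND action = ?",
        (username, tenant, topic, action),
    ).fetchall()
    if not rows:
        return False
    return all(result == "allow" for (result,) in rows)


if __name__ == "__main__":
    db = open_db()
    print("login user_1/tenant_1:", authenticate(db, "user_1", "123456", "tenant_1"))
    print("user_1 publish /a/b:", authorize(db, "user_1", "tenant_1", "/a/b", "publish"))
    print("user_1 subscribe /admin/cmd:", authorize(db, "user_1", "tenant_1", "/admin/cmd", "subscribe"))
```

Because the tenant is part of both lookups, a valid username/password pair presented under a different tenant id is rejected, and an ACL row for one tenant never grants access to a client of another.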
Redis_ACL
Redis_ACL performs authentication and authorization by querying Redis.
Add a New User
HSET mqtt_user:{username} password {password} tenant_id {tenant_id}
Example: Allow user user_1 to log in with the password 123456 and set the tenant ID to tenant_1.
HSET mqtt_user:user_1 password 123456 tenant_id tenant_1
Add Subscription and Publish Permissions
YedMQ determines the final result based on the username and topic. The value stored for each topic is a JSON string containing an action attribute.
HSET mqtt_acl:{username} {topic} '{"action": "subscribe"}'
- action: the permitted client action, which can be publish, subscribe, or all.
Example: Allow user user_1 to both subscribe and publish on the topic /a/b.
HSET mqtt_acl:user_1 /a/b '{"action": "all"}'
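The following added example (not YedMQ's code) shows the two Redis hashes above being written and then consulted for a connection and for a publish/subscribe decision. To keep it runnable offline, a small in-memory class with the same hset/hget call shape as a redis-py client stands in for Redis (assumption; a real deployment would pass a redis.Redis client instead). The password comparison uses a constant-time compare, and an entry whose topic field is missing or holds malformed JSON is treated as a deny; the page does not state how YedMQ handles those cases, so both are assumptions.

```python
import hmac
import json

VALID_ACTIONS = {"publish", "subscribe", "all"}  # values the page lists for "action"


class FakeRedis:
    """Minimal in-memory stand-in for a redis-py client (assumption: only the two hash
    commands used on the page are needed). redis.Redis(decode_responses=True) exposes
    hset/hget with the same call shape, so it can be substituted for a real server."""

    def __init__(self):
        self._hashes = {}

    def hset(self, name, key=None, value=None, mapping=None):
        h = self._hashes.setdefault(name, {})
        fields = dict(mapping or {})
        if key is not None:
            fields[key] = value
        added = sum(1 for k in fields if k not in h)
        h.update({k: str(v) for k, v in fields.items()})
        return added

    def hget(self, name, key):
        return self._hashes.get(name, {}).get(key)


def add_user(r, username, password, tenant_id):
    # HSET mqtt_user:{username} password {password} tenant_id {tenant_id}
    r.hset(f"mqtt_user:{username}", mapping={"password": password, "tenant_id": tenant_id})


def add_acl(r, username, topic, action):
    # HSET mqtt_acl:{username} {topic} '{"action": "..."}'
    if action not in VALID_ACTIONS:
        raise ValueError(f"action must be one of {sorted(VALID_ACTIONS)}")
    r.hset(f"mqtt_acl:{username}", topic, json.dumps({"action": action}))


def authenticate(r, username, password):
    """Compare the client-supplied password with the stored one in constant time.
    An unknown username yields None from HGET and is rejected like a bad password."""
    stored = r.hget(f"mqtt_user:{username}", "password")
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))


def authorize(r, username, topic, action):
    """Decide one operation; action is 'publish' or 'subscribe'.
    Assumptions: the topic field must match exactly (no MQTT wildcard expansion),
    and a missing or malformed entry is a deny."""
    raw = r.hget(f"mqtt_acl:{username}", topic)
    if raw is None:
        return False
    try:
        granted = json.loads(raw).get("action")
    except (ValueError, AttributeError):
        return False
    return granted == "all" or granted == action


def build_sample():
    """Constructed sample data: the page's user_1 example plus a subscribe-only topic."""
    r = FakeRedis()
    add_user(r, "user_1", "123456", "tenant_1")
    add_acl(r, "user_1", "/a/b", "all")
    add_acl(r, "user_1", "/sensors/temp", "subscribe")
    return r


if __name__ == "__main__":
    r = build_sample()
    print("login:", authenticate(r, "user_1", "123456"))
    print("publish /a/b:", authorize(r, "user_1", "/a/b", "publish"))
    print("publish /sensors/temp:", authorize(r, "user_1", "/sensors/temp", "publish"))
```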
File_ACL
File_ACL queries the authorization result from a file on the local file system.
JSON file:
[{
"tenant": ["t1","t2"],
"action": "allow",
"username": ["%"],
"ipaddr": ["%"],
"subscribe": ["%"],
"publish": ["%"]
}]
- tenant: tenant id array
- action: action allow / deny
- username: username array; % represents anonymous.
- ipaddr: IP address array; % represents any IP address.
- subscribe: subscribe topic array
- publish: publish topic array
Example: According to the JSON file above, the system allows an MQTT client that belongs to tenant t1 or t2, connecting from any IP address, to publish or subscribe to all topics.
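As an added example that is not YedMQ's own code, the evaluator below reads a rule list in the JSON layout shown above and decides one publish or subscribe operation. The embedded rule file is constructed for the example: it contains the page's allow rule for t1 and t2 plus a deny rule placed ahead of it. The page does not define how rules are combined, so the example assumes rules are tried in file order with the first match deciding, that a % entry matches any value of that field (including, for username, any or anonymous client), that other entries must match exactly (no MQTT + or # wildcard expansion), that an empty subscribe or publish list matches no topic for that operation, and that a client matched by no rule is denied.

```python
import json

# Constructed rule file (not from the page). Rule 1 is added to show a deny rule;
# rule 2 is the page's example rule.
ACL_JSON = """
[
  {"tenant": ["t1"], "action": "deny", "username": ["%"], "ipaddr": ["%"],
   "subscribe": [], "publish": ["admin/cmd"]},
  {"tenant": ["t1", "t2"], "action": "allow", "username": ["%"], "ipaddr": ["%"],
   "subscribe": ["%"], "publish": ["%"]}
]
"""

REQUIRED_KEYS = ("tenant", "action", "username", "ipaddr", "subscribe", "publish")


def load_rules(text):
    """Parse the JSON rule list and reject rules with missing keys or a bad action,
    so a malformed file fails at load time rather than silently matching nothing."""
    rules = json.loads(text)
    if not isinstance(rules, list):
        raise ValueError("ACL file must be a JSON array of rules")
    for i, rule in enumerate(rules):
        missing = [k for k in REQUIRED_KEYS if k not in rule]
        if missing:
            raise ValueError(f"rule {i} is missing keys: {missing}")
        if rule["action"] not in ("allow", "deny"):
            raise ValueError(f"rule {i}: action must be allow or deny")
    return rules


def _matches(patterns, value):
    """% matches any value; anything else must match exactly (assumption)."""
    return any(p == "%" or p == value for p in patterns)


def authorize(rules, tenant, username, ipaddr, operation, topic):
    """First matching rule wins; no matching rule means deny (assumptions)."""
    if operation not in ("publish", "subscribe"):
        raise ValueError("operation must be publish or subscribe")
    for rule in rules:
        if not _matches(rule["tenant"], tenant):
            continue
        if not _matches(rule["username"], username):
            continue
        if not _matches(rule["ipaddr"], ipaddr):
            continue
        # Only the topic list for the attempted operation is consulted; an empty
        # list means the rule says nothing about that operation.
        if not _matches(rule[operation], topic):
            continue
        return rule["action"] == "allow"
    return False


if __name__ == "__main__":
    rules = load_rules(ACL_JSON)
    print("t1 subscribe sensors/temp:", authorize(rules, "t1", "alice", "10.0.0.5", "subscribe", "sensors/temp"))
    print("t1 publish admin/cmd:", authorize(rules, "t1", "alice", "10.0.0.5", "publish", "admin/cmd"))
    print("t3 subscribe sensors/temp:", authorize(rules, "t3", "alice", "10.0.0.5", "subscribe", "sensors/temp"))
```

Because evaluation stops at the first match, a deny rule must precede the broad allow rule it is meant to carve an exception from; placed after it, it would never be reached.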