Question around Auth : Handling user level acl with unique clientId


Sai Prakash Reddy

Jan 17, 2024, 10:14:21 AM
to vernemq-users
Hi,

I am trying to implement MQTT as an update pusher to my Android app. Our customer base is high, around 1M DAU. I am trying to find a secure way to productionize this.

1. I tried Auth with Postgres:

Issue: since each of the customers is going to have a unique client, prefilling the client ID into acl_table doesn't make sense to me while using this approach. (Each client would be subscribing to a pattern using the %c, for my approach.)

2. I implemented Auth with Files:

Issue: I don't see a straightforward way of being able to create multiple users.

Like, I would want to create users service_user, android_client, infra_user etc.

and add an ACL to each user defining the granularity of authorization.


Basically, how do I have an auth mechanism that supports unique client IDs and has different ACLs based on the user name?

Appreciate the help.

Thanks
Sai Prakash

André Fatton

Jan 18, 2024, 10:34:34 AM
to vernemq-users
Hi,
Thanks.
The MQTT spec recommends alignment of ClientID, Username, Password. This is exactly what the VerneMQ database auth plugins do.

See: https://docs.oasis-open.org/mqtt/mqtt/v5.0/os/mqtt-v5.0-os.html#_Toc3901267

"In particular, the implementation should check that the Client is authorized to use the Client Identifier as this gives access to the MQTT Session State (described in section 4.1). This authorization check is to protect against the case where one Client, accidentally or maliciously, provides a Client Identifier that is already being used by some other Client."
Please do some research on this and only decide to lower security (by ignoring ClientIDs) after the implications are clear. (Technically you could "ignore" the ClientIDs by editing the DB Lua scripts.)

With kind regards,
André

Sai Prakash Reddy

Jan 18, 2024, 1:27:29 PM
to André Fatton, vernemq-users
Hi André

Thanks for the info.

One more question: is this a general use case, to create more than one user while using the auth with files?

Vmq_auth seems to override the vmq.passwd file every time I try to create multiple users. Documentation mostly covers single user and anonymous user.

Is there a way to create multiple users in the open source build? (I am new to Erlang and barely understand the internals, but I am working on it.)


André Fatton

Jan 18, 2024, 3:12:30 PM
to vernemq-users
Hi,

(Don't use the '-c' or '-cf' options when you want to add more users to an existing pw file.)
A.



Sai Prakash Reddy

Jan 19, 2024, 4:23:07 AM
to André Fatton, vernemq-users
This helped.

vmq-passwd [-c | -D] passwordfile username
vmq-passwd -U passwordfile

This part of the documentation tricked me; it doesn't specify that the empty flag is an option. I'll probably contribute this piece into the documentation to make it clearer for starters like me.

Thanks André
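The thread asks two things: how to give each named user (service_user, android_client, infra_user) its own ACL while every Android device connects with a unique client ID, and how to get more than one user into vmq.passwd. The following is an added example, not code from the thread or from VerneMQ. It embeds a constructed vmq.acl in VerneMQ's file-based ACL syntax (global `topic` lines, `user` sections, and `pattern` lines where %u and %c are substituted with the username and client ID) and a small evaluator, written here as a simplified model of how such a file is applied, so the per-user, per-client scoping can be checked before the file is deployed. The user names are the ones from the first post; the topic layout (updates/<clientid>, telemetry/<clientid>, broadcast/...) and the client IDs are assumptions.

```python
# Constructed vmq.acl (not from the thread). One "user" section per
# principal; the android_client section uses %c so each device only ever
# reaches topics under its own client ID, instead of prefilling one ACL
# row per device.
ACL_FILE = """\
# global rules: every authenticated user may read the broadcast channel
topic read broadcast/announcements

user android_client
# each device reads only its own update feed and writes only its own telemetry
pattern read updates/%c
pattern write telemetry/%c

user service_user
# the backend pushes updates to any device and reads all telemetry
topic write updates/#
topic read telemetry/#

user infra_user
topic read $SYS/#
"""


def parse_acl(text):
    """Return (global_rules, {username: rules}).

    A rule is (access, topic, is_pattern); access is 'read', 'write' or
    'readwrite' (a topic/pattern line with no explicit access).
    Rules before the first 'user' line are global. Simplified model, not
    VerneMQ's own parser.
    """
    global_rules, per_user, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "user":
            current = parts[1]
            per_user.setdefault(current, [])
            continue
        if parts[0] not in ("topic", "pattern"):
            raise ValueError(f"unknown directive: {line}")
        is_pattern = parts[0] == "pattern"
        if len(parts) == 3 and parts[1] in ("read", "write"):
            access, topic = parts[1], parts[2]
        elif len(parts) == 2:
            access, topic = "readwrite", parts[1]
        else:
            raise ValueError(f"malformed line: {line}")
        target = per_user[current] if current else global_rules
        target.append((access, topic, is_pattern))
    return global_rules, per_user


def topic_matches(filter_, topic):
    """MQTT topic-filter match: '+' matches one level, trailing '#' any levels."""
    f, t = filter_.split("/"), topic.split("/")
    for i, part in enumerate(f):
        if part == "#":
            return i == len(f) - 1
        if i >= len(t) or (part != "+" and part != t[i]):
            return False
    return len(f) == len(t)


def is_allowed(acl, username, client_id, access, topic):
    """True if any global or per-user rule grants `access` on `topic`.

    %u / %c in pattern rules are substituted with the presented username
    and client ID, so a device with client ID dev-42 can read updates/dev-42
    but not updates/dev-43.
    """
    global_rules, per_user = acl
    for rule_access, rule_topic, is_pattern in global_rules + per_user.get(username, []):
        if rule_access not in (access, "readwrite"):
            continue
        if is_pattern:
            rule_topic = rule_topic.replace("%u", username).replace("%c", client_id)
        if topic_matches(rule_topic, topic):
            return True
    return False


if __name__ == "__main__":
    acl = parse_acl(ACL_FILE)
    checks = [
        ("android_client", "dev-42", "read", "updates/dev-42"),
        ("android_client", "dev-42", "read", "updates/dev-43"),
        ("service_user", "backend-1", "write", "updates/dev-43"),
    ]
    for who, cid, access, topic in checks:
        print(f"{who}/{cid} {access} {topic}: {is_allowed(acl, who, cid, access, topic)}")
```

The password side follows André's reply: create the file once with `vmq-passwd -c vmq.passwd service_user`, then add the other users with `vmq-passwd vmq.passwd android_client` and `vmq-passwd vmq.passwd infra_user`, without `-c`, since `-c` creates (and so overwrites) the file. One caveat from the spec quote earlier in the thread: a %c pattern only scopes a device to whatever client ID it presents; the file-based plugin does not bind that client ID to the credentials the way the database auth does, so a device that knows another device's ID can still claim it. That is the trade-off André is pointing at.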
