https://www.lixiaodong.com/?p=163

1. Install the required packages

sudo apt-get install libc-ares-dev libcurl4-openssl-dev libmysqlclient-dev

2. Download the mosquitto source and build/install it

Download the source from http://mosquitto.org/download/ and unpack it into a directory; inside that directory build and install:

make mosquitto
sudo make install

3. Download the mosquitto-auth-plug source

git clone https://github.com/jpmens/mosquitto-auth-plug.git

and create config.mk from the shipped template with a copy:

cp config.mk.in config.mk

Edit config.mk and pick the backends you need. I only use a MySQL database to verify users, so the BACKEND_MYSQL line is yes and all the other backend lines are no. On the MOSQUITTO_SRC line enter the path to the mosquitto source, e.g. MOSQUITTO_SRC = /root/mosquitto-1.4.4/. On the OPENSSLDIR line enter the OpenSSL path, e.g. OPENSSLDIR = /usr/lib/ssl. You can find the OpenSSL path with:

openssl version -a

4. In the mosquitto-auth-plug directory run make to build the .so file.

5. Move the .so file into the mosquitto directory (the installed configuration directory, not the source tree):

mv auth-plug.so /etc/mosquitto/

6. Edit the mosquitto configuration file

The mosquitto-auth-plug source already ships several sample configuration files that you can use. For MySQL authentication, for example, use mosquitto-mysql.conf from the examples directory:

mv mosquitto.conf mosquitto.conf.origin   (keeps the original configuration file for later use)
mv <mosquitto-auth-plug dir>/examples/mosquitto-mysql.conf <mosquitto dir>/mosquitto.conf

Then edit auth_plugin, backend, the database host, port, database name, user, password, SQL statements and so on in that file to match your setup.

7. Run mosquitto and watch the output

mosquitto -c mosquitto.conf -v

Problem:

1. The output shows Unable to load auth plugin ".../auth-plug.so"

Fix: edit config.mk in the mosquitto source directory and set

WITH_SRV:=no

then rebuild:

make clean
make

and generate a new .so file.

How to make Access Control Lists (ACL) work for Mosquitto MQTT Broker with Auth Plugin?

If you are planning to harden your MQTT service, access control lists (ACLs) are mandatory. The Mosquitto broker supports ACLs through auth plugins.

One versatile auth plugin for Mosquitto that you should consider is https://github.com/jpmens/mosquitto-auth-plug. It is very flexible in that it supports multiple backends as authentication databases, from CDB and Redis to MySQL and HTTP. However, getting it compiled and working is not that straightforward. Hence this post: it gives our students who are venturing into Mosquitto authentication a starting point.

Building the Mosquitto-Auth-Plugin

The steps below are for Ubuntu and its derivatives. Similar steps should work on CentOS and other distributions if you replace the apt-get commands with their equivalents (yum, etc.).

Install the required helper and development packages first:

sudo apt-get install libc-ares-dev libcurl4-openssl-dev libmysqlclient-dev

Get the Mosquitto source and build it:

tar xvzf mosquitto-1.3.5.tar.gz
cd mosquitto-1.3.5
make mosquitto
sudo make install

Get the mosquitto-auth-plug source and create a configuration file from the shipped template:

git clone https://github.com/jpmens/mosquitto-auth-plug.git
cd mosquitto-auth-plug
cp config.mk.in config.mk

Edit the created config.mk to suit your needs (which BACKEND_* lines are yes, plus MOSQUITTO_SRC and OPENSSLDIR):

vi config.mk

Install the development files for the backend you chose (e.g. the redis client library headers for the redis backend; libmysqlclient-dev above already covers MySQL).

Inside the mosquitto-auth-plug directory use the make command to build the plugin, then move it next to the mosquitto.conf file:

make
mv auth-plug.so /etc/mosquitto/

Edit the Mosquitto configuration file:

mv /etc/mosquitto/mosquitto.conf.example /etc/mosquitto/mosquitto.conf
vi /etc/mosquitto/mosquitto.conf

Editing the Mosquitto configuration for enabling Auth Plugin

Inside your mosquitto.conf file you indicate the auth plugin options to let the Mosquitto broker know that you are using an auth plugin, where it is located on disk, and which backend it should talk to.

Note: the Mosquitto broker usually runs under the identity of a user named mosquitto, so make sure the path to auth-plug.so is readable by that user (set permissions with chown and/or chmod). Since the plugin is loaded into the broker process, keep the file owned by root and not writable by the mosquitto user: anyone who can overwrite it can run code inside the broker.

Edit the /etc/mosquitto/mosquitto.conf file so that its content looks something like the block below (search for the auth_plugin field in that file). The quotes in the SQL statements must be plain ASCII single quotes. The two auth_opt_redis_* lines are only consulted when redis is listed in auth_opt_backends; with backends set to mysql they are ignored and can be dropped. Treat the host, database, user and password values as placeholders for your own; mosquitto.conf carries the database password in clear text, so restrict read access on it to root and the mosquitto user.

auth_plugin /etc/mosquitto/auth-plug.so
auth_opt_backends mysql
auth_opt_redis_host 162.252.108.129
auth_opt_redis_port 12885
auth_opt_host sql3.freemysqlhosting.net
auth_opt_port 3306
auth_opt_dbname sql366410
auth_opt_user sql366410
auth_opt_pass nX4*jZ3%
auth_opt_userquery SELECT pw FROM users WHERE username = '%s'
auth_opt_superquery SELECT COUNT(*) FROM users WHERE username = '%s' AND super = 1
auth_opt_aclquery SELECT topic FROM acls WHERE (username = '%s') AND (rw >= %d)
auth_opt_anonusername AnonymouS

Read the documentation at https://github.com/jpmens/mosquitto-auth-plug to learn what these fields mean and how to customize them.
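To make the query semantics concrete, here is an added Python model of how the MySQL backend answers an access check with the superquery and aclquery above. It is not the plugin's own code: the plugin substitutes the username for %s and the requested access (1 = read, 2 = write) for %d, and, per my reading of the plugin (an assumption to verify against your version), expands %u to the username and %c to the client id in each returned topic pattern before matching it against the requested topic with MQTT wildcard rules. All table rows are constructed for this example, and sqlite3 stands in for MySQL.

```python
"""Added example (not mosquitto-auth-plug code): a model of the MySQL backend's
access decision using the superquery/aclquery from the configuration above.
sqlite3 stands in for MySQL; every row is constructed sample data."""
import sqlite3

MOSQ_ACL_READ = 1   # subscribe / receive: the plugin passes acc = 1
MOSQ_ACL_WRITE = 2  # publish: the plugin passes acc = 2

# Same shape as the users/acls tables the queries expect.
SCHEMA = """
CREATE TABLE users (username TEXT PRIMARY KEY, pw TEXT NOT NULL,
                    super INTEGER NOT NULL DEFAULT 0);
CREATE TABLE acls  (username TEXT NOT NULL, topic TEXT NOT NULL,
                    rw INTEGER NOT NULL DEFAULT 1);
"""

# Constructed sample rows. rw: 1 = read-only, 2 = read-write. The pw column is
# never consulted by the ACL decision, so a placeholder string is enough here.
USERS = [("alice", "PBKDF2$placeholder", 0),
         ("sensor42", "PBKDF2$placeholder", 0),
         ("root", "PBKDF2$placeholder", 1)]
ACLS = [
    ("alice", "sensors/#", 1),        # alice may subscribe to all sensor data
    ("alice", "cmd/%u/+", 2),         # ... and publish commands under her own name
    ("sensor42", "sensors/%u/#", 2),  # a device writes only below sensors/<its name>/
]


def build_db() -> sqlite3.Connection:
    """In-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.executemany("INSERT INTO acls VALUES (?, ?, ?)", ACLS)
    return conn


def topic_matches_sub(sub: str, topic: str) -> bool:
    """MQTT matching as mosquitto_topic_matches_sub() does it: '+' matches
    exactly one level, '#' (only as the last level) matches the rest, even
    zero levels."""
    s_parts, t_parts = sub.split("/"), topic.split("/")
    for i, s in enumerate(s_parts):
        if s == "#":
            return i == len(s_parts) - 1
        if i >= len(t_parts) or (s != "+" and s != t_parts[i]):
            return False
    return len(s_parts) == len(t_parts)


def acl_check(conn: sqlite3.Connection, username: str, clientid: str,
              topic: str, acc: int) -> bool:
    """True when the user may perform access `acc` on `topic`."""
    # superquery: a superuser bypasses the ACL table entirely
    (n,) = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND super = 1",
        (username,)).fetchone()
    if n:
        return True
    # aclquery: '%s' becomes the username and '%d' the requested access;
    # rw >= acc means a read-write (2) row also satisfies a read (1) request
    rows = conn.execute(
        "SELECT topic FROM acls WHERE (username = ?) AND (rw >= ?)",
        (username, acc))
    for (pattern,) in rows:
        # expand %u (username) and %c (client id) before matching (assumed
        # plugin behaviour, see lead-in)
        expanded = pattern.replace("%u", username).replace("%c", clientid)
        if topic_matches_sub(expanded, topic):
            return True
    return False


if __name__ == "__main__":
    db = build_db()
    for user, topic, acc in [("alice", "sensors/room1/temp", MOSQ_ACL_READ),
                             ("alice", "sensors/room1/temp", MOSQ_ACL_WRITE),
                             ("sensor42", "sensors/sensor99/temp", MOSQ_ACL_WRITE),
                             ("root", "anything/at/all", MOSQ_ACL_WRITE)]:
        print(user, topic, acc, "->", acl_check(db, user, "client-1", topic, acc))
```

The rw >= %d comparison is what gives rw its ordering: 1 grants read only, 2 grants read and write, so a single row per topic covers both directions for read-write users.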

Testing the ACL workings with Mosquitto Broker

Once you have edited the Mosquitto configuration file to point at the auth plugin and its backend options, you are ready to deploy it. Before that, however, you need to create the user and ACL tables in your chosen backend database. The steps below use MySQL as the example database, but they are similar for the other backends.

As a first step, create the tables in your backend database. For MySQL you can do this with the sample SQL script in the examples directory of the mosquitto-auth-plug source.

Use the np program built in the mosquitto-auth-plug directory to generate the PBKDF2 strings for the passwords.

Create the user records with the generated PBKDF2 strings in the MySQL users table.

Edit the acls table to add the topics and access level (rw) for each created user.

Start the Mosquitto broker with the modified configuration:

/usr/local/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf

Run a sample subscriber:

mosquitto_sub -t "topic" -u userName -P password

Run a sample publisher:

mosquitto_pub -t "topic" -m message -u userName -P password
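np writes strings of the form PBKDF2$<digest>$<iterations>$<salt>$<base64 key>, which the plugin compares against on every login. The following added Python is not np or the plugin; it reproduces that layout and the matching check, assuming np's defaults as I recall them (SHA-256, 901 iterations, a 12-character alphanumeric salt and a 24-byte derived key; check your build's np -h if a string it produced does not verify here). It also shows why hashing the same password twice gives two different strings that both verify: each call draws a fresh salt.

```python
"""Added example (not code from np or mosquitto-auth-plug): generate and verify
password strings in the PBKDF2$<digest>$<iterations>$<salt>$<base64 key>
layout that np emits. Assumed np defaults: sha256, 901 iterations, a
12-character salt and a 24-byte derived key."""
import base64
import hashlib
import hmac
import secrets
import string
from typing import Optional

KEY_LENGTH = 24           # assumed: bytes of derived key that np base64-encodes
DEFAULT_ITERATIONS = 901  # assumed: np's default iteration count
SALT_LEN = 12             # assumed: np's salt length
SALT_ALPHABET = string.ascii_letters + string.digits


def new_salt(length: int = SALT_LEN) -> str:
    """Random alphanumeric salt. A fresh salt per hash is what makes two
    hashes of the same password differ."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def np_hash(password: str, iterations: int = DEFAULT_ITERATIONS,
            salt: Optional[str] = None, digest: str = "sha256") -> str:
    """Produce a string in np's layout. Pass an explicit salt only for tests."""
    if salt is None:
        salt = new_salt()
    key = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"),
                              salt.encode("utf-8"), iterations, KEY_LENGTH)
    return "$".join(["PBKDF2", digest, str(iterations), salt,
                     base64.b64encode(key).decode("ascii")])


def np_verify(password: str, stored: str) -> bool:
    """What the plugin does at login: recompute PBKDF2 with the parameters
    carried in the stored string and compare. Nothing is ever decrypted,
    which is why the clear-text password cannot be recovered from the DB."""
    try:
        tag, digest, iterations, salt, b64key = stored.split("$")
        expected = base64.b64decode(b64key, validate=True)
        iterations = int(iterations)
    except ValueError:  # wrong field count, bad iteration count or bad base64
        return False
    if tag != "PBKDF2" or digest not in hashlib.algorithms_available:
        return False
    actual = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"),
                                 salt.encode("utf-8"), iterations, len(expected))
    # constant-time comparison: a plain == would leak how many leading bytes match
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    first = np_hash("s3cret")
    second = np_hash("s3cret")
    print(first)
    print(second)
    print("differ:", first != second,
          "both verify:", np_verify("s3cret", first) and np_verify("s3cret", second))
```

Because the salt and iteration count are carried inside the string, the plugin needs no extra columns to verify a password, and the iteration count can be raised for new users without invalidating existing rows.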

Points to remember:

Never store the actual passwords in the backend database, only the PBKDF2 strings derived from them.

When starting mosquitto_sub and mosquitto_pub, use the original passwords, not the PBKDF2 strings.

PBKDF2 strings are one-way: at login the plugin recomputes PBKDF2 over the supplied password with the salt stored in the string and compares the result, rather than decrypting anything, so the original password cannot be recovered from the database and you have to remember it yourself. np also draws a random salt each time it runs, which is why hashing the same password twice produces two different strings, both of which verify.

An HTTP-backend counterpart follows: the broker's verbose log for one publish, the MySQL schema, and the PHP controller that answers the plugin's getuser, superuser and aclcheck requests.

<?php

/*
 * Broker debug output (mosquitto -v) for one publish through the HTTP backend:
 *
 * 1496415797: New connection from 127.0.0.1 on port 18831.
 * 1496415797: |-- mosquitto_auth_unpwd_check(web)
 * 1496415797: |-- ** checking backend http
 * 1496415797: |-- url=http://127.0.0.1:80/mqttauth/auth
 * 1496415797: |-- data=username=web&password=web&topic=&acc=-1&clientid=
 * 1496415797: |-- getuser(web) AUTHENTICATED=1 by http
 * 1496415797: New client connected from 127.0.0.1 as mosqpub/685591-iZ945iox (c1, k60, u'web').
 * 1496415797: Sending CONNACK to mosqpub/685591-iZ945iox (0, 0)
 * 1496415797: |-- mosquitto_auth_acl_check(..., mosqpub/685591-iZ945iox, web, gpio, MOSQ_ACL_WRITE)
 * 1496415797: |-- url=http://127.0.0.1:80/mqttauth/superuser
 * 1496415797: |-- data=username=web&password=&topic=&acc=-1&clientid=
 * 1496415797: |-- aclcheck(web, gpio, 2) SUPERUSER=Y by http
 * 1496415797: |--  Cached  [B31F19D6DEA1F5D102F3535B6BE1F33BAD96B887] for (mosqpub/685591-iZ945iox,web,2)
 * 1496415797: Received PUBLISH from mosqpub/685591-iZ945iox (d0, q0, r0, m0, 'gpio', ... (20 bytes))
 * 1496415797: Received DISCONNECT from mosqpub/685591-iZ945iox
 * 1496415797: Client mosqpub/685591-iZ945iox disconnected.
 *
 * A publish that exercises the aclAction prefix rule below:
 * mosquitto_pub -t /publish/we/22 -h 127.0.0.1 -p 1880 -u we -P we -m "{\"pin\":17,\"value\":0}"
 *
 * -- Table structure for `mqtt_users`
 * -- (the `enable` column is referenced by authAction but was missing from the
 * --  original schema; added here so the controller runs against it)
 * CREATE TABLE IF NOT EXISTS `mqtt_users` (
 *   `id` int(11) NOT NULL AUTO_INCREMENT,
 *   `username` varchar(25) NOT NULL,
 *   `pw` varchar(128) NOT NULL,
 *   `super` int(1) NOT NULL DEFAULT '0',
 *   `enable` int(1) NOT NULL DEFAULT '1',
 *   PRIMARY KEY (`id`),
 *   UNIQUE KEY `users_username` (`username`)
 * ) ENGINE=InnoDB DEFAULT CHARSET=utf8 AUTO_INCREMENT=1 ;
 *
 * -- Table structure for `mqtt_acls`
 * CREATE TABLE IF NOT EXISTS `mqtt_acls` (
 *   `id` int(11) NOT NULL AUTO_INCREMENT,
 *   `username` varchar(25) NOT NULL,
 *   `topic` varchar(256) NOT NULL,
 *   `rw` int(1) NOT NULL DEFAULT '1' COMMENT '1 read-only, 2 read-write',
 *   PRIMARY KEY (`id`),
 *   UNIQUE KEY `acls_user_topic` (`username`,`topic`(228))
 * ) ENGINE=InnoDB DEFAULT CHARSET=utf8 AUTO_INCREMENT=1 ;
 */

// Controller for the three endpoints the HTTP backend of mosquitto-auth-plug
// calls. The plugin POSTs username, password, topic, acc and clientid (see the
// data= lines in the log above); any 2xx response means "allowed", anything
// else means "denied". g() is the framework's request-parameter helper and
// ORM is the Idiorm-style query builder used by the original controller.
class mqttauthController extends BaseController {

    // getuser: username/password check at CONNECT time
    public function authAction()
    {
        $user = g("username");
        $pw   = g("password");
        // This compares the clear-text password forwarded by the plugin with the
        // pw column as stored. To honour the "store only PBKDF2 strings" rule
        // above, the backend has to verify against the stored hash instead.
        $cnt = ORM::for_table('mqtt_users')
            ->where("username", $user)
            ->where("pw", $pw)
            ->where("enable", 1)
            ->count();
        if ($cnt > 0 && $user != "" && $pw != "") {
            return;                 // 200 OK: authenticated
        }
        header('HTTP/1.1 403 Forbidden');
    }

    // superuser: the plugin sends an empty password here (password= in the log
    // above), so requiring a non-empty password would deny every superuser.
    public function superuserAction()
    {
        $user = g("username");
        $cnt = ORM::for_table('mqtt_users')
            ->where("username", $user)
            ->where("super", 1)
            ->count();
        if ($cnt > 0 && $user != "") {
            return;                 // 200 OK: superuser, ACL check is skipped
        }
        header('HTTP/1.1 403 Forbidden');
    }

    // aclcheck: a user may only use topics below /publish/<username>/
    public function aclAction()
    {
        $user  = g("username");
        $topic = g("topic");
        $acc   = g("acc");          // 1 == SUB (read), 2 == PUB (write); not distinguished here
        // The trailing slash matters: with a bare "/publish/" . $user prefix,
        // user "we" would also be granted /publish/weird/... topics.
        if ($user != "" && strpos($topic, "/publish/" . $user . "/") === 0) {
            die("ACL:" . $topic);   // 200 OK with a body: allowed
        }
        header('HTTP/1.1 403 Forbidden');
    }
}

The matching mosquitto.conf for the HTTP backend. The three URIs must be the routes under which authAction, superuserAction and aclAction are served; the log above was taken with /mqttauth/... paths while this configuration uses /mqtt/..., so adjust them to your routing. The password travels in clear text in the POST body over plain HTTP, so keep the endpoint on the same host as the broker, as done here with 127.0.0.1, rather than exposing it on the network.

auth_plugin /etc/mosquitto/auth-plug.so
auth_opt_backends http
auth_opt_http_ip 127.0.0.1
auth_opt_http_port 80
auth_opt_http_hostname tongxinmao.com
auth_opt_http_getuser_uri /mqtt/auth
auth_opt_http_superuser_uri /mqtt/superuser
auth_opt_http_aclcheck_uri /mqtt/acl
