How to perform acl check with mosquitto-auth-plugin
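I have set up the plugin to use the HTTP backend. When connecting with a username and password, http_getuser_uri is used as it should be. But I want to use http_aclcheck_uri for the ACL check.
My server configuration: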
log_type all
connection_message true
listener 1883 localhost
listener 8883
certfile /etc/mosquitto/certs/cert.pem
cafile /etc/mosquitto/certs/chain.pem
keyfile /etc/mosquitto/certs/privkey.pem
auth_plugin /home/ubuntu/mqtt/mosquitto/auth-plug.so
auth_opt_backends http
auth_opt_http_ip 127.0.0.1
auth_opt_http_port 80
auth_opt_http_getuser_uri /auth
auth_opt_http_superuser_uri /superuser
auth_opt_http_aclcheck_uri /acl
There are two publish events, but it seems that mosquitto performs the ACL check rather than the plugin.
Log:
1519727880: New connection from xxx.xxx.xxx.xxx on port 8883.
1519727881: mosquitto_auth_unpwd_check(UserName)
1519727881: ** checking backend http
1519727881: url=http://127.0.0.1:80/auth
1519727881: data=username=UserName&password=PassWord&topic=&acc=-1&clientid=
1519727881: getuser(UserName) AUTHENTICATED=1 by http
1519727881: New client connected from xxx.xxx.xxx.xxx as 110299159666937 (c1, k60, u'UserName').
1519727881: Sending CONNACK to 110299159666937 (0, 0)
1519727881: Received SUBSCRIBE from 110299159666937
1519727881: alarm (QoS 0)
1519727881: 110299159666937 0 alarm
1519727881: Sending SUBACK to 110299159666937
1519727881: Received SUBSCRIBE from 110299159666937
1519727881: alarm (QoS 0)
1519727881: 110299159666937 0 alarm
1519727881: Sending SUBACK to 110299159666937
1519727881: mosquitto_auth_acl_check(..., 110299159666937, UserName, alarm, MOSQ_ACL_WRITE)
1519727881: aclcheck(UserName, alarm, 2) CACHEDAUTH: 0
1519727881: Received PUBLISH from 110299159666937 (d0, q0, r0, m0, 'alarm', ... (31 bytes))
1519727881: mosquitto_auth_acl_check(..., 110299159666937, UserName, alarm, MOSQ_ACL_READ)
1519727881: aclcheck(UserName, alarm, 1) CACHEDAUTH: 0
1519727881: Sending PUBLISH to 110299159666937 (d0, q0, r0, m0, 'alarm', ... (31 bytes))
Do I have to configure something extra in mosquitto.conf to pass the ACL check to the backend?
Kind regards,
Bart
Disabling the cache (auth_opt_acl_cacheseconds 0) and setting the correct HTTP response (4**) in /superuser solved the problem.
Superuser is called before acl (so superuser has to be configured).
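A minimal backend for the three configured URIs, showing the behaviour the answer relies on: /superuser answers with an explicit 4xx for ordinary users, so the per-topic decision is left to /acl. This is an added example, not code from the original post or from the plugin project; the user table, ACL table, the `decide` helper and port 8080 are assumptions, and it assumes the plugin sends form-encoded POST bodies like the `data=` line in the log and treats 200 as allow.

```python
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Constructed sample data (assumptions, not from the original post).
USERS = {"UserName": "PassWord"}
SUPERUSERS = set()                          # nobody bypasses the ACL
ACL = {("UserName", "alarm"): {"1", "2"}}   # acc as logged: 1 = read, 2 = write

def decide(path, form):
    """Map one plugin request to an HTTP status: 200 allows, 403 denies."""
    user = form.get("username", "")
    if path == "/auth":
        ok = user in USERS and hmac.compare_digest(
            USERS[user].encode(), form.get("password", "").encode())
    elif path == "/superuser":
        # Called before /acl. Ordinary users must get an explicit 4xx here,
        # otherwise they are treated as superusers and /acl is never reached.
        ok = user in SUPERUSERS
    elif path == "/acl":
        ok = form.get("acc") in ACL.get((user, form.get("topic", "")), set())
    else:
        return 404
    return 200 if ok else 403

class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        # The plugin sends a form-encoded body like the data= line in the log.
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode("utf-8", "replace")
        form = {k: v[0] for k, v in parse_qs(body).items()}
        self.send_response(decide(self.path, form))
        self.send_header("Content-Length", "0")
        self.end_headers()

if __name__ == "__main__":
    # Port 8080 is an assumption; auth_opt_http_port must match it.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

With auth_opt_acl_cacheseconds 0, each publish and delivery should show up as a request to /superuser followed by one to /acl in this server's access log.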