From d4e385eba446c72896805b844d6b3735cba413dd Mon Sep 17 00:00:00 2001
From: DUMAX-VORZET Mathieu
Date: Tue, 10 Mar 2020 10:51:00 +0100
Subject: [PATCH] [Integration] Plugin Mosquitto Go Auth Based on MQTT authentication & authorization ChirpStack guide (https://www.chirpstack.io/guides/mqtt-authentication/) and using iegomez's image (here is their GitHub: https://github.com/iegomez/mosquitto-go-auth)
---
configuration/mosquitto/acls | 16 ++++++++++++++
configuration/mosquitto/mosquitto.conf | 29 ++++++++++++++++++++++++++
configuration/mosquitto/passwords | 8 +++++++
docker-compose.yml | 4 +++-
4 files changed, 56 insertions(+), 1 deletion(-)
create mode 100644 configuration/mosquitto/acls
create mode 100644 configuration/mosquitto/mosquitto.conf
create mode 100644 configuration/mosquitto/passwords
diff --git a/configuration/mosquitto/acls b/configuration/mosquitto/acls
new file mode 100644
index 0000000..4038627
--- /dev/null
+++ b/configuration/mosquitto/acls
@@ -0,0 +1,16 @@
+user chirpstack_gw
+topic write gateway/+/event/+
+topic read gateway/+/command/+
+
+user chirpstack_ns
+topic read gateway/+/event/+
+topic write gateway/+/command/+
+
+user chirpstack_as
+topic write application/+/device/+/rx
+topic write application/+/device/+/join
+topic write application/+/device/+/ack
+topic write application/+/device/+/error
+topic read application/+/device/+/tx
+topic write application/+/device/+/status
+topic write application/+/device/+/location
diff --git a/configuration/mosquitto/mosquitto.conf b/configuration/mosquitto/mosquitto.conf
new file mode 100644
index 0000000..2d987df
--- /dev/null
+++ b/configuration/mosquitto/mosquitto.conf
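Review bot: The `chirpstack_gw` entry grants `topic write gateway/+/event/+` to a single shared credential, so every gateway bridge connects with the same secret and any one of them can publish events under any gateway ID; the commented-out per-gateway `auth_opt_pg_userquery`/`auth_opt_pg_aclquery` in mosquitto.conf show the stricter model this file does not use. If the shared account is intentional for this integration, say so at the top of the block, e.g. `# chirpstack_gw is a shared bridge credential: it may publish events for any gateway ID; see the per-gateway pg queries in mosquitto.conf for a scoped alternative`. The `chirpstack_as` block interleaves its one `read` line among six `write` lines; listing the writes together and the `application/+/device/+/tx` read last makes the grant set easier to audit.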
@@ -0,0 +1,29 @@
+auth_plugin /mosquitto/go-auth.so
+auth_opt_backends files, postgres, jwt
+auth_opt_check_prefix false
+allow_anonymous false
+
+auth_opt_log_level debug
+auth_opt_password_path /etc/mosquitto/passwords
+auth_opt_acl_path /etc/mosquitto/acls
+auth_opt_cache true
+auth_opt_cache_reset true
+
+auth_opt_pg_host postgresql
+auth_opt_pg_dbname chirpstack_as
+auth_opt_pg_user chirpstack_as
+auth_opt_pg_password chirpstack_as
+#auth_opt_pg_userquery select mqtt_key_hash from gateway where name = $1 limit 1
+#auth_opt_pg_aclquery select distinct 'gateway/' || encode(mac, 'hex') || '/+' from gateway where name = $1 and $2 = $2
+
+auth_opt_pg_userquery select password_hash from "user" where username = $1 and is_active = true limit 1
+auth_opt_pg_superquery select count(*) from "user" where username = $1 and is_admin = true
+auth_opt_pg_aclquery select distinct 'application/' || a.id || '/#' from "user" u inner join organization_user ou on ou.user_id = u.id inner join organization o on o.id = ou.organization_id inner join application a on a.organization_id = o.id where u.username = $1 and $2 = $2
+
+auth_opt_jwt_remote false
+auth_opt_jwt_secret verysecret
+#auth_opt_jwt_db chirpstack_as
+auth_opt_jwt_userquery select count(*) from "user" where username = $1 and is_active = true limit 1
+#auth_opt_jwt_superquery select count(*) from "user" where username = $1 and is_admin = true
+#auth_opt_jwt_aclquery select distinct 'application/' || a.id || '/#' from "user" u inner join organization_user ou on ou.user_id = u.id inner join organization o on o.id = ou.organization_id inner join application a on a.organization_id = o.id where u.username = $1 and $2 = $2
+auth_opt_jwt_userfield Username
diff --git a/configuration/mosquitto/passwords b/configuration/mosquitto/passwords
new file mode 100644
index 0000000..07a5f25
--- /dev/null
+++ b/configuration/mosquitto/passwords
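Review bot: `auth_opt_jwt_secret verysecret` and `auth_opt_pg_password chirpstack_as` are committed as literal secrets, and with `auth_opt_jwt_remote false` the JWT secret is what lets the broker accept a token for any active user via `auth_opt_jwt_userquery`, so it must equal the application server's `jwt_secret` and be changed from the guide default before any deployment. Mosquitto's configuration syntax cannot read environment variables, so at least mark the line, e.g. `# CHANGE BEFORE DEPLOYMENT: must match the chirpstack-application-server jwt_secret`. `auth_opt_log_level debug` is verbose by nature and will record every authentication and ACL decision; `info` is the quieter setting once the integration is known to work. With `allow_anonymous false` every ChirpStack component now has to present credentials from the passwords file, and the gateway bridge, network server and application server configurations are not part of this patch, so presumably they are updated elsewhere; worth confirming before merge. The `$2 = $2` tail on the ACL queries is the plugin's documented way of consuming the access-type parameter and deserves a one-line comment so it is not "cleaned up" later.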
@@ -0,0 +1,8 @@
+# Hash version of "chirpstack_gw", obtained with pw utility
+chirpstack_gw:PBKDF2$sha512$100000$Y7Yvp81tQYz5VAUsUw21Sw==$lt3sPQ8z77Rw6GvcBZ7+GFXuE31oI2aJHxiuoVfdjzGBs5OKFmDb0CqM8filkrkQrUUhu79IQw1mWUfAETpqqQ==
+
+# Hash version of "chirpstack_ns", obtained with pw utility
+chirpstack_ns:PBKDF2$sha512$100000$h8cP1J0jJYEfj3EYYIwWcw==$ZYfxrClxzp7NrXbEPoyfX7qMvBoSA9d9WKYfrQzTBB2+Atr9AU8L7NmVLQyNdC1ZfFGHdjRZqaEHH21l4PX9Ow==
+
+# Hash version of "chirpstack_as", obtained with pw utility
+chirpstack_as:PBKDF2$sha512$100000$G4JVSnlEvjtq3zXDg7jTug==$8lh1NbmgoPeNqXc8j1IN9uCkEnJIWUVW06nXhr6ve6o0okoXEiiM3UpIjalBfYuVlBGHVjNUX2tK0tVNzWImKA==
diff --git a/docker-compose.yml b/docker-compose.yml
index dbca6a1..c2c9621 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -39,9 +39,11 @@ services: - redisdata:/data mosquitto: - image: eclipse-mosquitto + image: iegomez/mosquitto-go-auth:0.5.0 ports: - 1883:1883 + volumes: + - ./configuration/mosquitto:/etc/mosquitto volumes: postgresqldata:
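Review bot: All three entries are, by their own comments, the hash of the account's own username, so the broker credentials of a stock deployment are guessable from the ACL file alone; PBKDF2-SHA512 at 100000 iterations does not help when the plaintext is already known. Keeping them as bootstrap values is defensible for a working default, but the file should say so, e.g. `# Default credentials (password == username): regenerate with the pw utility before exposing port 1883`, and the regeneration step belongs in the project's setup documentation. The comments mention a `pw` utility without saying where it comes from; a pointer to the mosquitto-go-auth repository would save the next reader a search.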
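Review bot: The new `./configuration/mosquitto:/etc/mosquitto` mount is read-write although the broker only reads its config, ACL and password files from it; `- ./configuration/mosquitto:/etc/mosquitto:ro` keeps a compromised broker process from rewriting its own credentials or ACLs. Pinning `iegomez/mosquitto-go-auth:0.5.0` is good; the image presumably starts mosquitto with `/etc/mosquitto/mosquitto.conf`, which this mount satisfies, and a short comment on the volume line stating that `auth_opt_password_path`/`auth_opt_acl_path` in mosquitto.conf depend on this exact mount point would make the coupling explicit.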