LogoLogo
1.10.3
1.10.3
  • Welcome
  • Getting Started
  • Downloads
  • VerneMQ / MQTT Introduction
  • Installation
    • Accepting the VerneMQ EULA
    • Installing on Debian and Ubuntu
    • Installing on CentOS and RHEL
    • Running VerneMQ using Docker
  • Configuration
    • Introduction
    • Auth using files
    • Auth using a database
    • MQTT Options
    • MQTT Listeners
    • HTTP Listeners
    • Non-standard MQTT options
    • Websockets
    • Logging
    • Consumer session balancing
    • Plugins
    • Shared subscriptions
    • Advanced Options
    • Storage
    • MQTT Bridge
  • Clustering
    • Introduction
    • Inter-node Communication
    • Dealing with Netsplits
  • Administration
    • Introduction
    • Inspecting and managing sessions
    • Retained messages
    • Live reconfiguration
    • Managing Listeners
    • HTTP API
    • Tracing
  • Monitoring
    • Introduction
    • $SYSTree
    • Graphite
    • Netdata
    • Prometheus
    • Health Checker
    • Status Page
  • Plugindevelopment
    • Introduction
    • Session lifecycle
    • Subscribe Flow
    • Publish Flow
    • Enhanced Auth Flow
    • Erlang Boilerplate
    • Lua Scripting Support
    • Webhooks
  • Guides
    • A typical VerneMQ deployment
    • VerneMQ on Kubernetes
    • Loadtesting VerneMQ
    • Clustering during development
    • Not a tuning guide
    • Change Open File Limits
Powered by GitBook
On this page
  • Authentication
  • Manage Password Files for VerneMQ
  • Authorization
  • Managing the ACL entries
  • Simple ACL Example

Was this helpful?

Edit on Git
Export as PDF
  1. Configuration

Auth using files

PreviousIntroductionNextAuth using a database

Last updated 4 years ago

Was this helpful?

Authentication

VerneMQ comes with a simple file-based password authentication mechanism which is enabled by default. If you don't need this it can be disabled by setting:

plugins.vmq_passwd = off

Per default VerneMQ doesn't accept any client that hasn't been configured using vmq-passwd. If you want to change this and accept any client connection you can set:

allow_anonymous = on

Warning: Setting allow_anonymous=on completely disables authentication in the broker and plugin authentication hooks are never called! See more information about the authentication hooks .

In a production setup we recommend to use the provided password based authentication mechanism or implement your own authentication plugins.

VerneMQ periodically checks the specified password file.

vmq_passwd.password_file = /etc/vernemq/vmq.passwd

The check interval defaults to 10 seconds and can also be defined in the vernemq.conf.

vmq_passwd.password_reload_interval = 10

Setting the password_reload_interval = 0 disables automatic reloading.

Both configuration parameters can also be changed at runtime using the vmq-admin script.

Manage Password Files for VerneMQ

vmq-passwd is a tool for managing password files for the VerneMQ broker. Usernames must not contain ":", passwords are stored in similar format to .

How to use vmq-passwd

vmq-passwd [-c | -D] passwordfile username

vmq-passwd -U passwordfile

Options

-c

Creates a new password file. If the file already exists, it will be overwritten.

-D

Deletes the specified user from the password file.

-U

This option can be used to upgrade/convert a password file with plain text passwords into one using hashed passwords. It will modify the specified file. It does not detect whether passwords are already hashed, so using it on a password file that already contains hashed passwords will generate new hashes based on the old hashes and render the password file unusable. Note, with this option neither usernames or passwords may contain ":".

passwordfile

The password file to modify.

username

The username to add/update/delete.

Examples

Add a user to a new password file: (you can choose an arbitrary name for the password file, it only has to match the configuration in the VerneMQ configuration file).

vmq-passwd -c /etc/vernemq/vmq.passwd henry

Delete a user from a password file

vmq-passwd -D /etc/vernemq/vmq.passwd henry

Acknowledgements

The original version of vmq-passwd was developed by Roger Light (roger@atchoo.org).

vmq-passwd includes :

  • software developed by the [OpenSSL

  • cryptographic software written by Eric Young

    (eay@cryptsoft.com)

  • software written by Tim Hudson (tjh@cryptsoft.com)

Authorization

VerneMQ comes with a simple ACL based authorization mechanism which is enabled by default. If you don't need this it can be disabled by setting:

plugins.vmq_acl = off

VerneMQ periodically checks the specified ACL file.

vmq_acl.acl_file = /etc/vernemq/vmq.acl

The check interval defaults to 10 seconds and can also be defined in the vernemq.conf.

vmq_acl.acl_reload_interval = 10

Setting the acl_reload_interval = 0 disables automatic reloading.

Both configuration parameters can also be changed at runtime using the vmq-admin script.

Managing the ACL entries

Topic access is added with lines of the format:

topic [read|write] <topic>

Only one space should be put between the topic and the preceeding keyword. Extra spaces will be interpreted as part of the topic! Also note that the ACL parser doesn't accept empty lines between entries.

The access type is controlled using read or write. If not provided then read and write access is granted for the topic. The topic can use the MQTT subscription wildcards + or #.

The first set of topics are applied to all anonymous clients (assuming allow_anonymous = on). User specific ACLs are added after a user line as follows (this is the username not the client id):

user <username>

It is also possible to define ACLs based on pattern substitution within the topic. The form is the same as for the topic keyword, but using pattern as the keyword.

pattern [read|write] <topic>

The patterns available for substitution are:

  • %c to match the client id of the client

  • %u to match the username of the client

The substitution pattern must be the only text for that level of hierarchy. Pattern ACLs apply to all users even if the user keyword has previously been given.

Example:

pattern write sensor/%u/data

VerneMQ currently doesn't cancel active subscriptions in case the ACL file revokes access for a topic.

Simple ACL Example

# ACL for anonymous clients
topic bar
topic write foo
topic read open_to_all


# ACL for user 'john'
user john
topic foo
topic read baz
topic write open_to_all

Anonymous users are allowed to

  • publish & subscribe to topic bar.

  • publish to topic foo.

  • subscribe to topic open_to_all.

User john is allowed to

  • publish & subscribe to topic foo.

  • subscribe to topic baz.

  • publish to topic open_to_all.

Project]() for use in the OpenSSL Toolkit.

http://www.openssl.org/
crypt(3)
here