CompanyServicesBlogDownloads
Search…
1.12.3
Welcome
Getting Started
Downloads
VerneMQ / MQTT Introduction
Installing VerneMQ
Installing on Debian and Ubuntu
Installing on CentOS and RHEL
Running VerneMQ using Docker
Configuring VerneMQ
Introduction
The VerneMQ conf file
Auth using files
Auth using a database
MQTT Options
MQTT Listeners
HTTP Listeners
Non-standard MQTT options
Websockets
Logging
Consumer session balancing
Plugins
Shared subscriptions
Advanced Options
Storage
MQTT Bridge
VerneMQ Clustering
Introduction
Inter-node Communication
Dealing with Netsplits
Live Administration
Introduction
Inspecting and managing sessions
Retained messages
Live reconfiguration
Managing Listeners
HTTP API
Tracing
Monitoring
Introduction
$SYSTree
Graphite
Netdata
Prometheus
Health Checker
Status Page
Plugin Development
Introduction
Session lifecycle
Subscribe Flow
Publish Flow
Enhanced Auth Flow
Erlang Boilerplate
Lua Scripting Support
Webhooks
Misc
Loadtesting VerneMQ
Not a tuning guide
Change Open File Limits
Guides
A typical VerneMQ deployment
VerneMQ on Kubernetes
Loadtesting VerneMQ
Clustering during development
Not a tuning guide
Change Open File Limits
Powered By GitBook
Auth using files

Authentication

VerneMQ comes with a simple file-based password authentication mechanism which is enabled by default. If you don't need this it can be disabled by setting:
1
plugins.vmq_passwd = off
Copied!
Per default VerneMQ doesn't accept any client that hasn't been configured using vmq-passwd. If you want to change this and accept any client connection you can set:
1
allow_anonymous = on
Copied!
Warning: Setting allow_anonymous=on completely disables authentication in the broker and plugin authentication hooks are never called! Find more information on the authentication hooks here.
In a production setup you can use the provided password based authentication mechanism, one of the provided authentication Database plugins, or implement your own authentication plugins.
VerneMQ periodically checks the specified password file.
1
vmq_passwd.password_file = /etc/vernemq/vmq.passwd
Copied!
The check interval defaults to 10 seconds and can also be defined in the vernemq.conf.
1
vmq_passwd.password_reload_interval = 10
Copied!
Setting the password_reload_interval = 0 disables automatic reloading.
Both configuration parameters can also be changed at runtime using the vmq-admin script.
Example: to dynamically set the reload interval to 60 seconds on all your cluster nodes, issue the following command on one of the nodes:
sudo vmq-admin set vmq_passwd.password_reload_interval=60 --all

Manage Password Files for VerneMQ

vmq-passwd is a tool for managing password files for the VerneMQ broker. Usernames must not contain ":", passwords are stored in similar format to crypt(3).
How to use vmq-passwd
1
vmq-passwd [-c | -D] passwordfile username
2
​
3
vmq-passwd -U passwordfile
Copied!
Options
-c
Creates a new password file. If the file already exists, it will be overwritten.
-D
Deletes the specified user from the password file.
-U
This option can be used to upgrade/convert a password file with plain text passwords into one using hashed passwords. It will modify the specified file. It does not detect whether passwords are already hashed, so using it on a password file that already contains hashed passwords will generate new hashes based on the old hashes and render the password file unusable. Note, with this option neither usernames or passwords may contain ":".
passwordfile
The password file to modify.
username
The username to add/update/delete.
Examples
Add a user to a new password file: (you can choose an arbitrary name for the password file, it only has to match the configuration in the VerneMQ configuration file).
1
vmq-passwd -c /etc/vernemq/vmq.passwd henry
Copied!
Delete a user from a password file
1
vmq-passwd -D /etc/vernemq/vmq.passwd henry
Copied!
Acknowledgements
The original version of vmq-passwd was developed by Roger Light ([email protected]).
vmq-passwd includes :

Authorization

VerneMQ comes with a simple ACL based authorization mechanism which is enabled by default. If you don't need this it can be disabled by setting:
1
plugins.vmq_acl = off
Copied!
VerneMQ periodically checks the specified ACL file.
1
vmq_acl.acl_file = /etc/vernemq/vmq.acl
Copied!
The check interval defaults to 10 seconds and can also be defined in the vernemq.conf.
1
vmq_acl.acl_reload_interval = 10
Copied!
Setting the acl_reload_interval = 0 disables automatic reloading.
Both configuration parameters can also be changed at runtime using the vmq-admin script.

Managing the ACL entries

Topic access is added with lines of the format:
1
topic [read|write] <topic>
Copied!
Only one space should be put between the topic and the preceeding keyword. Extra spaces will be interpreted as part of the topic! Also note that the ACL parser doesn't accept empty lines between entries.
The access type is controlled using read or write. If not provided then read an write access is granted for the topic. The topic can use the MQTT subscription wildcards + or #.
The first set of topics are applied to all anonymous clients (assuming allow_anonymous = on). User specific ACLs are added after a user line as follows (this is the username not the client id):
1
user <username>
Copied!
It is also possible to define ACLs based on pattern substitution within the the topic. The form is the same as for the topic keyword, but using pattern as the keyword.
1
pattern [read|write] <topic>
Copied!
The patterns available for substitution are:
  • %c to match the client id of the client
  • %u to match the username of the client
The substitution pattern must be the only text for that level of hierarchy. Pattern ACLs apply to all users even if the user keyword has previously been given.
Example:
1
pattern write sensor/%u/data
Copied!
VerneMQ currently doesn't cancel active subscriptions in case the ACL file revokes access for a topic.

Simple ACL Example

1
# ACL for anonymous clients
2
topic bar
3
topic write foo
4
topic read open_to_all
5
​
6
​
7
# ACL for user 'john'
8
user john
9
topic foo
10
topic read baz
11
topic write open_to_all
Copied!
Anonymous users are allowed to
  • publish & subscribe to topic bar.
  • publish to topic foo.
  • subscribe to topic open_to_all.
User john is allowed to
  • publish & subscribe to topic foo.
  • subscribe to topic baz.
  • publish to topic open_to_all.
Note that the ACL file parser is picky on a couple of things. If you doubt wether your ACLs are fully applied, check for the following.
  • Whitespaces at the end of topic names are part of the topic
  • Avoid empty lines in the ACL file.
  • But add a newline at the end of the ACL file.
Configuring VerneMQ - Previous
The VerneMQ conf file
Next - Configuring VerneMQ
Auth using a database
Last modified 2mo ago
Export as PDF
Copy link
Edit on GitHub
Contents
Authentication
Manage Password Files for VerneMQ
Authorization
Managing the ACL entries
Simple ACL Example