我的书签
添加书签
移除书签认证鉴权
系统默认开启匿名认证(Anonymous),通过加载认证插件可开启的多个认证模块组成认证链:
匿名认证设置
匿名认证是认证链条最后一个环节, etc/emqx.conf 中默认启用匿名认证,产品部署建议关闭:
访问控制(ACL)
EMQ X 消息服务器通过 ACL(Access Control List) 实现 MQTT 客户端访问控制。
ACL 访问控制规则定义:
MQTT 客户端发起订阅/发布请求时,EMQ X 消息服务器的访问控制模块,会逐条匹配 ACL 规则,直到匹配成功为止:
访问控制设置
EMQ X 消息服务器访问控制功能在 emqx.conf 配置文件中设置:
## 当未开启认证插件、或认证请求被所有认证插件忽略时,是否允许该用户以匿名身份登录allow_anonymous = true## 所有 ACL 规则都不匹配时是否允许访问acl_nomatch = allow## ACL 规则文件acl_file = etc/acl.conf## 是否开启 ACL 缓存功能enable_acl_cache = on## ACL 最大缓存数量acl_cache_max_size = 32## ACL 缓存清理周期acl_cache_ttl = 1m## 配置 ACL 检查失败时的操作acl_deny_action = ignore
ACL 规则默认从 etc/acl.conf 中获取,在 EMQ X 启动时加载到内存:
%% 允许 'dashboard' 订阅 '$SYS/#'{allow, {user, "dashboard"}, subscribe, ["$SYS/#"]}.%% 允许来自 localhost 的客户端订阅所有主题{allow, {ipaddr, "127.0.0.1"}, pubsub, ["$SYS/#", "#"]}.%% 拒绝客户端订阅 '$SYS/#' and '#'{deny, all, subscribe, ["$SYS/#", {eq, "#"}]}.## 允许所有{allow, all}.
ACL 规则修改后可通过命令行重新加载:
$ ./bin/emqx_ctl acl reloadreload acl_internal successfully
EMQ X 支持 ClientId、Username、HTTP、OpenLDAP、MySQL、Redis、PostgreSQL、MongoDB、JWT 多种认证集成方式,以认证插件方式提供可同时加载多个形成认证链。
EMQ X 认证插件配置文件,在 /etc/emqx/plugins/(RPM/DEB 安装) 或 etc/plugins/(独立安装) 目录:
ClientID 认证插件配置
配置文件 emqx_auth_clientid.conf,配置加密方式:
## 默认 用户列表 试例:##auth.client.1.clientid = id##auth.client.1.password = passwd##auth.client.2.clientid = dev:devid##auth.client.2.password = passwd2##auth.client.3.clientid = app:appid##auth.client.3.password = passwd3##auth.client.4.clientid = client~!@#$%^&*()_+##auth.client.4.password = passwd~!@#$%^&*()_+## 密码 hash 方式.#### 值: plain | md5 | sha | sha256auth.client.password_hash = sha256
加载 ClientId 认证插件:
./bin/emqx_ctl plugins load emqx_auth_clientid
通过
./bin/emqx_ctl管理命令行添加用户:./bin/emqx_ctl clientid add \<ClientId> \<Password>
通过 HTTP API 添加用户:
POST api/v3/auth_clientid{"clientid": "clientid","password": "password"}
Username 认证插件配置
配置文件 emqx_auth_username.conf,配置加密方式:
## 默认 用户列表 试例:\##auth.user.1.username = admin\##auth.user.1.password = public\##auth.user.2.username = feng@emqtt.io\##auth.user.2.password = public\##auth.user.3.username = name~!@#$%^&*()_+\##auth.user.3.password = pwsswd~!@#$%^&*()_+## 密码 hash 方式.#### 值: plain | md5 | sha | sha256auth.user.password_hash = sha256
加载 Username 认证插件:
./bin/emqx_ctl plugins load emqx_auth_username
加载插件后,可以通过以下两种方式添加用户:
通过
./bin/emqx_ctl管理命令行添加用户:$ ./bin/emqx_ctl users add <Username> <Password>
通过 HTTP API 添加用户:
POST api/v3/auth_username{"username": "username","password": "password"}
OpenLDAP 认证插件配置
配置文件 emqx_auth_ldap.conf,配置 OpenLDAP 服务器参数:
## OpenLDAP 服务器列表auth.ldap.servers = 127.0.0.1## OpenLDAP 服务器端口auth.ldap.port = 389## OpenLDAP 连接池大小auth.ldap.pool = 8## OpenLDAP Bind DN.auth.ldap.bind_dn = cn=root,dc=emqx,dc=io## OpenLDAP Bind 密码.auth.ldap.bind_password = public## OpenLDAP 查询超时时间auth.ldap.timeout = 30s## OpenLDAP Device DN.auth.ldap.device_dn = ou=device,dc=emqx,dc=io## 指定的 ObjectClassauth.ldap.match_objectclass = mqttUser## username 的属性类型auth.ldap.username.attributetype = uid## password 的属性类型auth.ldap.password.attributetype = userPassword## 是否开启 SSLauth.ldap.ssl = false
加载 OpenLDAP 认证插件:
./bin/emqx_ctl plugins load emqx_auth_ldap
配置文件 emqx_auth_http.conf,设置 HTTP 请求相关参数
## HTTP 请求超时时间,0 表示永不超时## auth.http.request.timeout = 0## 连接超时时间,0 表示永不超时## auth.http.request.connect_timout = 0## HTTP 请求重传次数auth.http.request.retry_times = 3## HTTP 请求重传间隔auth.http.request.retry_interval = 1s## 请求重传使用了指数退避机制, 实际重传间隔为 `interval * backoff ^ times`auth.http.request.retry_backoff = 2.0
设置认证 URL 及其参数:
设置超级用户 URL 及其参数:
auth.http.super_req = http://127.0.0.1:8991/mqtt/superuserauth.http.super_req.method = postauth.http.super_req.params = clientid=%c,username=%u
设置访问控制(ACL) URL 及其参数:
## 'access' parameter: sub = 1, pub = 2auth.http.acl_req = http://127.0.0.1:8991/mqtt/aclauth.http.acl_req.method = getauth.http.acl_req.params = access=%A,username=%u,clientid=%c,ipaddr=%a,topic=%t
HTTP 认证/访问控制(ACL)服务器 API 设计:
认证/ACL 成功,API 返回 200认证/ACL 失败,API 返回 4xx
./bin/emqx_ctl plugins load emqx_auth_http
MySQL 认证插件配置
配置文件 emqx_auth_mysql.conf, 默认的 MQTT 用户、ACL 库表和认证设置:
CREATE TABLE `mqtt_user` (`id` int(11) unsigned NOT NULL AUTO_INCREMENT,`username` varchar(100) DEFAULT NULL,`password` varchar(100) DEFAULT NULL,`salt` varchar(100) DEFAULT NULL,`is_superuser` tinyint(1) DEFAULT 0,`created` datetime DEFAULT NULL,PRIMARY KEY (`id`),) ENGINE=MyISAM DEFAULT CHARSET=utf8;
Tip
用户可自定义认证用户表,通过 auth_query 配置查询语句。
MQTT 访问控制表
CREATE TABLE `mqtt_acl` (`id` int(11) unsigned NOT NULL AUTO_INCREMENT,`allow` int(1) DEFAULT NULL COMMENT '0: deny, 1: allow',`ipaddr` varchar(60) DEFAULT NULL COMMENT 'IpAddress',`username` varchar(100) DEFAULT NULL COMMENT 'Username',`clientid` varchar(100) DEFAULT NULL COMMENT 'ClientId',`access` int(2) NOT NULL COMMENT '1: subscribe, 2: publish, 3: pubsub',`topic` varchar(100) NOT NULL DEFAULT '' COMMENT 'Topic Filter',PRIMARY KEY (`id`)) ENGINE=InnoDB DEFAULT CHARSET=utf8;INSERT INTO `mqtt_acl` (`id`, `allow`, `ipaddr`, `username`, `clientid`, `access`, `topic`)VALUES(1,1,NULL,'$all',NULL,2,'#'),(2,0,NULL,'$all',NULL,1,'$SYS/#'),(3,0,NULL,'$all',NULL,1,'eq #'),(4,1,'127.0.0.1',NULL,NULL,2,'$SYS/#'),(5,1,'127.0.0.1',NULL,NULL,2,'#'),(6,1,NULL,'dashboard',NULL,1,'$SYS/#');
配置 MySQL 服务器地址
## Mysql 服务器地址auth.mysql.server = 127.0.0.1:3306## Mysql 连接池大小auth.mysql.pool = 8## Mysql 用户名## auth.mysql.username =## Mysql 密码## auth.mysql.password =## Mysql 数据库名auth.mysql.database = mqtt## MySQL 查询超时## auth.mysql.query_timeout = 5s
配置 MySQL 认证查询语句
## 认证查询语句#### Variables:## - %u: username## - %c: clientid## - %C: common name of client TLS cert## - %d: subject of client TLS certauth.mysql.auth_query = select password from mqtt_user where username = '%u' limit 1## Password hash: plain, md5, sha, sha256, pbkdf2, bcryptauth.mysql.password_hash = sha256## sha256 with salt prefix## auth.mysql.password_hash = salt,sha256## sha256 with salt suffix## auth.mysql.password_hash = sha256,salt## bcrypt with salt only prefix## auth.mysql.password_hash = salt,bcrypt## pbkdf2 with macfun iterations dklen## macfun: md4, md5, ripemd160, sha, sha224, sha256, sha384, sha512## auth.mysql.password_hash = pbkdf2,sha256,1000,20## 超级用户查询语句#### Variables:## - %u: username## - %c: clientid## - %C: common name of client TLS cert## - %d: subject of client TLS certauth.mysql.super_query = select is_superuser from mqtt_user where username = '%u' limit 1
配置 MySQL 访问控制查询语句
## ACL 查询语句#### Variables:## - %a: ipaddr## - %u: username## - %c: clientidauth.mysql.acl_query = select allow, ipaddr, username, clientid, access, topic from mqtt_acl where ipaddr = '%a' or username = '%u' or username = '$all' or clientid = '%c'
加载 MySQL 认证插件
./bin/emqx_ctl plugins load emqx_auth_mysql
PostgreSQL 认证插件配置
配置文件 emqx_auth_pgsql.conf, 默认的 MQTT 用户、ACL 库表和认证设置:
PostgreSQL MQTT 用户表
CREATE TABLE mqtt_user (id SERIAL primary key,is_superuser boolean,username character varying(100),password character varying(100),salt character varying(100));
Tip
若用户自定义认证用户表,则需要通过 auth_query 自行配置查询语句。
PostgreSQL MQTT 访问控制表
CREATE TABLE mqtt_acl (id SERIAL primary key,allow integer,ipaddr character varying(60),username character varying(100),clientid character varying(100),access integer,topic character varying(100));INSERT INTO mqtt_acl (id, allow, ipaddr, username, clientid, access, topic)VALUES(1,1,NULL,'$all',NULL,2,'#'),(2,0,NULL,'$all',NULL,1,'$SYS/#'),(3,0,NULL,'$all',NULL,1,'eq #'),(4,1,'127.0.0.1',NULL,NULL,2,'$SYS/#'),(5,1,'127.0.0.1',NULL,NULL,2,'#'),(6,1,NULL,'dashboard',NULL,1,'$SYS/#');
配置 PostgreSQL 服务器地址
## PostgreSQL 服务器auth.pgsql.server = 127.0.0.1:5432## PostgreSQL 连接池大小auth.pgsql.pool = 8## PostgreSQL 用户名auth.pgsql.username = root## PostgreSQL 密码## auth.pgsql.password =## PostgreSQL 数据库名auth.pgsql.database = mqtt## PostgreSQL 字符编码方式auth.pgsql.encoding = utf8## 是否开启 SSLauth.pgsql.ssl = false## auth.pgsql.ssl_opts.keyfile =## auth.pgsql.ssl_opts.certfile =## auth.pgsql.ssl_opts.cacertfile =
## 认证查询语句#### Variables:## - %u: username## - %c: clientid## - %C: common name of client TLS cert## - %d: subject of client TLS certauth.pgsql.auth_query = select password from mqtt_user where username = '%u' limit 1## Password hash: plain, md5, sha, sha256, pbkdf2, bcryptauth.pgsql.password_hash = sha256## sha256 with salt prefix## auth.pgsql.password_hash = salt,sha256## sha256 with salt suffix## auth.pgsql.password_hash = sha256,salt## bcrypt with salt prefix## auth.pgsql.password_hash = salt,bcrypt## pbkdf2 with macfun iterations dklen## macfun: md4, md5, ripemd160, sha, sha224, sha256, sha384, sha512## auth.pgsql.password_hash = pbkdf2,sha256,1000,20## 超级用户查询语句#### Variables:## - %u: username## - %c: clientid## - %C: common name of client TLS cert## - %d: subject of client TLS certauth.pgsql.super_query = select is_superuser from mqtt_user where username = '%u' limit 1
配置 PostgreSQL 访问控制语句
## ACL 查询语句#### Variables:## - %a: ipaddress## - %u: username## - %c: clientidauth.pgsql.acl_query = select allow, ipaddr, username, clientid, access, topic from mqtt_acl where ipaddr = '%a' or username = '%u' or username = '$all' or clientid = '%c'
加载 PostgreSQL 认证插件
Redis 认证插件配置
配置文件 emqx_auth_redis.conf:
配置 Redis 服务器地址
## Redis 服务器集群类型auth.redis.type = single## Redis 服务器列表auth.redis.server = 127.0.0.1:6379## Redis Sentinel## auth.redis.server = 127.0.0.1:26379## Redis Sentinel 集群名称## auth.redis.sentinel = mymaster## Redis 连接池大小auth.redis.pool = 8## Redis 数据库名auth.redis.database = 0## Redis 密码## Redis 查询超时## auth.redis.query_timeout = 5s
配置认证查询命令
## Variables: %u = username, %c = clientid## 认证查询命令#### Variables:## - %u: username## - %c: clientid## - %C: common name of client TLS cert## - %d: subject of client TLS certauth.redis.auth_cmd = HGET mqtt_user:%u password## Password hash: plain, md5, sha, sha256, pbkdf2, bcryptauth.redis.password_hash = plain## sha256 with salt prefix## auth.redis.password_hash = salt,sha256## sha256 with salt suffix## auth.redis.password_hash = sha256,salt## bcrypt with salt prefix## auth.redis.password_hash = salt,bcrypt## pbkdf2 with macfun iterations dklen## macfun: md4, md5, ripemd160, sha, sha224, sha256, sha384, sha512## auth.redis.password_hash = pbkdf2,sha256,1000,20## 超级用户查询命令#### Variables:## - %u: username## - %c: clientid## - %C: common name of client TLS cert## - %d: subject of client TLS certauth.redis.super_cmd = HGET mqtt_user:%u is_superuser
配置访问控制查询命令
## ACL 查询命令#### Variables:## - %u: username## - %c: clientidauth.redis.acl_cmd = HGETALL mqtt_acl:%u
Redis 认证用户 Hash
默认采用 Hash 存储认证用户:
HSET mqtt_user:\<username> is_superuser 1HSET mqtt_user:\<username> password "passwd"
Redis ACL 规则 Hash
默认采用 Hash 存储 ACL 规则:
HSET mqtt_acl:\<username> topic1 1HSET mqtt_acl:\<username> topic2 2HSET mqtt_acl:\<username> topic3 3
Tip
1: subscribe, 2: publish, 3: pubsub
加载 Redis 认证插件
./bin/emqx_ctl plugins load emqx_auth_redis
配置文件 emqx_auth_mongo.conf, MongoDB、MQTT 用户、ACL 集合设置:
## MongoDB Topology 类型: single | unknown | sharded | rsauth.mongo.type = single## MongoDB 服务器列表auth.mongo.server = 127.0.0.1:27017## MongoDB 连接池大小auth.mongo.pool = 8## MongoDB 用户名## auth.mongo.user =## MongoDB 密码## auth.mongo.password =## MongoDB 数据库名auth.mongo.database = mqtt## MongoDB 超时时间## auth.mongo.query_timeout = 5s## 是否开启 SSL## auth.mongo.ssl = false## SSL keyfile.## auth.mongo.ssl_opts.keyfile =## SSL certfile.## auth.mongo.ssl_opts.certfile =## SSL cacertfile.## auth.mongo.ssl_opts.cacertfile =## MongoDB 写模式## auth.mongo.w_mode =## MongoDB 读模式## auth.mongo.r_mode =## MongoDB topology 选项auth.mongo.topology.pool_size = 1auth.mongo.topology.max_overflow = 0## auth.mongo.topology.overflow_ttl = 1000## auth.mongo.topology.overflow_check_period = 1000## auth.mongo.topology.local_threshold_ms = 1000## auth.mongo.topology.connect_timeout_ms = 20000## auth.mongo.topology.socket_timeout_ms = 100## auth.mongo.topology.server_selection_timeout_ms = 30000## auth.mongo.topology.wait_queue_timeout_ms = 1000## auth.mongo.topology.heartbeat_frequency_ms = 10000## auth.mongo.topology.min_heartbeat_frequency_ms = 1000
配置认证查询集合
## auth_queryauth.mongo.auth_query.collection = mqtt_userauth.mongo.auth_query.password_field = password## Password hash: plain, md5, sha, sha256, bcryptauth.mongo.auth_query.password_hash = sha256## sha256 with salt suffix## auth.mongo.auth_query.password_hash = sha256,salt## sha256 with salt prefix## auth.mongo.auth_query.password_hash = salt,sha256## bcrypt with salt prefix## auth.mongo.auth_query.password_hash = salt,bcrypt## pbkdf2 with macfun iterations dklen## macfun: md4, md5, ripemd160, sha, sha224, sha256, sha384, sha512## auth.mongo.auth_query.password_hash = pbkdf2,sha256,1000,20## 认证 Selector#### Variables:## - %u: username## - %c: clientid## - %C: common name of client TLS cert## - %d: subject of client TLS certauth.mongo.auth_query.selector = username=%u## 超级用户 Selectorauth.mongo.super_query = onauth.mongo.super_query.collection = mqtt_userauth.mongo.super_query.super_field = is_superuserauth.mongo.super_query.selector = username=%u
配置 ACL 查询集合
## 是否开启 ACL 功能auth.mongo.acl_query = onauth.mongo.aclquery.collection = mqtt_acl## ACL Selector.#### Variables:## - %u: username## - %c: clientidauth.mongo.aclquery.selector = username=%u
MongoDB 数据库
use mqttdb.createCollection("mqtt_user")db.createCollection("mqtt_acl")db.mqtt_user.ensureIndex({"username":1})
Tip
数据库、集合名称可自定义
MongoDB 用户集合示例
{username: "user",password: "password hash",is_superuser: boolean (true, false),created: "datetime"}db.mqtt_user.insert({username: "test", password: "password hash", is_superuser: false})db.mqtt_user:insert({username: "root", is_superuser: true})
MongoDB ACL 集合示例
{username: "username",clientid: "clientid",publish: ["topic1", "topic2", ...],subscribe: ["subtop1", "subtop2", ...],pubsub: ["topic/#", "topic1", ...]}db.mqtt_acl.insert({username: "test", publish: ["t/1", "t/2"], subscribe: ["user/%u", "client/%c"]})db.mqtt_acl.insert({username: "admin", pubsub: ["#"]})
加载 MognoDB 认证插件
./bin/emqx_ctl plugins load emqx_auth_mongo
JWT 认证插件配置
配置 JWT 认证
## HMAC hash secretauth.jwt.secret = emqxsecret## 配置 JWT 字符串从何处获取auth.jwt.from = password## RSA or ECDSA 公钥文件## auth.jwt.pubkey = /etc/certs/jwt_public_key.pem## 是否验证 claims 字段auth.jwt.verify_claims = off## 要验证的 claims 清单## auth.jwt.verify_claims.username = %u
