Skip to content

Latest commit

 

History

History
74 lines (54 loc) · 3.6 KB

README.md

File metadata and controls

74 lines (54 loc) · 3.6 KB

Mosquitto Identity Plugin

ci codecov

In a IoT platform one of the most important thing is to ensure that each device can access only the resources that the device is allowed to access. It's important because on the IoT platform we don't know where our devices are and who has them. So the basic security principle to reduce as much as we can the access to our platform is extremely importante for IoT. With this in mind this plugin allow us to overwrite the Basic Connection Authentication and create an ACL for the Mosquitto Broker using an identity server to ensure the security. Each user will have a group of Permissions called Roles and these permissions will granted or deny the access for each topic, with that we can managed the publish and the subscription for each topic.

OBS: The plugin was built using the Auth0, but we thing it will work perfectly with other identity provider, for example: keycloak

Table of content

Mosquitto Plugin

The Mosquitto broker give us a external API to build a custom plugin. This API is exposed in the mosquitto_plugin.h.

Broker Startup

When the broker start to running, the broker will check if there is some plugin configured and if was the broker will check for the methods implemented by the plugin.

In the broker startup, the broker will call tree methods: mosquitto_auth_plugin_version, mosquitto_auth_plugin_init and mosquitto_auth_security_init

Mosquitto Basic Auth Workflow

The basic authentication API can be used only by implementing the method mosquitto_auth_unpwd_check.

If the mosquitto_auth_unpwd_check was implemented, each connection that come to the broker, the broker will call the method mosquitto_auth_unpwd_check.

If the method returns MOSQ_ERR_SUCCESS = 0 the broker will allow the client to connect. If returns anything > 0 the broker will deny the connection;

Mosquitto ACL Workflow

For the Access Controller Layer, different for the basic auth, we will need to implement some methods and the broker will call each method following the diagram bellow:

Requirements:

  • Docker CE
  • Rust LTS
asdf plugin-add rust https://github.com/code-lever/asdf-rust.git \
&& asdf install rust latest \
&& asdf global rust latest
  • LLVM, CLang
sudo apt install llvm-dev libclang-dev clang
  • Mosquitto, Mosquitto SDK
sudo apt install mosquitto-dev libmosquitto-dev

Run the example

  • If all of the requirements was accomplish use the Makefile docker command to run the example
make docker 

Referencies: