How does EMQ X generate authentication information? Identity authentication process and operation steps

Identity authentication is an important part of most applications. Authentication in EMQ X means that when a client connects to EMQ X, server-side configuration controls whether that client is permitted to connect to the server.

EMQ X's authentication support covers two levels:

• The MQTT protocol itself carries a user name and password in the CONNECT message; on top of these, EMQ X supports authentication based on Username, ClientID, HTTP, JWT, LDAP and various databases such as MongoDB, MySQL, PostgreSQL and Redis.

• At the transport layer, TLS authenticates the client to the server with client certificates and lets the client verify the server's certificate. PSK-based TLS/DTLS authentication is also supported.

Authentication methods

EMQ X supports the use of built-in data sources (files, built-in databases), JWT, external mainstream databases and custom HTTP APIs as authentication data sources.

Connecting to data sources and executing the authentication logic are implemented by plug-ins. Each plug-in corresponds to one authentication method, and the corresponding plug-in must be enabled before use. When a client connects, the plug-in authenticates it by checking whether its username/clientid and password match the information held in the specified data source.

Authentication methods supported by EMQ X:

Built-in data sources

• Username Authentication

• Client ID Authentication

These use configuration files and EMQ X's built-in database as the authentication data source, managed through the HTTP API; they are simple and lightweight.

External databases

• LDAP authentication

• MySQL authentication

• PostgreSQL authentication

• Redis authentication

• MongoDB authentication

External databases can store large amounts of data and also make it easier to integrate with an external device management system.

Other

• HTTP authentication

• JWT authentication

JWT authentication can issue authentication information in batches, and HTTP authentication can implement complex authentication logic. After changing a plug-in's configuration, the plug-in must be restarted for the change to take effect. Some authentication plug-ins also include ACL functionality.

Authentication results

Any authentication method will eventually return a result:

• Authentication successful: the client's credentials match the data source.

• Authentication failed: the client's credentials do not match, i.e. the password in the data source is inconsistent with the password presented.

• Ignore authentication (ignore): no authentication data is found by the current authentication method, so it cannot explicitly decide success or failure; the decision is handed to the next authentication method in the authentication chain or to anonymous authentication.

Anonymous authentication

Anonymous authentication is enabled in the default configuration of EMQ X, so any client can access EMQ X. When no authentication plug-in is enabled, or the enabled plug-ins neither explicitly allow nor deny (ignore) the connection request, EMQ X decides whether to allow the client to connect according to whether anonymous authentication is enabled.

Configure the anonymous authentication switch:

# etc/emqx.conf 

## Value: true | false 
allow_anonymous = true

Please disable anonymous authentication in the production environment.

Note: you need to enter the container to modify the configuration, then restart the EMQ X service.

Password salting rules and hashing methods

A hash method can be enabled in most of EMQ X's authentication plug-ins, so that only the password ciphertext (the hash) is stored in the data source, protecting the stored credentials.

When a hash method is enabled, the user can specify a salt for each client and configure the salting rule; the passwords stored in the database are then the ciphertexts produced by applying that salting rule and hash method.

Take MySQL authentication as an example:

Salt rule and hash method configuration:

# etc/plugins/emqx_auth_mysql.conf
## No salt, hash only
auth.mysql.password_hash = sha256
## Salt prefix: sha256 over the concatenated string salt + password
auth.mysql.password_hash = salt,sha256
## Salt suffix: sha256 over the concatenated string password + salt
auth.mysql.password_hash = sha256,salt
## pbkdf2 with macfun iterations dklen
## macfun: md4, md5, ripemd160, sha, sha224, sha256, sha384, sha512
## auth.mysql.password_hash = pbkdf2,sha256,1000,20

When generating authentication information:

1. For each client, allocate its user name, Client ID, password, salt and other information

2. Process the client information with the same salting rule and hash method as the MySQL authentication configuration to obtain the ciphertext

3. Write the client information into the database, storing the ciphertext as the client's password

EMQ X identity authentication process

1. Using the configured authentication SQL together with the information passed in by the client, query the authentication data such as the password (ciphertext) and salt; if the query returns no result, authentication terminates and an ignore result is returned

2. Calculate the ciphertext of the presented password according to the configured salting rule and hash method (skip this step if no hash method is enabled)

3. Compare the ciphertext stored in the database with the ciphertext calculated for the current client. If they match, authentication passes; otherwise authentication fails.

[Figure: PostgreSQL authentication function logic diagram]

Authentication can only work when the salting rule and hash method used to write the data match the configuration of the corresponding plug-in. Changing the hash method invalidates existing authentication data.

Authentication chain

When multiple authentication methods are enabled at the same time, EMQ X performs chained authentication in the order in which the plug-ins were enabled:

• As soon as one method succeeds, the authentication chain terminates and the client is allowed to access.

• As soon as one method fails, the authentication chain terminates and client access is denied.

• If even the last authentication method has not produced a pass or fail result, the decision follows the anonymous authentication configuration:

• When anonymous authentication is enabled, the client is allowed to access

• When anonymous authentication is disabled, client access is denied

Enabling only one authentication plug-in at the same time can improve the efficiency of client authentication.
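As an added example (not from the original post and not EMQ X's own code), the Python below reproduces the password_hash rules shown in the MySQL configuration, the three-step verify-and-compare process, and the allow/deny/ignore decision of the authentication chain. A constructed in-memory dict stands in for the MySQL query, and the rule, salt and credentials are made-up values; macfun names are passed straight to hashlib, which is an assumption.

```python
import hashlib
import hmac


def hash_password(rule: str, password: str, salt: str = "") -> str:
    """Apply an EMQ X-style password_hash rule and return the hex ciphertext.

    rule forms: "sha256" (no salt), "salt,sha256" (salt prefix),
    "sha256,salt" (salt suffix), "pbkdf2,<macfun>,<iterations>,<dklen>".
    """
    parts = rule.split(",")
    if parts[0] == "pbkdf2":
        macfun, iters, dklen = parts[1], int(parts[2]), int(parts[3])
        return hashlib.pbkdf2_hmac(macfun, password.encode(), salt.encode(), iters, dklen).hex()
    if len(parts) == 1:            # no salt, hash only
        algo, data = parts[0], password
    elif parts[0] == "salt":       # salt prefix: hash(salt + password)
        algo, data = parts[1], salt + password
    elif parts[1] == "salt":       # salt suffix: hash(password + salt)
        algo, data = parts[0], password + salt
    else:
        raise ValueError(f"unsupported rule: {rule}")
    return hashlib.new(algo, data.encode()).hexdigest()


# Constructed stand-in for the MySQL auth table: password column holds ciphertext.
RULE = "salt,sha256"
USERS = {"device1": {"salt": "s3cr3t", "password": hash_password(RULE, "pass123", "s3cr3t")}}


def mysql_auth(username: str, password: str) -> str:
    """One authentication method: returns 'allow', 'deny' or 'ignore'."""
    row = USERS.get(username)
    if row is None:
        return "ignore"            # step 1: no query result, hand over to the chain
    calc = hash_password(RULE, password, row["salt"])          # step 2
    if hmac.compare_digest(row["password"], calc):              # step 3
        return "allow"
    return "deny"


def authenticate(methods, username: str, password: str, allow_anonymous: bool = False) -> str:
    """Run the chain in plug-in order; the first allow/deny wins, ignore falls through."""
    for method in methods:
        result = method(username, password)
        if result != "ignore":
            return result
    return "allow" if allow_anonymous else "deny"  # last method still undecided
```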


Origin blog.csdn.net/Blue92120/article/details/131429865