What authentication methods does EMQ X support?

Authentication in EMQ X refers to controlling, through server-side configuration, whether a client is permitted to connect to the server at the moment it attempts the connection.

EMQ X's authentication support covers two levels:

The MQTT protocol itself specifies a user name and password in the CONNECT message. EMQ X supports, in the form of plug-ins, various forms of authentication based on the username, the ClientID, HTTP, JWT, LDAP and databases such as MongoDB, MySQL, PostgreSQL and Redis.

At the transport layer, TLS can authenticate the client to the server using client certificates, and the client verifies the server's certificate. PSK-based TLS/DTLS authentication is also supported.

Authentication methods

EMQ X supports built-in data sources (configuration files, the built-in database), JWT, the mainstream external databases and custom HTTP APIs as authentication data sources.

Connecting to a data source and performing the authentication logic are implemented through plug-ins. Each plug-in corresponds to one authentication method, and the corresponding plug-in must be enabled before use.

When a client connects, the plug-in authenticates it by checking whether its username/clientid and password match the records in the specified data source.

Authentication methods supported by EMQ X:

Built-in data source

Username Authentication

Client ID Authentication

These use configuration files and EMQ X's built-in database as the authentication data source and are managed through the HTTP API; they are simple and lightweight.

External database

LDAP authentication

MySQL authentication

PostgreSQL authentication

Redis authentication

MongoDB authentication

An external database can store a large amount of data and also makes it easier to integrate with an external device management system.

Other

HTTP authentication

JWT authentication

JWT authentication can issue authentication information in batches, and HTTP authentication can implement complex authentication and authorization logic.

After changing a plug-in's configuration, the plug-in must be restarted for the change to take effect. Some authentication plug-ins also include an ACL function.

Authentication result

Every authentication method eventually returns one of these results:

Authentication successful: the client's credentials were compared against the data source and matched.

Authentication failed: the client's credentials were compared and did not match, i.e. the password in the data source is inconsistent with the password the client presented.

Ignore (ignore): no authentication data for this client was found in the current authentication method, so it cannot explicitly judge success or failure.

Anonymous authentication

Anonymous authentication is enabled in EMQ X's default configuration, so any client can access EMQ X. When no authentication plug-in is enabled, or the enabled plug-ins neither explicitly allow nor deny the connection request (ignore), EMQ X decides whether to let the client connect according to whether anonymous authentication is enabled.

Configure the anonymous authentication switch:

# etc/emqx.conf
## Value: true | false
allow_anonymous = true

Please disable anonymous authentication in the production environment.

Note: in a container deployment, enter the container to modify the configuration, and then restart the EMQ X service.
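The interaction between the three plug-in results and the allow_anonymous switch, modelled in Python as an added example (not EMQ X's own code). The data source, the client names and the plug-in label "emqx_auth_username" are constructed for the illustration; the decision rule is the one the text describes: the first plug-in that explicitly allows or denies wins, and if every plug-in ignores the client the switch decides.

```python
import hmac
from enum import Enum


class AuthResult(Enum):
    """The three outcomes an authentication method can return."""
    ALLOW = "allow"    # credentials compared and matched
    DENY = "deny"      # credentials compared and did not match
    IGNORE = "ignore"  # no data for this client, cannot judge


def username_plugin(store: dict):
    """Model of a username-based plug-in over a constructed data source
    (username -> password; kept in plaintext only to keep the model short)."""
    def authenticate(username: str, password: str) -> AuthResult:
        expected = store.get(username)
        if expected is None:
            return AuthResult.IGNORE          # no record: neither allow nor deny
        if hmac.compare_digest(expected.encode(), password.encode()):
            return AuthResult.ALLOW
        return AuthResult.DENY
    return authenticate


def decide(plugins, allow_anonymous: bool, username: str, password: str):
    """Walk the enabled plug-ins in order; the first explicit allow/deny wins.
    If every plug-in ignores the client (or none is enabled), fall back to the
    allow_anonymous switch. Returns (result, which rule produced it)."""
    for name, plugin in plugins:
        result = plugin(username, password)
        if result is not AuthResult.IGNORE:
            return result, name
    fallback = AuthResult.ALLOW if allow_anonymous else AuthResult.DENY
    return fallback, "allow_anonymous"


# Constructed sample data source and plug-in chain.
SAMPLE_STORE = {"sensor-01": "s3cret"}
PLUGINS = [("emqx_auth_username", username_plugin(SAMPLE_STORE))]


if __name__ == "__main__":
    for anon in (True, False):
        print("allow_anonymous =", anon)
        print("  known client, right password:", decide(PLUGINS, anon, "sensor-01", "s3cret"))
        print("  known client, wrong password:", decide(PLUGINS, anon, "sensor-01", "nope"))
        print("  client absent from data source:", decide(PLUGINS, anon, "rogue", "anything"))
```

The third case is the one the production warning above is about: with allow_anonymous = true, a client that simply does not appear in any data source is admitted, because every plug-in returns ignore rather than deny.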

# etc/plugins/emqx_auth_mysql.conf

## No salt, hash only
auth.mysql.password_hash = sha256

## salt prefix: sha256 of the concatenated string salt + password
auth.mysql.password_hash = salt,sha256

## salt suffix: sha256 of the concatenated string password + salt
auth.mysql.password_hash = sha256,salt

## pbkdf2 with macfun iterations dklen
## macfun: md4, md5, ripemd160, sha, sha224, sha256, sha384, sha512
## auth.mysql.password_hash = pbkdf2,sha256,1000,20

How to generate authentication information

  1. Assign a user name, Client ID, password, salt and any other required information to each client.

  2. Process the client's password with the same salting rule and hashing method configured for MySQL authentication to obtain the ciphertext.

  3. Write the client information into the database; the stored client password must be the ciphertext, not the plaintext.
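The three steps above, together with the auth.mysql.password_hash settings listed in the plug-in configuration, worked through in Python. This is an added example, not code from EMQ X or the original post. It assumes the stored ciphertext is a lowercase hex digest, that the macfun name sha denotes SHA-1, and the column names username/clientid/password/salt are illustrative rather than the plug-in's schema; md4 and ripemd160 are left out because many hashlib builds do not provide them.

```python
import hashlib
import hmac
import secrets

# Map the hash names used in auth.mysql.password_hash to hashlib names.
# Assumption: "sha" means SHA-1, as in the Erlang crypto naming.
HASH_NAMES = {
    "md5": "md5",
    "sha": "sha1",
    "sha224": "sha224",
    "sha256": "sha256",
    "sha384": "sha384",
    "sha512": "sha512",
}


def hash_password(password: str, salt: str, password_hash: str) -> str:
    """Hash a plaintext password according to one auth.mysql.password_hash value.

    Supported forms, all taken from the config comments:
      "<algo>"                            hash only, salt unused
      "salt,<algo>"                       hash(salt + password)
      "<algo>,salt"                       hash(password + salt)
      "pbkdf2,<macfun>,<iterations>,<dklen>"
    Returns a lowercase hex digest (assumption: that is the stored form).
    """
    parts = password_hash.split(",")
    if parts[0] == "pbkdf2":
        if len(parts) != 4:
            raise ValueError("pbkdf2 needs macfun,iterations,dklen")
        _, macfun, iterations, dklen = parts
        derived = hashlib.pbkdf2_hmac(HASH_NAMES[macfun], password.encode(),
                                      salt.encode(), int(iterations), int(dklen))
        return derived.hex()
    if len(parts) == 1:                               # plain hash
        algo, material = parts[0], password
    elif len(parts) == 2 and parts[0] == "salt":      # salt prefix
        algo, material = parts[1], salt + password
    elif len(parts) == 2 and parts[1] == "salt":      # salt suffix
        algo, material = parts[0], password + salt
    else:
        raise ValueError(f"unsupported password_hash setting: {password_hash}")
    return hashlib.new(HASH_NAMES[algo], material.encode()).hexdigest()


def make_credential(username: str, clientid: str, password: str,
                    password_hash: str) -> dict:
    """Steps 1-3: assign a random per-client salt, hash the password with the
    configured rule, and return the row to write into the database
    (column names are illustrative, not the plug-in's schema)."""
    salt = secrets.token_hex(8)
    return {
        "username": username,
        "clientid": clientid,
        "salt": salt,
        "password": hash_password(password, salt, password_hash),
    }


def verify_password(row: dict, presented: str, password_hash: str) -> bool:
    """What the plug-in does on CONNECT: hash the presented password with the
    stored salt and compare it with the stored ciphertext in constant time."""
    candidate = hash_password(presented, row["salt"], password_hash)
    return hmac.compare_digest(candidate, row["password"])


if __name__ == "__main__":
    setting = "salt,sha256"
    row = make_credential("device-001", "client-001", "correct horse", setting)
    print(row)
    print(verify_password(row, "correct horse", setting))
    print(verify_password(row, "wrong", setting))
```

Run it with the same password_hash string you put in etc/plugins/emqx_auth_mysql.conf; if the generation tool and the plug-in disagree on prefix versus suffix, every login fails even though the plaintext is right, which is the usual cause of "authentication failed" after a migration.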


Source: blog.csdn.net/cz_00001/article/details/132474213