Sometimes it is necessary to use different security extensions for different listeners, for example when you were using the File RBAC (open source) security extension and then upgraded to the Enterprise Security Extension (ESE).

...

The priority setting in the hivemq-extension.xml file determines the order in which HiveMQ executes extension callbacks. The extension with the lowest priority executes last.

Documentation: learn more about extension priorities in the HiveMQ documentation.

Instructions

...

  1. Configure different listeners in the broker's config.xml, one for the File RBAC Extension and one for the ESE:

     ```xml
     <hivemq>

         <listeners>
             <tcp-listener>
                 <name>file-rbac-listener</name>
                 <port>1883</port>
                 <bind-address>0.0.0.0</bind-address>
             </tcp-listener>
             <tcp-listener>
                 <name>ese-listener</name>
                 <port>1884</port>
                 <bind-address>0.0.0.0</bind-address>
             </tcp-listener>
         </listeners>
         <!-- ... remaining broker configuration unchanged ... -->
     </hivemq>
     ```
  2. Enable the security extensions and make sure to disable the Allow All Extension.
     Disable the Allow All Extension:

     ```bash
     # a DISABLED marker file in the extension folder keeps HiveMQ from loading it
     touch extensions/hivemq-allow-all-extension/DISABLED
     ```

     Enable the File RBAC and Enterprise Security extensions:

     ```bash
     # removing the marker files enables both security extensions
     rm extensions/hivemq-file-rbac-extension/DISABLED
     rm extensions/hivemq-enterprise-security-extension/DISABLED
     ```
  3. Update the Enterprise Security Extension's priority so that the File RBAC Extension's priority is higher than the Enterprise Security Extension's.
     hivemq-enterprise-security-extension/hivemq-extension.xml:

     ```xml
     <?xml version="1.0" encoding="UTF-8" ?>
     <hivemq-extension>
         <id>hivemq-enterprise-security-extension</id>
         <version>4.9.2</version>
         <name>HiveMQ Enterprise Security Extension</name>
         <author>HiveMQ</author>
         <priority>1000</priority>
         <start-priority>1000</start-priority>
     </hivemq-extension>
     ```

     hivemq-file-rbac-extension/hivemq-extension.xml:

     ```xml
     <?xml version="1.0" encoding="UTF-8" ?>
     <hivemq-extension>
         <id>hivemq-file-rbac-extension</id>
         <version>4.5.3</version>
         <name>HiveMQ File Role-Based Access Control Extension</name>
         <author>HiveMQ</author>
         <priority>1001</priority>
         <start-priority>10000</start-priority>
     </hivemq-extension>
     ```
  4. Configure the File RBAC Extension for the file-rbac-listener (port 1883).
     hivemq-file-rbac-extension/extension-config.xml:

     ```xml
     <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
     <extension-configuration>
         <credentials-reload-interval>60</credentials-reload-interval>

         <!-- only connections on this listener are handled by the File RBAC Extension -->
         <listener-names>
             <listener-name>file-rbac-listener</listener-name>
         </listener-names>

         <password-type>HASHED</password-type>
     </extension-configuration>
     ```
  5. Configure the Enterprise Security Extension for the ese-listener (port 1884).
     hivemq-enterprise-security-extension/conf/enterprise-security-extension.xml:

     ```xml
     <?xml version="1.0" encoding="UTF-8" ?>
     <enterprise-security-extension
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:noNamespaceSchemaLocation="enterprise-security-extension.xsd"
             version="1">

         <pipelines>
             <listener-pipeline listener="ese-listener">
                 <authentication-preprocessors>
                     <!-- Print debug message -->
                     <logging-preprocessor>
                         <message>----------- This is ese-listener ---------------------</message>
                         <level>debug</level>
                         <name>com.example.logger</name>
                     </logging-preprocessor>
                 </authentication-preprocessors>
                 <!-- Authenticate all connections -->
                 <allow-all-authentication-manager/>
                 <!-- Authorize all connections -->
                 <allow-all-authorization-manager/>
             </listener-pipeline>
         </pipelines>
     </enterprise-security-extension>
     ```

  6. For testing, it is helpful to set the broker's log level to DEBUG:

     ```bash
     cd $HIVEMQ_HOME
     cp conf/examples/logging/debug/logback.xml conf/logback.xml
     ```
  7. Start the broker:

     ```bash
     export HIVEMQ_HOME=my/path/to/hivemq
     $HIVEMQ_HOME/bin/run.sh
     ```
  8. Test your configuration.

    1. Start the MQTT CLI command line client in shell mode:

       ```bash
       # the mqtt executable ships with the HiveMQ distribution under tools/mqtt-cli/bin
       $HIVEMQ_HOME/tools/mqtt-cli/bin/mqtt shell
       ```
    2. Connect to the listener on port 1883, which should authenticate and authorize via the File RBAC Extension:

       ```bash
       mqtt> connect --port 1883 --identifier MyClientToFileRBAC \
         --user user1 --password pass1
       ```

       If the client connects, it has been authenticated and authorized. Otherwise, the client receives a NOT_AUTHORIZED error message.

    3. Connect to the listener on port 1884, which should authenticate and authorize via the Enterprise Security Extension:

       ```bash
       mqtt> connect --port 1884 --identifier MyClientToESE \
         --user user1 --password pass1
       ```

       The broker's output is logged (if the log level is DEBUG) to $HIVEMQ_HOME/log/hivemq.log.
       The client's permissions are logged to $HIVEMQ_HOME/log/access/access.log.
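The steps above leave several files that have to agree with each other: the listener names in config.xml, the listener names each security extension claims, the relative priorities in the two hivemq-extension.xml descriptors, and the DISABLED marker files. A mismatch (for example a File RBAC extension-config.xml still pointing at an old listener name) silently leaves a listener without any authentication handler. The following script is added here as an example and is not HiveMQ's own tooling; it parses constructed copies of those files, modelled on the snippets in this article, and reports inconsistencies. The file layout and the sample contents are assumptions.

```python
"""Consistency checks for a HiveMQ split-listener security setup (added example)."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample configs mirroring the article's snippets (trimmed to the relevant elements).
CONFIG_XML = """<hivemq>
  <listeners>
    <tcp-listener><name>file-rbac-listener</name><port>1883</port><bind-address>0.0.0.0</bind-address></tcp-listener>
    <tcp-listener><name>ese-listener</name><port>1884</port><bind-address>0.0.0.0</bind-address></tcp-listener>
  </listeners>
</hivemq>"""

FILE_RBAC_CONFIG = """<extension-configuration>
  <credentials-reload-interval>60</credentials-reload-interval>
  <listener-names><listener-name>file-rbac-listener</listener-name></listener-names>
  <password-type>HASHED</password-type>
</extension-configuration>"""

ESE_CONFIG = """<enterprise-security-extension version="1">
  <pipelines>
    <listener-pipeline listener="ese-listener">
      <allow-all-authentication-manager/>
      <allow-all-authorization-manager/>
    </listener-pipeline>
  </pipelines>
</enterprise-security-extension>"""

FILE_RBAC_DESCRIPTOR = "<hivemq-extension><id>hivemq-file-rbac-extension</id><priority>1001</priority></hivemq-extension>"
ESE_DESCRIPTOR = "<hivemq-extension><id>hivemq-enterprise-security-extension</id><priority>1000</priority></hivemq-extension>"


def configured_listeners(config_xml):
    """Return {listener name: port} for every tcp-listener in the broker's config.xml."""
    root = ET.fromstring(config_xml)
    return {lst.findtext("name"): int(lst.findtext("port")) for lst in root.iter("tcp-listener")}


def file_rbac_listeners(cfg):
    """Listener names the File RBAC Extension is configured to handle."""
    return {e.text.strip() for e in ET.fromstring(cfg).iter("listener-name")}


def ese_listeners(cfg):
    """Listener names that have a listener-pipeline in the ESE configuration."""
    return {p.get("listener") for p in ET.fromstring(cfg).iter("listener-pipeline")}


def priority(descriptor_xml):
    """The <priority> value of a hivemq-extension.xml descriptor."""
    return int(ET.fromstring(descriptor_xml).findtext("priority"))


def check_listener_coverage(config_xml, file_rbac_cfg, ese_cfg):
    """Return a list of problems: unknown, unprotected, or doubly-claimed listeners."""
    listeners = set(configured_listeners(config_xml))
    rbac, ese = file_rbac_listeners(file_rbac_cfg), ese_listeners(ese_cfg)
    problems = []
    for name in sorted((rbac | ese) - listeners):
        problems.append(f"security extension references unknown listener {name!r}")
    for name in sorted(listeners - (rbac | ese)):
        problems.append(f"listener {name!r} is not covered by any security extension")
    for name in sorted(rbac & ese):
        problems.append(f"listener {name!r} is claimed by both extensions")
    return problems


def check_priorities(file_rbac_descriptor, ese_descriptor):
    """The lowest priority executes last, so File RBAC must have the higher value to run first."""
    return priority(file_rbac_descriptor) > priority(ese_descriptor)


def check_extension_states(extensions_dir):
    """Allow-all must carry a DISABLED marker; the two security extensions must not."""
    def disabled(ext):
        return os.path.exists(os.path.join(extensions_dir, ext, "DISABLED"))
    return (disabled("hivemq-allow-all-extension")
            and not disabled("hivemq-file-rbac-extension")
            and not disabled("hivemq-enterprise-security-extension"))


def demo_extension_dir():
    """Build a constructed extensions/ tree in a temp dir, as left by the article's touch/rm steps."""
    base = tempfile.mkdtemp()
    for ext in ("hivemq-allow-all-extension", "hivemq-file-rbac-extension",
                "hivemq-enterprise-security-extension"):
        os.makedirs(os.path.join(base, ext))
    open(os.path.join(base, "hivemq-allow-all-extension", "DISABLED"), "w").close()
    return base


if __name__ == "__main__":
    print(check_listener_coverage(CONFIG_XML, FILE_RBAC_CONFIG, ESE_CONFIG))
    print(check_priorities(FILE_RBAC_DESCRIPTOR, ESE_DESCRIPTOR))
    print(check_extension_states(demo_extension_dir()))
```

To run it against a real installation, read the five files from $HIVEMQ_HOME instead of the inline strings; the checks themselves do not change. The coverage check is the one that catches the typical upgrade mistake: if the File RBAC extension-config.xml still names the pre-upgrade listener, it reports both an unknown listener reference and an uncovered listener.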

Info

For maximally verbose information about all incoming and outgoing MQTT messages and all their attributes, install the MQTT Message Log Extension: https://www.hivemq.com/extension/mqtt-message-log-extension/

Do not enable the MQTT Message Log Extension in production, as it produces a huge amount of output and logs that can consume all free disk space very quickly.

...
