Using File RBAC and Enterprise security extension together

Sometimes it is necessary to use different security extensions for different listeners. For example, when you were using File RBAC (open source) security extension and then upgraded to Enterprise Security extension.

HiveMQ supports using the File RBAC extension for one listener and the Enterprise Security Extension for another listener. However, it is important, that the extension priority of the File RBAC extension is higher than the priority of the ESE.

The priority setting in the hivemq-extension.xml file determines the order in which HiveMQ executes extension callbacks. The extension with the lowest priority executes last.

Learn more about Extension's Priorities.

 Instructions

  1. Configure different listeners in the broker’s config.xml, one for the File RBAC and one for the ESE

    <hivemq> <listeners> <tcp-listener> <name>file-rbac-listener</name> <port>1883</port> <bind-address>0.0.0.0</bind-address> </tcp-listener> <tcp-listener> <name>ese-listener</name> <port>1884</port> <bind-address>0.0.0.0</bind-address> </tcp-listener> </listeners> ...
  2. Enable security extensions and make sure to disable the Allow All Extension.
    Disable the Allow All Extension:

    touch extensions/hivemq-allow-all-extension/DISABLED

    Enable File RBAC and Enterprise Security extensions:

    rm extensions/hivemq-file-rbac-extension/DISABLED rm extensions/hivemq-enterprise-security-extension/DISABLED
  3. Update Enterprise Security Extension’s priority so that File RBAC Extension’s priority is higher.
    hivemq-enterprise-security-extension/hivemq-extension.xml:

    hivemq-file-rbac-extension/hivemq-extension.xml:

  4. Configure the file-rbac-extension for the file-rbac-listener.
    hivemq-file-rbac-extension/extension-config.xml

  5. Configure the Enterprise Security Extension for the tcp-listener-1884.
    hivemq-enterprise-security-extension/conf/enterprise-security-extension.xml

     

  6. To test, it is helpful to have the broker’s log level DEBUG:

  7. Start the broker

  8. Test your configuration.

    1. Start the MQTT-CLI command line client in the Shell mode:

    2. Connect to port 1883, which should authenticate and authorize via File RBAC Extension:

      If the client is connected, it indicates it is authenticated and authorized. Otherwise, the client will receive a NOT_AUTHORIZED error message.

    3. Connect to port 1884, which should authenticate and authorize via File RBAC Extension

      The broker’s output will be logged (if the log level is DEBUG) to the $HIVEMQ_HOME/log/hivemq.log.
      Client’s permissions will be logged to the $HIVEMQ_HOME/log/access/access.log.

For maximal verbose information about all incoming and outgoing MQTT messages and all their attributes, install MQTT Message Log Extension: HiveMQ Extension - MQTT Message Log

Do not enable MQTT Message Log Extension in production, as it produces a huge amount of output and logs that can consume all free disk space very quickly.

 Related articles