
Sometimes it is necessary to use different security extensions for different listeners, for example when you have been using the open-source File RBAC extension and are migrating to the Enterprise Security Extension (ESE).

HiveMQ supports using the File RBAC extension for one listener and the Enterprise Security Extension for another. However, the extension priority of the File RBAC extension must be higher than the priority of the ESE.

The priority setting in an extension's hivemq-extension.xml determines the order in which HiveMQ executes the extensions' callbacks: the extension with the highest priority runs first, the one with the lowest priority runs last. The File RBAC extension only decides on clients that connect through the listeners named in its extension-config.xml and hands every other connection on to the next extension, so it has to run first; the ESE then only sees the connections the File RBAC extension did not decide.


Instructions

  1. Configure two listeners in the broker's config.xml, one for the File RBAC extension and one for the ESE. The extension configurations below refer to the listeners by the names HiveMQ assigns when no <name> element is given, tcp-listener-1883 and tcp-listener-1884; if you name the listeners yourself, use those names in steps 4 and 5 instead.

    <hivemq>
    
        <listeners>
            <tcp-listener>
                <port>1883</port>
                <bind-address>0.0.0.0</bind-address>
            </tcp-listener>
            <tcp-listener>
                <port>1884</port>
                <bind-address>0.0.0.0</bind-address>
            </tcp-listener>
        </listeners>
    ...
  2. Enable the two security extensions and disable the allow-all extension. The paths are relative to $HIVEMQ_HOME; an extension is disabled whenever a file named DISABLED exists in its folder:

    #disable
    touch extensions/hivemq-allow-all-extension/DISABLED
    #enable
    rm -f extensions/hivemq-file-rbac-extension/DISABLED
    rm -f extensions/hivemq-enterprise-security-extension/DISABLED
  3. Update the extension priorities so that the file-rbac-extension's priority is higher than the enterprise-security-extension's. Only <priority> matters for the callback order; <start-priority> controls the order in which the extensions are started and may stay as shipped.
    hivemq-enterprise-security-extension/hivemq-extension.xml:

    <?xml version="1.0" encoding="UTF-8" ?>
    <hivemq-extension>
        <id>hivemq-enterprise-security-extension</id>
        <version>4.9.2</version>
        <name>HiveMQ Enterprise Security Extension</name>
        <author>HiveMQ</author>
        <priority>1000</priority>
        <start-priority>1000</start-priority>
    </hivemq-extension>

    hivemq-file-rbac-extension/hivemq-extension.xml:

    <?xml version="1.0" encoding="UTF-8" ?>
    <hivemq-extension>
        <id>hivemq-file-rbac-extension</id>
        <version>4.5.3</version>
        <name>HiveMQ File Role Based Access Control Extension</name>
        <author>HiveMQ</author>
        <priority>1001</priority>
        <start-priority>10000</start-priority>
    </hivemq-extension>

  4. Configure the file-rbac-extension for tcp-listener-1883. The users, their roles and their passwords live in the extension's credentials.xml, which is not shown here; with <password-type>HASHED</password-type> the passwords in that file must be stored as hashes, not in clear text.
    hivemq-file-rbac-extension/extension-config.xml

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <extension-configuration>
        <credentials-reload-interval>60</credentials-reload-interval>
    
        <listener-names>
            <listener-name>tcp-listener-1883</listener-name>
        </listener-names>
    
        <password-type>HASHED</password-type>
    </extension-configuration>

  5. Configure the enterprise-security-extension for tcp-listener-1884. The pipeline below uses the allow-all authentication and authorization managers, so every client on port 1884 is accepted without credentials and may publish and subscribe anywhere. That is convenient for verifying the listener split, but it is a test configuration: before exposing port 1884, replace the allow-all managers with a real authentication and authorization backend.
    hivemq-enterprise-security-extension/conf/enterprise-security-extension.xml

    <?xml version="1.0" encoding="UTF-8" ?>
    <enterprise-security-extension
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:noNamespaceSchemaLocation="enterprise-security-extension.xsd"
            version="1">
    
        <pipelines>
    
            <listener-pipeline listener="tcp-listener-1884">
                <authentication-preprocessors>
                    <logging-preprocessor>
                        <message>----------- listener-pipeline "tcp-listener-1884"---------------------</message>
                        <level>debug</level>
                        <name>com.example.logger</name>
                    </logging-preprocessor>
                </authentication-preprocessors>
                <allow-all-authentication-manager/>
                <allow-all-authorization-manager/>
            </listener-pipeline>
           
        </pipelines>
    </enterprise-security-extension>

  6. For testing it is convenient to set the broker's log level to DEBUG:

    cd $HIVEMQ_HOME
    cp conf/examples/logging/debug/logback.xml conf/logback.xml
  7. Start the broker

    export HIVEMQ_HOME=my/path/to/hivemq
    $HIVEMQ_HOME/bin/run.sh
  8. Test your configuration.

    1. Start the MQTT CLI that ships with HiveMQ in shell mode:

      $HIVEMQ_HOME/tools/mqtt-cli/bin/mqtt shell
    2. To connect to listener 1883 and be authenticated and authorized by the file-rbac-extension, specify --port 1883 and the credentials of a user defined in the File RBAC credentials.xml with --user and --password:

      mqtt> connect --port 1883 --identifier client1883 \
        --user user1 --password pass1

      If the client connects, the File RBAC extension authenticated it; what it may publish and subscribe to is then decided per operation by the roles of that user. With wrong or missing credentials the connection is rejected and the client prints a NOT_AUTHORIZED error message.

    3. To connect to listener 1884, which with the allow-all pipeline above accepts any client without credentials:

      mqtt> connect --port 1884 --identifier client1884

      The broker's output, including the logging-preprocessor message from the ESE pipeline, is logged (at log level DEBUG) to $HIVEMQ_HOME/log/hivemq.log.
      The client's permissions are logged to $HIVEMQ_HOME/log/access/access.log.
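Before starting the broker it is worth checking that the files from steps 2 to 5 actually satisfy the preconditions this page relies on. The following script is an added example, not part of HiveMQ or of either extension: it reads the extension folders under a HiveMQ home directory and verifies that the allow-all extension is disabled, that both security extensions are enabled, that the File RBAC <priority> is higher than the ESE's, and that no listener is claimed by both extensions. It also warns when the ESE pipeline still uses allow-all-authentication-manager. The function names and the plain sed-based XML parsing are this example's own choices; the parsing is only meant for the small, flat configuration files shown above.

```shell
#!/bin/sh
# Example check script (not part of HiveMQ or its extensions): verifies the
# File RBAC / ESE listener split described above.
# Usage: sh check-security-split.sh $HIVEMQ_HOME

# Print the integer value of the first flat <TAG>N</TAG> element in a file.
# Plain sed is enough for the small hivemq-extension.xml files shown on this page.
xml_int() { # xml_int FILE TAG
    sed -n "s/.*<$2>[[:space:]]*\([0-9][0-9]*\)[[:space:]]*<\/$2>.*/\1/p" "$1" | head -n 1
}

# Print the listener names an extension configuration claims, one per line.
# File RBAC uses <listener-name>X</listener-name>, the ESE <listener-pipeline listener="X">.
listeners_of() { # listeners_of FILE
    sed -n 's/.*<listener-name>[[:space:]]*\([^<[:space:]]*\)[[:space:]]*<\/listener-name>.*/\1/p
            s/.*<listener-pipeline[^>]*listener="\([^"]*\)".*/\1/p' "$1"
}

# check_layout HIVEMQ_HOME: returns 0 when every precondition holds, 1 otherwise.
check_layout() {
    ext="$1/extensions"
    rbac="$ext/hivemq-file-rbac-extension"
    ese="$ext/hivemq-enterprise-security-extension"
    rc=0

    # 1. allow-all must be disabled (or removed); both security extensions must be enabled.
    if [ -d "$ext/hivemq-allow-all-extension" ] && [ ! -e "$ext/hivemq-allow-all-extension/DISABLED" ]; then
        echo "FAIL: hivemq-allow-all-extension is still enabled"; rc=1
    fi
    for e in "$rbac" "$ese"; do
        if [ ! -d "$e" ] || [ -e "$e/DISABLED" ]; then
            echo "FAIL: $(basename "$e") is missing or disabled"; rc=1
        fi
    done

    # 2. File RBAC must run first, i.e. it needs the higher <priority>.
    rbac_prio=$(xml_int "$rbac/hivemq-extension.xml" priority)
    ese_prio=$(xml_int "$ese/hivemq-extension.xml" priority)
    if [ -z "$rbac_prio" ] || [ -z "$ese_prio" ]; then
        echo "FAIL: could not read <priority> from both hivemq-extension.xml files"; rc=1
    elif [ "$rbac_prio" -le "$ese_prio" ]; then
        echo "FAIL: File RBAC priority $rbac_prio must be higher than ESE priority $ese_prio"; rc=1
    fi

    # 3. Each extension must name at least one listener, and no listener may be claimed twice.
    rbac_l=$(listeners_of "$rbac/extension-config.xml")
    ese_l=$(listeners_of "$ese/conf/enterprise-security-extension.xml")
    [ -n "$rbac_l" ] || { echo "FAIL: File RBAC extension-config.xml names no listener"; rc=1; }
    [ -n "$ese_l" ]  || { echo "FAIL: ESE configuration has no listener-pipeline"; rc=1; }
    for l in $rbac_l; do
        for m in $ese_l; do
            if [ "$l" = "$m" ]; then
                echo "FAIL: listener $l is claimed by both extensions"; rc=1
            fi
        done
    done

    # 4. Not an error, but worth a warning: an open pipeline on the ESE listener.
    if grep -q '<allow-all-authentication-manager' "$ese/conf/enterprise-security-extension.xml" 2>/dev/null; then
        echo "WARN: ESE pipeline uses allow-all-authentication-manager (test configuration only)"
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: File RBAC (priority $rbac_prio) decides: $rbac_l"
        echo "OK: ESE (priority $ese_prio) decides: $ese_l"
    fi
    return "$rc"
}

# Run the check when invoked directly with a HiveMQ home directory.
if [ "$#" -eq 1 ]; then
    check_layout "$1" || exit 1
fi
```

Run it as sh check-security-split.sh $HIVEMQ_HOME after step 5; a non-zero exit code means one of the FAIL lines above applies and the broker should not be started until it is fixed.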

For maximal verbosity about all incoming and outgoing MQTT messages and their attributes, install the HiveMQ MQTT Message Log Extension: https://www.hivemq.com/extension/mqtt-message-log-extension/

Use it only in a test environment: it produces a huge amount of output, and the logs can fill all free disk space very quickly.
