Using File RBAC and Enterprise security extension together

Sometimes it is necessary to use different security extensions for different listeners. A typical case is a broker that has been authenticating clients with the open-source File RBAC extension and is now being migrated to the Enterprise Security Extension (ESE), where existing clients keep using the File RBAC listener while new clients are moved to the ESE listener.

HiveMQ supports running the File RBAC extension for one listener and the Enterprise Security Extension for another. However, it is important that the extension priority of the File RBAC extension is higher than the priority of the ESE, so that the File RBAC callbacks run first and only connections it does not handle reach the ESE.

The priority setting in each extension's hivemq-extension.xml file determines the order in which HiveMQ executes extension callbacks: the extension with the highest priority runs first, and the extension with the lowest priority runs last.

Learn more about extension priorities in the HiveMQ extension documentation.

 Instructions

  1. Configure different listeners in the broker’s config.xml, one for the File RBAC and one for the ESE

    <hivemq>
      <listeners>
        <tcp-listener>
          <name>file-rbac-listener</name>
          <port>1883</port>
          <bind-address>0.0.0.0</bind-address>
        </tcp-listener>
        <tcp-listener>
          <name>ese-listener</name>
          <port>1884</port>
          <bind-address>0.0.0.0</bind-address>
        </tcp-listener>
      </listeners>
      ...
  2. Enable security extensions and make sure to disable the Allow All Extension.
    Disable the Allow All Extension:

    touch extensions/hivemq-allow-all-extension/DISABLED

    Enable File RBAC and Enterprise Security extensions:

    rm extensions/hivemq-file-rbac-extension/DISABLED
    rm extensions/hivemq-enterprise-security-extension/DISABLED
  3. Update Enterprise Security Extension’s priority so that File RBAC Extension’s priority is higher.
    hivemq-enterprise-security-extension/hivemq-extension.xml:

    <?xml version="1.0" encoding="UTF-8" ?>
    <hivemq-extension>
      <id>hivemq-enterprise-security-extension</id>
      <version>4.9.2</version>
      <name>HiveMQ Enterprise Security Extension</name>
      <author>HiveMQ</author>
      <priority>1000</priority>
      <start-priority>1000</start-priority>
    </hivemq-extension>

    hivemq-file-rbac-extension/hivemq-extension.xml:

    <?xml version="1.0" encoding="UTF-8" ?>
    <hivemq-extension>
      <id>hivemq-file-rbac-extension</id>
      <version>4.5.3</version>
      <name>HiveMQ File Role-Based Access Control Extension</name>
      <author>HiveMQ</author>
      <priority>1001</priority>
      <start-priority>10000</start-priority>
    </hivemq-extension>
  4. Configure the file-rbac-extension for the file-rbac-listener.
    hivemq-file-rbac-extension/extension-config.xml

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <extension-configuration>
      <credentials-reload-interval>60</credentials-reload-interval>
      <listener-names>
        <listener-name>file-rbac-listener</listener-name>
      </listener-names>
      <password-type>HASHED</password-type>
    </extension-configuration>
  5. Configure the Enterprise Security Extension for the ese-listener (port 1884).
    hivemq-enterprise-security-extension/conf/enterprise-security-extension.xml

    <?xml version="1.0" encoding="UTF-8" ?>
    <enterprise-security-extension xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                   xsi:noNamespaceSchemaLocation="enterprise-security-extension.xsd"
                                   version="1">
      <pipelines>
        <listener-pipeline listener="ese-listener">
          <authentication-preprocessors>
            <!-- Print debug message -->
            <logging-preprocessor>
              <message>----------- This is ese-listener -----------</message>
              <level>debug</level>
              <name>com.example.logger</name>
            </logging-preprocessor>
          </authentication-preprocessors>
          <!-- Authenticate all connections -->
          <allow-all-authentication-manager/>
          <!-- Authorize all connections -->
          <allow-all-authorization-manager/>
        </listener-pipeline>
      </pipelines>
    </enterprise-security-extension>

    The allow-all authentication and authorization managers accept every client on the ese-listener. They are used here only to verify that the listener split works; replace them with the authentication and authorization managers you actually need before exposing the listener to real clients.
  6. For testing, it is helpful to set the broker's log level to DEBUG:

    cd $HIVEMQ_HOME
    cp conf/examples/logging/debug/logback.xml conf/logback.xml
  7. Start the broker

    export HIVEMQ_HOME=my/path/to/hivemq
    $HIVEMQ_HOME/bin/run.sh
  8. Test your configuration.

    1. Start the MQTT CLI that ships with HiveMQ in shell mode:

      $HIVEMQ_HOME/tools/mqtt-cli/bin/mqtt shell
    2. Connect to port 1883, which should authenticate and authorize via the File RBAC extension:

      mqtt> connect --port 1883 --identifier MyClientToFileRBAC --user user1 --password pass1

      A successful connection means the File RBAC extension authenticated the client (the user name and password must be defined in the File RBAC extension's credentials file). Otherwise, the client receives a NOT_AUTHORIZED reason code.

    3. Connect to port 1884, which should authenticate and authorize via the Enterprise Security Extension:

      mqtt> connect --port 1884 --identifier MyClientToESE --user user1 --password pass1

      Because the example pipeline uses the allow-all managers, this connection succeeds with any credentials. The logging preprocessor's "This is ese-listener" message is written to $HIVEMQ_HOME/log/hivemq.log (if the log level is DEBUG), which confirms that the ESE, not the File RBAC extension, handled the connection.
      The client's permissions are logged to $HIVEMQ_HOME/log/access/access.log.
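The procedure above has three things that silently break the split if they are wrong: the Allow All extension is still enabled, the File RBAC priority is not higher than the ESE priority, or a listener name in one of the extension configs does not match config.xml (or is claimed by both extensions). The following script checks all three before the broker is started. It is an added example, not part of this article or of either HiveMQ extension; it assumes the directory layout used above under $HIVEMQ_HOME (conf/config.xml, extensions/hivemq-file-rbac-extension/, extensions/hivemq-enterprise-security-extension/conf/), and the function and helper names (check_hivemq_layout, xml_value, xml_values) and the file name check_hivemq.sh are ours.

```shell
#!/bin/sh
# Pre-flight check for running File RBAC and the ESE on separate listeners.
# Added example, not part of the HiveMQ article or of either extension. Assumes the
# directory layout the article uses under $HIVEMQ_HOME. The names check_hivemq_layout,
# xml_value and xml_values are ours. Plain sh, sed and grep only; no XML parser needed.

# xml_value FILE TAG: print the text content of <TAG>...</TAG> (works for flattened or multi-line XML).
xml_value() {
    tr -d '\n' < "$1" | sed -n "s/.*<$2>\([^<]*\)<\/$2>.*/\1/p"
}

# xml_values FILE TAG: print the text content of every <TAG>...</TAG>, one per line.
xml_values() {
    tr -d '\n' < "$1" | grep -o "<$2>[^<]*</$2>" | sed "s/<$2>\(.*\)<\/$2>/\1/"
}

# check_hivemq_layout HIVEMQ_HOME: returns 0 when the setup is consistent, 1 otherwise.
check_hivemq_layout() {
    home="$1"
    ext="$home/extensions"
    fail=0

    # 1. The Allow All extension must be disabled, or every client is accepted regardless of the two extensions.
    if [ -f "$ext/hivemq-allow-all-extension/DISABLED" ]; then
        echo "OK   allow-all extension is disabled"
    else
        echo "FAIL allow-all extension is enabled: touch $ext/hivemq-allow-all-extension/DISABLED"
        fail=1
    fi

    # 2. File RBAC must run before the ESE, i.e. its <priority> must be strictly higher.
    rbac_prio=$(xml_value "$ext/hivemq-file-rbac-extension/hivemq-extension.xml" priority)
    ese_prio=$(xml_value "$ext/hivemq-enterprise-security-extension/hivemq-extension.xml" priority)
    if [ -n "$rbac_prio" ] && [ -n "$ese_prio" ] && [ "$rbac_prio" -gt "$ese_prio" ]; then
        echo "OK   File RBAC priority $rbac_prio is higher than ESE priority $ese_prio"
    else
        echo "FAIL File RBAC priority '$rbac_prio' must be higher than ESE priority '$ese_prio'"
        fail=1
    fi

    # 3. Every listener an extension claims must exist in config.xml, and no listener may be claimed by both.
    #    <name> is read from the whole config.xml; in the article's config the only <name> elements are listeners.
    listeners=$(xml_values "$home/conf/config.xml" name)
    rbac_listeners=$(xml_values "$ext/hivemq-file-rbac-extension/extension-config.xml" listener-name)
    ese_listeners=$(tr -d '\n' < "$ext/hivemq-enterprise-security-extension/conf/enterprise-security-extension.xml" \
        | grep -o 'listener-pipeline listener="[^"]*"' | sed 's/.*="\(.*\)"/\1/')
    for l in $rbac_listeners $ese_listeners; do
        if ! printf '%s\n' "$listeners" | grep -qx "$l"; then
            echo "FAIL listener '$l' is referenced by an extension but not defined in conf/config.xml"
            fail=1
        fi
    done
    for l in $rbac_listeners; do
        if printf '%s\n' "$ese_listeners" | grep -qx "$l"; then
            echo "FAIL listener '$l' is assigned to both File RBAC and the ESE"
            fail=1
        fi
    done
    if [ "$fail" -eq 0 ]; then
        echo "OK   listener assignment is consistent"
    fi
    return "$fail"
}

# Usage: sh check_hivemq.sh "$HIVEMQ_HOME"
if [ "$#" -gt 0 ]; then
    check_hivemq_layout "$1"
fi
```

Run it after step 5 and before starting the broker; a non-zero exit code with a FAIL line tells you which of the three conditions is violated. The check deliberately treats equal priorities as a failure, because "higher" in the article means strictly higher.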

For the most verbose view of all incoming and outgoing MQTT messages and their attributes, install the MQTT Message Log Extension: https://www.hivemq.com/extension/mqtt-message-log-extension/

Do not enable MQTT Message Log Extension in production, as it produces a huge amount of output and logs that can consume all free disk space very quickly.
