Using File RBAC and Enterprise security extension together
Sometimes it is necessary to use different security extensions for different listeners, for example when you have been using the open source File RBAC extension and then upgrade to the Enterprise Security Extension (ESE).
HiveMQ supports using the File RBAC extension for one listener and the Enterprise Security Extension for another. It is important, however, that the extension priority of the File RBAC extension is higher than the priority of the ESE, so that HiveMQ calls the File RBAC extension first.
The priority setting in the hivemq-extension.xml file determines the order in which HiveMQ executes extension callbacks: the extension with the highest priority executes first, and the extension with the lowest priority executes last.
Learn more about extension priorities.
Instructions
Configure different listeners in the broker's config.xml, one for the File RBAC extension and one for the ESE:
<hivemq>
    <listeners>
        <tcp-listener>
            <name>file-rbac-listener</name>
            <port>1883</port>
            <bind-address>0.0.0.0</bind-address>
        </tcp-listener>
        <tcp-listener>
            <name>ese-listener</name>
            <port>1884</port>
            <bind-address>0.0.0.0</bind-address>
        </tcp-listener>
    </listeners>
    ...
Enable the security extensions and make sure to disable the Allow All Extension (the commands below are run from $HIVEMQ_HOME).
Disable the Allow All Extension:
touch extensions/hivemq-allow-all-extension/DISABLED
Enable the File RBAC and Enterprise Security extensions:
rm extensions/hivemq-file-rbac-extension/DISABLED
rm extensions/hivemq-enterprise-security-extension/DISABLED
Update the Enterprise Security Extension's priority so that the File RBAC extension's priority is higher. The priority is set in each extension's descriptor:
hivemq-enterprise-security-extension/hivemq-extension.xml
hivemq-file-rbac-extension/hivemq-extension.xml
Configure the File RBAC extension for the file-rbac-listener in hivemq-file-rbac-extension/extension-config.xml.
Configure the Enterprise Security Extension for the ese-listener (the listener on port 1884) in hivemq-enterprise-security-extension/conf/enterprise-security-extension.xml.
For testing, it is helpful to set the broker's log level to DEBUG.
Start the broker.
Test your configuration.
Start the MQTT CLI command line client in shell mode:
Connect to port 1883, which should authenticate and authorize via the File RBAC extension:
If the client connects, it has been authenticated; otherwise it receives a NOT_AUTHORIZED error. Whether its publishes and subscribes are authorized is visible in the access log described below.
Connect to port 1884, which should authenticate and authorize via the Enterprise Security Extension:
The broker's output is logged (if the log level is DEBUG) to $HIVEMQ_HOME/log/hivemq.log.
The client's permissions are logged to $HIVEMQ_HOME/log/access/access.log.
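The file-system part of the procedure above (disabling the Allow All Extension, enabling both security extensions, and lowering the ESE priority below the File RBAC priority) as a shell script, with a check of the ordering rule the page requires before the broker is started. This is an added example, not part of the original page or of HiveMQ's own tooling: it runs against a constructed stand-in for $HIVEMQ_HOME that it creates itself, so it works offline; the hivemq-extension.xml contents and the priority values are sample data, not the values shipped with the extensions.

```shell
#!/bin/sh
# Added example: file-system steps 2 and 3 of the page's procedure, run against
# a constructed $HIVEMQ_HOME so it works offline. Extension directory names
# and the DISABLED marker are the ones the page uses; the descriptor contents
# and priorities below are constructed sample data, not shipped defaults.
set -eu

HIVEMQ_HOME="$(mktemp -d)"
EXT_DIR="$HIVEMQ_HOME/extensions"

# Write a minimal hivemq-extension.xml for one extension (constructed fixture).
make_fixture() {            # $1 = extension id, $2 = initial priority
    mkdir -p "$EXT_DIR/$1"
    cat > "$EXT_DIR/$1/hivemq-extension.xml" <<EOF
<?xml version="1.0" encoding="UTF-8" ?>
<hivemq-extension>
    <id>$1</id>
    <name>$1 (sample)</name>
    <version>0.0.0-sample</version>
    <priority>$2</priority>
    <author>sample</author>
</hivemq-extension>
EOF
}

# HiveMQ skips an extension directory that contains a DISABLED marker file.
disable_extension() { touch "$EXT_DIR/$1/DISABLED"; }
enable_extension()  { rm -f "$EXT_DIR/$1/DISABLED"; }
is_enabled()        { [ ! -e "$EXT_DIR/$1/DISABLED" ]; }

get_priority() {            # prints the <priority> value of an extension
    sed -n 's#.*<priority>\([0-9][0-9]*\)</priority>.*#\1#p' \
        "$EXT_DIR/$1/hivemq-extension.xml"
}

set_priority() {            # $1 = extension id, $2 = new priority (portable sed)
    f="$EXT_DIR/$1/hivemq-extension.xml"
    sed "s#<priority>[0-9]*</priority>#<priority>$2</priority>#" "$f" > "$f.tmp"
    mv "$f.tmp" "$f"
}

# The rule from the page: File RBAC needs the higher priority so that HiveMQ
# calls it before the ESE. Returns 0 when that holds, 1 otherwise.
check_priority_order() {
    rbac=$(get_priority hivemq-file-rbac-extension)
    ese=$(get_priority hivemq-enterprise-security-extension)
    [ "$rbac" -gt "$ese" ]
}

# Constructed starting state: all three extensions present and enabled, both
# security extensions at the same priority, which the check must reject.
make_fixture hivemq-allow-all-extension 1000
make_fixture hivemq-file-rbac-extension 1000
make_fixture hivemq-enterprise-security-extension 1000
# The page removes an existing DISABLED marker from each security extension;
# the fixture starts without one, and enable_extension is harmless either way.

# Step 2: Allow All off, both security extensions on.
disable_extension hivemq-allow-all-extension
enable_extension  hivemq-file-rbac-extension
enable_extension  hivemq-enterprise-security-extension

# Step 3: lower the ESE priority below File RBAC's (sample values).
set_priority hivemq-enterprise-security-extension 500

if check_priority_order; then
    echo "ok: file-rbac priority $(get_priority hivemq-file-rbac-extension)" \
         "> ese priority $(get_priority hivemq-enterprise-security-extension)"
else
    echo "misconfigured: ESE would run before File RBAC" >&2
fi
```

Run the check_priority_order function against your real installation by pointing EXT_DIR at $HIVEMQ_HOME/extensions instead of the temporary fixture; it fails on equal priorities as well as on inverted ones, since equal priorities do not give the File RBAC extension the first call the page requires.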
For maximally verbose information about all incoming and outgoing MQTT messages and all their attributes, install the MQTT Message Log Extension: https://www.hivemq.com/extension/mqtt-message-log-extension/
Do not enable MQTT Message Log Extension in production, as it produces a huge amount of output and logs that can consume all free disk space very quickly.