MongoDB Authentication/ACL

MongoDB Authentication/ACL uses an external MongoDB database as a data source, which can store a large amount of data and at the same time integrate with external device management systems.

Install MongoDB

Open the MongoDB download page at https://www.mongodb.com/try/download/community and select the version you need; here we use the macOS 4.4.1 version.


Start MongoDB after installation

Create module

Open the EMQX Dashboard, click the "Modules" tab on the left, and choose to add a module.


Select the MongoDB Authentication/ACL module.


Configure the MongoDB-related parameters.


After clicking Add, the module is added.


Authentication Collection

    {
      username: "user",
      password: "password hash",
      salt: "password salt",
      is_superuser: false,
      created: "2020-02-20 12:12:14"
    }

When performing authentication, EMQX fills the user-configured authentication query with the current client's information, executes it, and looks up that client's authentication data in the database.

MongoDB supports the configuration of collection names, authentication fields, authentication placeholders and other parameters.

| Configuration | Description |
| --- | --- |
| Authentication query collection | MongoDB collection used for the authentication query |
| Authentication query field name | Fields to query from the collection; separate multiple fields with commas, e.g. password,salt |
| Authentication condition field | Authentication query conditions; separate multiple conditions with commas, e.g. username=%u,clientid=%c |

You can use the following placeholders in the authentication query placeholders, and EMQX will automatically fill in the client information when executed:

- %u: username
- %c: clientid
- %C: TLS certificate common name (the certificate's domain or subdomain name), valid only for TLS connections
- %d: TLS certificate subject, valid only for TLS connections

You can adjust the authentication query according to your business needs, such as adding multiple query conditions and using database preprocessing functions to achieve more business-related functions. But in any case, the authentication query needs to meet the following conditions:

  1. The query result must contain the password field, which EMQX compares with the password sent by the client
  2. If the salting configuration is enabled, the query result must also contain the salt field, which EMQX uses as the salt value
  3. MongoDB uses the findOne command, so make sure the document you expect is the first result of the query

TIP

This is the collection structure used by the default configuration. Once you are familiar with the module, you can use any collection that meets the conditions above for authentication.

Access Control Collection

    {
      username: "username",
      clientid: "clientid",
      publish: ["topic1", "topic2", ...],
      subscribe: ["subtop1", "subtop2", ...],
      pubsub: ["topic/#", "topic1", ...]
    }

MongoDB ACL rules define publish, subscribe, and publish/subscribe (pubsub) topic lists; every rule in these lists is an allow rule.

Rule field description:

| Configuration | Description |
| --- | --- |
| Access control query collection | MongoDB collection used for the access control query |
| Access control query field name | Field to query from the collection |
| Access control condition field | Access control query conditions; AND and OR are supported. AND conditions are separated by commas, e.g. username=%u,clientid=%c; an OR requires multiple documents in the collection |

Super User Query

When performing ACL checks, EMQX fills the user-configured super user query with the current client's information and executes it to check whether the client is a super user. If the client is a super user, the ACL query is skipped. Multiple conditions in the same selector are combined with a MongoDB AND query:

    db.mqtt_user.find({
      "username": "wivwiv",
      "clientid": "$all"
    })

You can use the following placeholders in the query conditions, and EMQX will automatically fill in the client information when executed:

- %u: username
- %c: clientid

You can adjust the super user query according to your business needs, such as adding multiple query conditions and using database preprocessing functions to implement more business-related logic. In any case, the super user query must meet the following condition: the query result must include the is_superuser field, and is_superuser must be explicitly true. MongoDB supports configuring the collection name, query fields, query placeholders and other parameters.

| Configuration | Description |
| --- | --- |
| Super user query collection | MongoDB collection used for the super user query |
| Super user query field name | Field to query from the collection |
| Super user condition field | Super user query conditions; separate multiple conditions with commas, e.g. username=%u,clientid=%c |

TIP

MongoDB ACL rules must strictly use the data structure above. All rules added in the MongoDB ACL are allow rules, so they can be combined with acl_nomatch = deny in etc/emqx.conf to deny everything that is not explicitly allowed.
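The following is an added example (not EMQX's own code) that mirrors the ACL semantics described above: the super user query is run first, every rule in the publish, subscribe and pubsub lists is an allow rule matched with standard MQTT topic-filter rules, and a client with no matching rule falls back to acl_nomatch. The documents, the client names and the assumed condition field username=%u,clientid=%c are all constructed for illustration.

```python
# Constructed sample documents in the page's ACL collection layout (not real data).
ACL_DOCS = [
    {"username": "sensor01", "clientid": "c-01",
     "publish": ["sensors/sensor01/data"],
     "subscribe": ["cmd/sensor01"],
     "pubsub": ["status/#"]},
]
# Constructed sample of the authentication collection, used by the super user query.
USER_DOCS = [
    {"username": "sensor01", "is_superuser": False},
    {"username": "admin", "is_superuser": True},
]


def topic_matches(topic_filter: str, topic: str) -> bool:
    """Standard MQTT filter match: '+' matches one level, '#' matches the rest."""
    f_parts, t_parts = topic_filter.split("/"), topic.split("/")
    for i, part in enumerate(f_parts):
        if part == "#":
            return True
        if i >= len(t_parts) or (part != "+" and part != t_parts[i]):
            return False
    return len(f_parts) == len(t_parts)


def is_superuser(users, username: str) -> bool:
    """Super user query: findOne on username; is_superuser must be explicitly true."""
    doc = next((d for d in users if d["username"] == username), None)
    return doc is not None and doc.get("is_superuser") is True


def acl_allows(acl_docs, users, username, clientid, action, topic, acl_nomatch="deny"):
    """Return True if the client may `action` ('publish' or 'subscribe') on `topic`.

    Super users skip the ACL; every stored rule is an allow rule; a client with
    no matching rule falls back to the configured acl_nomatch value.
    """
    if is_superuser(users, username):
        return True
    # Assumed condition field "username=%u,clientid=%c": both must match (AND).
    for doc in acl_docs:
        if doc["username"] != username or doc["clientid"] != clientid:
            continue
        # pubsub rules apply to both actions.
        for rule in doc.get(action, []) + doc.get("pubsub", []):
            if topic_matches(rule, topic):
                return True
    return acl_nomatch == "allow"
```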

Encryption rules

    ## No salt, plain text
    plain
    ## No salt, hash only
    sha256
    ## Salt prefix: sha256 of the concatenated string salt + password
    salt,sha256
    ## Salt suffix: sha256 of the concatenated string password + salt
    sha256,salt
    ## pbkdf2 with macfun, iterations and dklen
    ## macfun: md4, md5, ripemd160, sha, sha224, sha256, sha384, sha512
    pbkdf2,sha256,1000,20

TIP

Refer to: Salt rules and hash methods.
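As an added example (not EMQX's own code), the function below produces the value to store in the password field of the authentication collection for each encryption rule listed above, and a findOne-style lookup shows how such a document is then checked. The password, salt and collection contents are constructed; it is an assumption, not stated on this page, that digests are stored as lowercase hex.

```python
import hashlib
import hmac


def password_hash(password: str, salt: str, rule: str) -> str:
    """Return the `password` field value for one of the page's encryption rules.

    rule: "plain", "sha256", "salt,sha256", "sha256,salt" or
          "pbkdf2,<macfun>,<iterations>,<dklen>" (e.g. "pbkdf2,sha256,1000,20").
    Assumption: hashes are stored hex-encoded.
    """
    parts = rule.split(",")
    if parts[0] == "pbkdf2":
        macfun, iterations, dklen = parts[1], int(parts[2]), int(parts[3])
        dk = hashlib.pbkdf2_hmac(macfun, password.encode(), salt.encode(), iterations, dklen)
        return dk.hex()
    if parts == ["plain"]:
        return password
    if len(parts) == 1:
        # No salt, hash only.
        return hashlib.new(parts[0], password.encode()).hexdigest()
    if parts[0] == "salt":
        # Salt prefix: hash(salt + password).
        return hashlib.new(parts[1], (salt + password).encode()).hexdigest()
    # Salt suffix: hash(password + salt).
    return hashlib.new(parts[0], (password + salt).encode()).hexdigest()


def authenticate(collection, username: str, password: str, rule: str) -> bool:
    """Mimic the default auth query: findOne on username, then compare password."""
    doc = next((d for d in collection if d["username"] == username), None)
    if doc is None:
        return False
    expected = password_hash(password, doc.get("salt", ""), rule)
    # Constant-time comparison so a wrong guess leaks nothing about the stored hash.
    return hmac.compare_digest(expected, doc["password"])


# Constructed sample: one client stored under the "salt,sha256" rule.
SAMPLE_RULE = "salt,sha256"
SAMPLE_USERS = [
    {"username": "dev1", "salt": "n0nce",
     "password": password_hash("s3cret", "n0nce", SAMPLE_RULE),
     "is_superuser": False},
]
```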