Redis

Redis authentication uses an external Redis database as the authentication data source, which can store a large amount of data and facilitate integration with external device management systems.

Plugin:

  1. emqx_auth_redis

TIP

The emqx_auth_redis lso includes ACL feature, which can be disabled via comments

To enable Redis authentication, you need to configure the following in etc/plugins/emqx_auth_redis.conf

Redis connection information

For Redis basic connection information, it needs to ensure that all nodes in the cluster can access.

  1. # etc/plugins/emqx_auth_redis.conf
  3. ## Server address
  4. auth.redis.server = 127.0.0.1:6379
  6. ## Connection pool size
  7. auth.redis.pool = 8
  9. auth.redis.database = 0
  11. auth.redis.password =

Default table structure

A hash table is used to store authentication data by default for Redis authentication, and mqtt_user: is used as the Redis key prefix. The data structure is as follows:

  1. redis> hgetall mqtt_user:emqx
  2.   password public
  3.   salt wivwiv

The sample data in the default configuration is as follows:

  1. HMSET mqtt_user:emqx password public salt wivwiv

After Redis authentication is enabled, you can connect with username: emqx, password: public.

TIP

This is the data structure used by default configuration. After being familiar with the use of the plugin, you can use any data structure that meets the conditions for authentication

Salting rules and hash methods

Redis authentication supports the configuration of salting rules and hash methods, and plaintext passwords are stored without processing by default:

  1. # etc/plugins/emqx_auth_redis.conf
  3. auth.redis.password_hash = plain

auth query cmd

During authentication, EMQX Broker will use the current client information to populate and execute the user-configured authentication query command to query the client’s authentication data in the Redis.

  1. # etc/plugins/emqx_auth_redis.conf
  3. auth.redis.auth_cmd = HMGET mqtt_user:%u password

You can use the following placeholders in the command, and EMQX Broker will be automatically populated with client information when executed:

  • %u:Username
  • %c:Client ID
  • %C:TLS certificate common name (the domain name or subdomain name of the certificate), valid only for TLS connections
  • %d:TLS certificate subject, valid only for TLS connections

You can adjust the authentication query command according to your business needs and use any Redis supported commandRedis - 图1 (opens new window). However, in any case, the authentication query command must meet the following conditions:

  1. The first data in the query result must be password. EMQX Broker will use this field to compare with the client password.
  2. If the salting configuration is enabled, the second data in the query result must be the salt field. EMQX Broker will use this field as the salt value.