mosquitto - 未经授权禁用订阅

时间:2016-12-12 07:30:14

标签: acl mqtt mosquitto

我正在使用带有tls-certificate的mosquitto版本1.4.10。我正在使用这个插件https://github.com/mbachry/mosquitto_pyauth来授权用户。它适用于mosquitto_pub(例如,当有人试图发布时,它首先得到模块的授权)。

然而,似乎mosquitto_sub能够在没有授权的情况下订阅任何内容。当有人试图以只读模式访问主题时,如何强制安全?

我浏览了mosquitto.conf文件,似乎无法找到与此相关的任何内容。

例如,我可以这样订阅:

mosquitto_sub --cafile /etc/mosquitto/ca.crt --cert /etc/mosquitto/client.crt --key /etc/mosquitto/client.key -h ubuntu -p 1883 -t c/# -d

能够看到来自某个发布商的消息,如下所示:

mosquitto_pub --cafile /etc/mosquitto/ca.crt --cert /etc/mosquitto/client.crt --key /etc/mosquitto/client.key -h ubuntu -p 1883 -t c/2/b/3/p/3/rt/13/r/123 -m 32 -q 1

我要做的是阻止mosquitto_sub在未经授权的情况下在根级别读取所有消息。

执行授权的python代码如下所示:( auth数据存储在cassandra db中)

import sys
import mosquitto_auth

from cassandra.cluster import Cluster
from cassandra import ConsistencyLevel


## program entry point from mosquitto...
def plugin_init(opts):
    global cluster, session, select_device_query
    conf = dict(opts)
    cluster = Cluster(['192.168.56.102'])
    session = cluster.connect('hub')
    select_device_query = session.prepare('SELECT * from devices where uid=?')
    select_device_query.consistency_level = ConsistencyLevel.QUORUM
    print 'Cassandra cluster initialized'


def acl_check(clientid, username, topic, access):

    device_data = session.execute(select_device_query, [username])

    if device_data.current_rows.__len__() > 0:
        device_data = device_data[0]
        # sample device data looks like this :
        # Row(uid=u'08:00:27:aa:8f:91', brand=3, company=2, device=15617, property=3, room=490, room_number=u'3511', room_type=13, stamp=datetime.datetime(2016, 12, 12, 6, 29, 54, 723000))
        subscribable_topic = 'c/' + str(device_data.company) \
                             + '/b/' + str(device_data.brand) \
                             + '/p/' + str(device_data.property) \
                             + '/rt/' + str(device_data.room_type) \
                             + '/r/' + str(device_data.room) \
                             + '/#'

        matches = mosquitto_auth.topic_matches_sub(subscribable_topic, topic)
        print 'ACL: user=%s topic=%s, matches = %s' % (username, topic, matches)
        return matches

    return False
当mosquitto_pub尝试连接时,

函数acl_check似乎总是被调用,但是当mosquitto_sub连接时从未调用过。 这个python模块背后的C代码在这里:https://github.com/mbachry/mosquitto_pyauth/blob/master/auth_plugin_pyauth.c

1 个答案:

答案 0 :(得分:0)

将以下内容添加到mosquitto.conf 

...
allow_anonymous false
...

这将阻止没有凭据的用户登录代理。

如果您希望未经身份验证的客户端能够查看某些主题,您还可以为anonymous用户添加acl规则。

相关问题
最新问题