mod-auth-xml Authentication and Acls plugin supported on XML files for MyQttd broker


Introduction to mod-auth-xml

Authentication support for MyQttD is delegated to auth backends that are registered at run-time via myqttd_users_register_backend

This module provides an authentication backend supported through xml-files. Its function is pretty simple. The module expects to find a configuration file users.xml inside the users-db directive associated to the domain that is being checked for activation/authentication.

Enabling mod-auth-xml

Don't forget to enable the module by running something like:

>> ln -s /etc/myqtt/mods-available/mod-auth-xml.xml /etc/myqtt/mods-enabled/mod-auth-xml.xml
>> service myqtt restart

Configuring mod-auth-xml

Let's suppose we have the following declaration inside your MyQttD configuration, located at the myqtt-domains section:

   <!--  simple declaration for a domain with a set of users
         (users-db) and where it is storing messages in transit
         (storage)  -->
   <domain use-settings="basic" 
           name="" />
   <!--  more domains declared  -->

Ok, assuming this configuration, inside the following directory /var/lib/myqtt-dbs/ you have to place a file called users.xml, hence a full path of:

Inside this directory, you have to follow the next example to declare users:

<myqtt-users password-format="plain" >
   <user id="test_01" />
   <user id="test_04" />
   <user password="differentpass" 
         id="test_02" />
   <user password="differentpass" 
         id="another-id-03" />

As you can see, you can declare allowed users following the next format:

It is very important to understand that you can configure just client-id by using the id declaration, or client-id + username + password. If you just configure username + password it will not work.

There is a declaration for password-format in the header:

This attr allows to configure the format expected for the password. Allowed values are:

It is possible to use same database for different domains.

Configuring anonymous login

mod-auth-xml also allows configure a MyQttd domain to work with anoymous login/connection scheme. Note that enabling this option will make the domain configured as such to "catch" all connections reached to this domain.

To configure anonymous support create a users.xml with the following format:

<myqtt-users anonymous="yes" />

Note that enabling this option will accept any connection reaching this domain no matter if it provides a user/password or not.

Configuring global acls for all users inside your domain

mod-auth-xml includes support to configure global acls and user level acls. Here is how it is declared a basic global acl configuration inside the users.xml file (see <global-acls> section):

<myqtt-users password-format="plain" >
   <!--  no-match-policy : close | discard | deny |  allow | ok  -->
   <!--  deny-action : close | discard | deny | allow | ok  -->
   <!--  when-to-apply : before | after  -->
   <global-acls when-to-apply="before" 
                no-match-policy="close" >
      <!--  mode : r rw r,w publish publish,subscribe, publish0, publish1, publish2  -->
      <acl mode="rw" topic="myqtt/allowed/topic" />
      <acl mode="rw" topic="myqtt/allowed/topic2" />
   <user id="test_05" />
   <user id="test_06" />
   <user id="" />
   <user id="" />

As you can see, there is a new <global-acls> section that includes different configurations and a list of acls that are applied one after another, with the following indications:

Here is the list of actions:

Then, either inside a <global-acls> or inside <user> —according to where you want the acl to be applied— you declare the <acl> node with the following attributes: