MQTT Security & ACL In-Depth for Mosquitto
Eric Hankinson, Software/Embedded/DevOps
#About Eric
• Member of LeanDog’s Design & Delivery Studio
• 18 years in IT: Sys Admin, Programming & Embedded
• XP in Automotive, Banking, Finance, E-Learning, and many other industries
• Spare time learning is Electrical & Mechanical Engineering. Why? Robots!
• Twitter: @kumichou Blog: erichankinson.com
The Thing
The Problem Domain
• Give students experience building an IoT “device” with Mobile, Web & Infrastructure too!
• Authenticate Users & Devices
• Authorize Topic Pub/Sub from Users & Devices
• Single source of truth for user accounts
The Parts…
• Web App
• Mobile App
• Lampi device
• Multiple Mosquitto Brokers
• Multiple MQTT Client Services
Django Web App
• Host web interface for controlling devices
• Manage authentication & authorization of Users and Devices
Mosquitto MQTT Brokers
• Brokers in both the Cloud & on each device
• Cloud broker has the CRL
• Cloud broker serves up MQTT traffic over Web Sockets
• Device broker manages multi-client traffic
mosquitto auth plug
• Provides a multi-provider backed way to provide Authentication & Authorization of MQTT messaging
Auth Calls from Mosquitto
• REST calls from Mosquitto Auth Plug have to be answered with HTTP Response Code of 200 or 403
#lolwhut
Bridging the Brokers
Using TLS for Authentication
• Using internal CA to generate Certs for each broker
• Must have common Root CA
• Cert must not appear in CRL
• Configuration can be confusing the first time…
TLS Endpoint on the Cloud
Lampi Broker Connection
• Now Lampi needs to be able to Authenticate itself via TLS certificate chain
• Mosquitto checks you at the door: no valid TLS cert, no entry!
• Used the MAC Address of Lampi as the Common Name in the TLS Cert. Helpful later
• OpenSSL errors are so not helpful…
Lampi TLS Bridge to Cloud
Configuring the Auth plug
Django App Routing
• Some routes were configured to only answer on loopback device
• This could be done in Nginx (web server) or via Python code
Auth plug Configuration
What about Web Sockets?
Mosquitto Web Sockets
Why Reuse the Mosquitto Cert?
• It was for convenience
• LetsEncrypt wasn’t ready yet
• Use the same TLS Cert for Nginx Web proxy with Web Sockets configuration
Web Sockets Authentication
• We needed a simple way to identify a Django user through the Mosquitto connection
• Settled on using the Django Auth Token UUID as the username for the Auth & Pub/Sub calls
Auth Calls from Mosquitto
• REST calls from Mosquitto Auth Plug have to be answered with HTTP Response Code of 200 or 403
Django Auth Responses
• Leveraged model of User to Device to determine if a User had specific access to Pub/Sub specific topics for their devices only
• Mosquitto only does ACL check(s) when a message is published, not on initial client connection!
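The two Django answers above (200/403 for the auth call, and the per-device topic ACL derived from the User to Device model) as an added example, not code from the talk or the LeanDog project: a plain-Python sketch of the handler logic, with the URL paths, form field names, access codes and the `devices/<mac>/...` topic layout all assumed. It also shows why the ACL answer, not the connection check, is what protects topics: a known token authenticates fine but is refused another user's device topic and any wildcard subscription.

```python
from urllib.parse import parse_qs

# Constructed stand-in for the Django User -> Device relation: the user's auth
# token UUID (used as the MQTT username) maps to the MAC addresses of the
# Lampi devices that user owns (the MAC is also the CN in the device cert).
USER_DEVICES = {
    "3f6a1c2e-0000-4000-8000-000000000001": {"b827ebaabbcc"},
    "3f6a1c2e-0000-4000-8000-000000000002": {"b827ebddeeff", "b827eb112233"},
}

# Assumed access codes posted by the auth plug's HTTP backend: 1 = read, 2 = write.
ACC_READ, ACC_WRITE = 1, 2


def check_user(username: str, password: str) -> int:
    """Answer for the auth call: 200 if the token is a known user, else 403.

    The token itself is the credential, so the password field is not used
    (assumption, matching the token-as-username scheme in the talk)."""
    return 200 if username in USER_DEVICES else 403


def device_of(topic: str):
    """Return the MAC from an assumed 'devices/<mac>/...' topic, else None.

    Wildcards ('+', '#') and other prefixes ('$SYS/...') yield None, so a
    subscription that would span several devices is refused by check_acl."""
    parts = topic.split("/")
    if len(parts) >= 3 and parts[0] == "devices" and parts[1] not in ("", "+", "#"):
        return parts[1]
    return None


def check_acl(username: str, topic: str, acc: int) -> int:
    """Answer for the ACL call: 200 only if the user owns the device in the topic."""
    devices = USER_DEVICES.get(username, set())
    mac = device_of(topic)
    if mac is None or mac not in devices or acc not in (ACC_READ, ACC_WRITE):
        return 403
    return 200


def handle_request(path: str, body: str) -> int:
    """Dispatch a form-encoded POST body to the two checks; unknown paths are denied."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if path == "/auth":
        return check_user(form.get("username", ""), form.get("password", ""))
    if path == "/acl":
        try:
            acc = int(form.get("acc", "0"))
        except ValueError:
            return 403
        return check_acl(form.get("username", ""), form.get("topic", ""), acc)
    return 403
```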
Just scratching the surface!
Debugging Headache
ERIC HANKINSON
@kumichou erichankinson.com leandog.com