Useful HiveMQ Plugins: The File Authentication Plugin
This is part two of the blog series Useful HiveMQ Plugins, which introduces the most valuable HiveMQ plugins. The first part explained the MQTT Access Log plugin, which logs all MQTT-relevant actions on the broker. In case you missed it, check it out here.
Authentication of Clients in HiveMQ
In this post we look at the HiveMQ - File Authentication Plugin. This is the first publicly available plugin that enables HiveMQ to authenticate connecting clients. Authentication is important given the sensitive data used in M2M and IoT environments. The source of the credentials for authenticating a client can also differ: it could be an LDAP directory, a SQL database, a file, a web service or something else, depending on the use case. Therefore authentication (and also authorization, which is discussed in a later post) is not part of the HiveMQ core, but can easily be added by a plugin. This makes authentication in HiveMQ very flexible. As already mentioned, the file authentication plugin is the first one; more plugins that cover other general use cases are going to be released soon. Additionally, we are going to release a public Plugin SDK, which enables you to write your own HiveMQ plugins and to implement the specific authentication and authorization logic needed for your particular use case. Contact us for early access.
Features of the Plugin
As its name says, the plugin reads username and password combinations from a simple property file and makes them available to HiveMQ. Here is the feature set in a nutshell:
Allow only clients with correct credentials to connect
The main functionality of the plugin is to allow only clients with a correct username/password combination, as listed in the credential file, to connect to HiveMQ. The file contains one username and password per line:
username:password
Password storage format configurable
The password itself can be stored in different ways: as plaintext or as a hash with an optional salt. Various hashing algorithms are accepted. All configuration options are explained in detail in the plugin documentation.
Automatic reload of credential file without HiveMQ restart
The plugin automatically reloads the credential file. This allows new client credentials to be appended while HiveMQ is running. The reload interval can be adjusted to your needs. See here.
Command line tool to easily manage the credential file (coming soon)
As it requires some effort to create passwords and insert them into the credential file, we're currently developing a command line utility that simplifies adding, modifying and deleting client credentials. In the meantime, a neat utility from Apache Shiro helps generate passwords with various hash algorithms in a format the File Authentication plugin can read. More detail here.
Quick Start
Download HiveMQ from here
Download File Authentication Plugin from here
Extract both.
Copy the file-authentication-plugin-{version}.jar and the content of the folder sample-configuration from the extracted plugin into the HiveMQ plugins folder.
Start HiveMQ via bin/run.sh (Linux/Unix) or bin/run.bat (Windows)
Use an MQTT client of your choice and log in with username user1 and password user1
Notice: The quick start sample configuration stores the passwords in plaintext. For production environments, use the setup described here.
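As an added example (not part of the plugin or of the original post), the following Python script audits a credential file in the username:password layout before it is used in production, flagging plaintext entries such as the quick-start user1:user1. The function name, the sample entries and the pattern used to recognise a hashed entry (a hex digest with an optional "salt$" prefix) are assumptions; the plugin's actual storage layout is defined by its configuration.

```python
import hashlib
import re

# Assumption: a hashed entry is a hex digest of MD5/SHA-1/SHA-256/SHA-512 length,
# optionally preceded by a salt and a "$" separator. Adjust to the layout that
# the plugin configuration actually uses.
HASHED = re.compile(r"(?:[^$]+\$)?(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}"
                    r"|[0-9a-fA-F]{64}|[0-9a-fA-F]{128})")


def audit_credentials(text):
    """Return (line_number, username, finding) tuples for a credential file."""
    findings = []
    seen = {}  # username -> first line it appeared on
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or comment
            continue
        # Split on the first ":" only, so a password may itself contain ":".
        username, sep, secret = line.partition(":")
        if not sep or not username or not secret:
            findings.append((lineno, username or None, "malformed"))
            continue
        if username in seen:
            findings.append((lineno, username, f"duplicate of line {seen[username]}"))
        else:
            seen[username] = lineno
        if not HASHED.fullmatch(secret):
            findings.append((lineno, username, "plaintext password"))
            if secret == username:
                findings.append((lineno, username, "password equals username"))
    return findings


# Constructed sample: the quick-start user plus made-up entries.
SAMPLE = "\n".join([
    "# sample credentials",
    "user1:user1",
    "sensor7:" + hashlib.sha256(b"constructed").hexdigest(),
    "gateway",
    "user1:changed",
])

if __name__ == "__main__":
    for lineno, user, finding in audit_credentials(SAMPLE):
        print(f"line {lineno}: {user!r}: {finding}")
```

The hash check is a heuristic: a plaintext password that happens to be a hex string of digest length would pass it.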
Currently we’re developing more HiveMQ plugins for different use cases, so stay tuned for new announcements. If you have an idea for an essential plugin, contact us, leave a comment or use the feedback button on the left.
The HiveMQ Team