Redis backend example
A comqtt broker with comqttauth wired in coexist mode against a Redis
instance. Connection auth runs through comqtt's upstream
plugin/auth/redis hook (bcrypt). Regex ACL runs through comqttauth.Hook.
Prereqs
docker run --rm -d --name comqttauth-example-redis -p 6379:6379 redis:7
Run
go run ./examples/redis
Environment
| Variable | Default | Notes |
|---|---|---|
| COMQTTAUTH_REDIS_ADDR | 127.0.0.1:6379 | host:port |
| COMQTTAUTH_REDIS_DB | 0 | DB index |
| COMQTTAUTH_REDIS_USERNAME | (empty) | ACLed Redis users |
| COMQTTAUTH_REDIS_PASSWORD | (empty) | Redis password |
| COMQTTAUTH_LISTEN | :1883 | TCP listen address |
Seeded credentials and rules
- alice / wonderland — allowed to publish on telemetry/${username}/#.
- bob / builder — denied publish on forbidden/#.
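Added example, not code from comqttauth or comqtt: how a ${username} rule such as alice's confines each client to its own subtree. It assumes the pattern is expanded first and then matched as an MQTT topic filter; expandUsername, filterMatches and ruleCovers are hypothetical names, and refusing usernames that contain +, # or / is this example's own choice.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// expandUsername substitutes ${username} into an ACL topic pattern.
// Assumption of this example: names containing MQTT topic metacharacters are
// refused, so a client name such as "+" can never widen the resulting filter.
func expandUsername(pattern, username string) (string, error) {
	if username == "" || strings.ContainsAny(username, "+#/\x00") {
		return "", errors.New("username not usable in a topic filter")
	}
	return strings.ReplaceAll(pattern, "${username}", username), nil
}

// filterMatches applies MQTT topic-filter rules: "+" matches exactly one
// level, "#" matches the parent level and everything below it.
func filterMatches(filter, topic string) bool {
	f := strings.Split(filter, "/")
	t := strings.Split(topic, "/")
	for i, level := range f {
		if level == "#" {
			return i == len(f)-1 // "#" is only valid as the last level
		}
		if i >= len(t) || (level != "+" && level != t[i]) {
			return false
		}
	}
	return len(f) == len(t)
}

// ruleCovers reports whether pattern, expanded for username, covers topic.
func ruleCovers(pattern, username, topic string) bool {
	filter, err := expandUsername(pattern, username)
	return err == nil && filterMatches(filter, topic)
}

func main() {
	const allow = "telemetry/${username}/#" // alice's seeded allow rule
	fmt.Println(ruleCovers(allow, "alice", "telemetry/alice/temp"))
	fmt.Println(ruleCovers(allow, "alice", "telemetry/bob/temp"))
	fmt.Println(ruleCovers(allow, "+", "telemetry/alice/temp"))
	fmt.Println(ruleCovers("forbidden/#", "bob", "forbidden/secret"))
}
```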
Exercise
# allowed
mosquitto_pub -h 127.0.0.1 -p 1883 -u alice -P wonderland -t telemetry/alice/temp -m hi
# blocked by deny rule
mosquitto_pub -h 127.0.0.1 -p 1883 -u bob -P builder -t forbidden/secret -m boom
# connection rejected
mosquitto_pub -h 127.0.0.1 -p 1883 -u eve -P bad -t any/topic -m nope
Storage shape
Users and ACL entries use the same Redis layout as comqtt:
HASH comqtt:auth field=<subject> value=<JSON {password, allow}>
HASH comqtt:acl:<subject> field=<topic> value=<access byte>
HASH comqtt:acl_regex field=<id> value=<JSON rule>
HASH comqttauth:meta field=regex_seeded value=1
redis-cli HGETALL comqtt:auth shows the seeded users with bcrypt password hashes.