Comments (4)
iegomez
commented on August 22, 2024
Are you setting allow_anonymous true at mosquitto's conf while setting up the plugin too? Because in that case I think mosquitto would let anonymous clients connect, but the plugin doesn't allow anonymous users and thus neither authenticates nor authorizes them. Also, this scenario would be backend independent, i.e., it has nothing to do with the mysql one.
I've thought about including support for anonymous users, but I fail to see the advantage over some default restricted user that every client could use instead of connecting anonymously. Do you have a use case for supporting them?
from mosquitto-go-auth.
vava24680
commented on August 22, 2024
Thank you. I find out that allow_anonymous false should be set explicitly for disabling connection from anonymous user.
Sorry for the title that says "strange behavior with mysql backend". I should investigate more deeply.
Also I have a question about the anonymous user, what you means is that creating a user account for anonymous connection and set some acl rules on this user?
from mosquitto-go-auth.
iegomez
commented on August 22, 2024
If you check mosquitto's conf man page, you'll see that static ACLs may mention rules for anonymous users:
The first set of topics are applied to anonymous clients, assuming allow_anonymous is true.
The thing is these general rules are achievable with some default user, e.g. every client that's granted general permissions should connect with username <insert-your-desired-default-here>, and you can throw those rules in your ACLs file under that name and you are done. The benefit is that I don't have to define anonymous users semantics for the rest of the backends. I certainly could, I think jpmen's plugin does by passing a default anonymous user with username anonymous (or something like that, I'd have to check) when an anonymous user is checked for ACLs, but that means the backends need to actually define rules for the user with username anonymous, which would be the same as connecting with username anonymous instead of just connecting anonymously (i.e., without username).
So until now I just went with this default: anonymous users won't get authenticated nor authorized. It's simple and understandable (I mean, you are using an auth plugin, that means you want to control what clients can do), and there's the obvious workaround of telling clients to use a default username for general stuff.
The downside is that it's not consistent with mosquitto's default behaviour, which is why I've considered adding support for anonymous users. I think I probably will when I get the time, it's just not a priority right now. So let's leave this issue open as a reminder that I should do something about it.
from mosquitto-go-auth.
iegomez
commented on August 22, 2024
Going against my words, I'll close this because I believe the easy workaround fits better the idea of having "anonymous" clients. But still, I'd love to see you argue against it! Just let me know.
from mosquitto-go-auth.
Related Issues (20)
- Files backend issue HOT 7
- Implementing mosquitto_psk_key_get for certificate whitelisting HOT 8
- JWT backend JS mode not working HOT 1
- How to check if a client is disconnected from the broker HOT 2
- MongoDB is broken in test Docker image HOT 4
- Not authenticating with mysql db
- The plugin cannot be built HOT 1
- Request: Help in setting up Allow/Deny Access Control Rules based on Client ID HOT 4
- TARGETPLATFORM does not include linux/amd64 in Dockerfile HOT 2
- http backend: superuser check is made for every single acl check HOT 6
- Make order of plugin execution configurable
- Update/Fix dependencies with active vulnerabilities HOT 1
- error compiling on raspberry pi HOT 1
- Hasher configuration alway defaults to Base64 HOT 1
- the doc should specify which auth methods support TCP and Websocket connections HOT 1
- Container image on Dockerhub is outdated
- Inconsistent rw Permission Behavior Not Matching Documentation HOT 4
- JWT RS256 public key verification "jwt parse error: key is of invalid type"
- Backend register error: couldn't initialize js backend with error Javascript backend error: missing options: js_acl_script_path.
- Allow for clientId to be passed to postgres GetUser backend password check HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from mosquitto-go-auth.