|
|
|
@ -25,7 +25,7 @@ installations, but will not be activated by default.
|
|
|
|
## Concepts
|
|
|
|
## Concepts
|
|
|
|
|
|
|
|
|
|
|
|
This section describes the concepts of how the plugin operates. If you want to
|
|
|
|
This section describes the concepts of how the plugin operates. If you want to
|
|
|
|
find out how to use the plugin features, look in the [Usage] section below.
|
|
|
|
find out how to use the plugin features, look in the [Installation] section below.
|
|
|
|
|
|
|
|
|
|
|
|
The plugin allows you to create three main objects, `clients`, `groups`, and `roles`.
|
|
|
|
The plugin allows you to create three main objects, `clients`, `groups`, and `roles`.
|
|
|
|
|
|
|
|
|
|
|
|
@ -280,7 +280,7 @@ If allowed, anything connecting without a username will be assigned to a group
|
|
|
|
that you define. By assigning roles to that group, you can control what
|
|
|
|
that you define. By assigning roles to that group, you can control what
|
|
|
|
anonymous devices can access.
|
|
|
|
anonymous devices can access.
|
|
|
|
|
|
|
|
|
|
|
|
## Initial configuration
|
|
|
|
## Installation
|
|
|
|
|
|
|
|
|
|
|
|
To use the Dynamic Security plugin, it must be configured in the broker and an
|
|
|
|
To use the Dynamic Security plugin, it must be configured in the broker and an
|
|
|
|
initial plugin configuration must be generated.
|
|
|
|
initial plugin configuration must be generated.
|
|
|
|
@ -303,7 +303,9 @@ It is recommended to use `per_listener_settings false` with this plugin, so all
|
|
|
|
listeners use the same authentication and access control.
|
|
|
|
listeners use the same authentication and access control.
|
|
|
|
|
|
|
|
|
|
|
|
The `dynamic-security.json` file is where the plugin configuration will be
|
|
|
|
The `dynamic-security.json` file is where the plugin configuration will be
|
|
|
|
stored. To generate an initial file, use the `mosquitto_ctrl` utility.
|
|
|
|
stored. This file will be updated each time you make client/group/role changes,
|
|
|
|
|
|
|
|
during normal operation the configuration stays in memory. To generate an
|
|
|
|
|
|
|
|
initial file, use the `mosquitto_ctrl` utility.
|
|
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
```
|
|
|
|
mosquitto_ctrl dynsec init path/to/dynamic-security.json admin-user
|
|
|
|
mosquitto_ctrl dynsec init path/to/dynamic-security.json admin-user
|
|
|
|
@ -338,7 +340,18 @@ the `#` hierarchy by default. You are strongly encouraged to keep the admin
|
|
|
|
user purely for administering the plugin, and create other clients for your
|
|
|
|
user purely for administering the plugin, and create other clients for your
|
|
|
|
application.
|
|
|
|
application.
|
|
|
|
|
|
|
|
|
|
|
|
## Using mosquitto_ctrl with a running broker
|
|
|
|
## Usage
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
All control of the plugin after initial installation is through the MQTT topic
|
|
|
|
|
|
|
|
API at `$CONTROL/dynamic-security/v1`. This allows integrations to be built,
|
|
|
|
|
|
|
|
but isn't the best choice for people to use directly. The `mosquitto_ctrl`
|
|
|
|
|
|
|
|
command provided with Mosquitto implements support for the dynamic security
|
|
|
|
|
|
|
|
plugin API, as described below. Other options include the [Management Center
|
|
|
|
|
|
|
|
for Mosquitto](https://docs.cedalo.com/latest/) which is an open source web
|
|
|
|
|
|
|
|
based tool for controlling the plugin and other features. The Management Center
|
|
|
|
|
|
|
|
is not part of the Mosquitto project.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
### Using mosquitto_ctrl with a running broker
|
|
|
|
|
|
|
|
|
|
|
|
The initial configuration is the only time that `mosquitto_ctrl` does not
|
|
|
|
The initial configuration is the only time that `mosquitto_ctrl` does not
|
|
|
|
connect to a broker to carry out the configuration. All other commands require
|
|
|
|
connect to a broker to carry out the configuration. All other commands require
|
|
|
|
|
Roger A. Light
4 years ago