Adding an authentication plugin to Mosquitto
This time I'll install the mosquitto-auth-plug authentication plugin into Mosquitto and try out user authentication on MQTT connections.
mosquitto-auth-plug
https://github.com/jpmens/mosquitto-auth-plug
Setting up the build environment
First, install the packages needed for the build.
sudo apt-get install make libcurl4-openssl-dev
Make a working directory somewhere and fetch mosquitto-auth-plug.
git clone https://github.com/jpmens/mosquitto-auth-plug.git
The Mosquitto and OpenSSL sources are needed by make, so fetch those as well.
Mosquitto
http://mosquitto.org/download/
kyoro@iot:~/git$ wget http://mosquitto.org/files/source/mosquitto-1.4.4.tar.gz
--2015-10-21 20:30:24--  http://mosquitto.org/files/source/mosquitto-1.4.4.tar.gz
Resolving mosquitto.org (mosquitto.org)... 85.119.83.194, 2001:ba8:1f1:f271::2
Connecting to mosquitto.org (mosquitto.org)|85.119.83.194|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 325077 (317K) [application/octet-stream]
Saving to: ‘mosquitto-1.4.4.tar.gz’

100%[==================================================================>] 325,077     493KB/s   in 0.6s

2015-10-21 20:30:25 (493 KB/s) - ‘mosquitto-1.4.4.tar.gz’ saved [325077/325077]

kyoro@iot:~/git$ tar zxvf mosquitto-1.4.4.tar.gz
kyoro@iot:~/git$ mv -f mosquitto-1.4.4 mosquitto
OpenSSL
https://www.openssl.org/source/
kyoro@iot:~/git$ git clone git://git.openssl.org/openssl.git
Configuring the build
Create the config file. Move into the mosquitto-auth-plug working directory and create config.mk from the sample.
kyoro@iot:~/git/mosquitto-auth-plug$ cp config.mk.in config.mk
Edit the config. Only the HTTP backend is used this time, so set it up as follows.
# Select your backends from this list
BACKEND_CDB ?= no
BACKEND_MYSQL ?= no
BACKEND_SQLITE ?= no
BACKEND_REDIS ?= no
BACKEND_POSTGRES ?= no
BACKEND_LDAP ?= no
BACKEND_HTTP ?= yes
BACKEND_MONGO ?= no

# Specify the path to the Mosquitto sources here
MOSQUITTO_SRC = /home/kyoro/git/mosquitto

# Specify the path the OpenSSL here
OPENSSLDIR = /home/kyoro/git/openssl
OSSLINC=-I$(OPENSSLDIR)/include
OSSLIBS=-L$(OPENSSLDIR)/lib -lcrypto
Building the plugin
Once the config is done, run make.
kyoro@iot:~/git/mosquitto-auth-plug$ make
Selected backends:  HTTP
Using mosquitto source dir: /home/kyoro/git/mosquitto
OpenSSL install dir: /home/kyoro/git/openssl

If you changed the backend selection, you might need to 'make clean' first

cc -I/home/kyoro/git/mosquitto/src/ -I/home/kyoro/git/mosquitto/lib/ -fPIC -Wall -Werror -DBE_HTTP -I/src -DDEBUG=1 -I/home/kyoro/git/openssl/include -c -o auth-plug.o auth-plug.c
cc -I/home/kyoro/git/mosquitto/src/ -I/home/kyoro/git/mosquitto/lib/ -fPIC -Wall -Werror -DBE_HTTP -I/src -DDEBUG=1 -I/home/kyoro/git/openssl/include -c -o base64.o base64.c
cc -I/home/kyoro/git/mosquitto/src/ -I/home/kyoro/git/mosquitto/lib/ -fPIC -Wall -Werror -DBE_HTTP -I/src -DDEBUG=1 -I/home/kyoro/git/openssl/include -c -o pbkdf2-check.o pbkdf2-check.c
cc -I/home/kyoro/git/mosquitto/src/ -I/home/kyoro/git/mosquitto/lib/ -fPIC -Wall -Werror -DBE_HTTP -I/src -DDEBUG=1 -I/home/kyoro/git/openssl/include -c -o log.o log.c
cc -I/home/kyoro/git/mosquitto/src/ -I/home/kyoro/git/mosquitto/lib/ -fPIC -Wall -Werror -DBE_HTTP -I/src -DDEBUG=1 -I/home/kyoro/git/openssl/include -c -o envs.o envs.c
cc -I/home/kyoro/git/mosquitto/src/ -I/home/kyoro/git/mosquitto/lib/ -fPIC -Wall -Werror -DBE_HTTP -I/src -DDEBUG=1 -I/home/kyoro/git/openssl/include -c -o hash.o hash.c
cc -I/home/kyoro/git/mosquitto/src/ -I/home/kyoro/git/mosquitto/lib/ -fPIC -Wall -Werror -DBE_HTTP -I/src -DDEBUG=1 -I/home/kyoro/git/openssl/include -c -o be-psk.o be-psk.c
cc -I/home/kyoro/git/mosquitto/src/ -I/home/kyoro/git/mosquitto/lib/ -fPIC -Wall -Werror -DBE_HTTP -I/src -DDEBUG=1 -I/home/kyoro/git/openssl/include -c -o backends.o backends.c
cc -I/home/kyoro/git/mosquitto/src/ -I/home/kyoro/git/mosquitto/lib/ -fPIC -Wall -Werror -DBE_HTTP -I/src -DDEBUG=1 -I/home/kyoro/git/openssl/include -c -o cache.o cache.c
cc -I/home/kyoro/git/mosquitto/src/ -I/home/kyoro/git/mosquitto/lib/ -fPIC -Wall -Werror -DBE_HTTP -I/src -DDEBUG=1 -I/home/kyoro/git/openssl/include -c -o be-http.o be-http.c
cc -I/home/kyoro/git/mosquitto/src/ -I/home/kyoro/git/mosquitto/lib/ -fPIC -Wall -Werror -DBE_HTTP -I/src -DDEBUG=1 -I/home/kyoro/git/openssl/include -L/home/kyoro/git/mosquitto/lib/ -lcares -fPIC -shared -o auth-plug.so auth-plug.o base64.o pbkdf2-check.o log.o envs.o hash.o be-psk.o backends.o cache.o be-http.o -lcurl -L/home/kyoro/git/openssl/lib -lcrypto -lmosquitto
/usr/bin/ld: cannot find -lcares
/usr/bin/ld: cannot find -lmosquitto
collect2: error: ld returned 1 exit status
make: *** [auth-plug.so] Error 1
Hm? It fell over at the last step.
They didn't look relevant, so I tried dropping the -lcares and -lmosquitto that couldn't be found.
kyoro@iot:~/git/mosquitto-auth-plug$ cc -I/home/kyoro/git/mosquitto/src/ -I/home/kyoro/git/mosquitto/lib/ -fPIC -Wall -Werror -DBE_HTTP -I/src -DDEBUG=1 -I/home/kyoro/git/openssl/include -L/home/kyoro/git/mosquitto/lib/ -fPIC -shared -o auth-plug.so auth-plug.o base64.o pbkdf2-check.o log.o envs.o hash.o be-psk.o backends.o cache.o be-http.o -lcurl -L/home/kyoro/git/openssl/lib -lcrypto
kyoro@iot:~/git/mosquitto-auth-plug$ ls *.so
auth-plug.so
Yay, it compiled!
Configuring the plugin
Let's try it out right away.
Move the resulting auth-plug.so somewhere suitable.
kyoro@iot:~/git/mosquitto-auth-plug$ mkdir ~/bin
kyoro@iot:~/git/mosquitto-auth-plug$ mv auth-plug.so ~/bin/
Edit mosquitto.conf to enable the auth plugin. Note that allow_anonymous is set to false, so every connection has to pass the plugin's HTTP backend.
sudo vi /etc/mosquitto/mosquitto.conf
# Place your local configuration in /etc/mosquitto/conf.d/
#
# A full description of the configuration file is at
# /usr/share/doc/mosquitto/examples/mosquitto.conf.example

pid_file /var/run/mosquitto.pid

persistence true
persistence_location /var/lib/mosquitto/

log_dest file /var/log/mosquitto/mosquitto.log

include_dir /etc/mosquitto/conf.d

allow_anonymous false
auth_plugin /home/kyoro/bin/auth-plug.so
auth_opt_backends http
auth_opt_http_ip 127.0.0.1
auth_opt_http_port 3000
auth_opt_http_getuser_uri /auth
auth_opt_http_superuser_uri /superuser
auth_opt_http_aclcheck_uri /acl
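To make sense of the three URIs configured above, here is an added example (not code from this post or from the mosquitto-auth-plug project) of a minimal HTTP backend that listens on 127.0.0.1:3000 and answers /auth, /superuser and /acl. It assumes the request contract described in the plugin's README: the broker POSTs form fields username, password and clientid to the getuser URI, username to the superuser URI, and username, clientid, topic and acc (1 = read, 2 = write) to the aclcheck URI, and it treats a 2xx response as "allow" and anything else as "deny". The user names, password, topic filters and the PBKDF2 storage scheme are constructed sample data, not anything from the post; verify the field names and acc values against the README of the plugin version you built.

```python
# Added example: minimal HTTP auth backend for mosquitto-auth-plug's http backend.
# Assumed contract (from the plugin README; verify against your version):
#   POST /auth       form fields username, password, clientid
#   POST /superuser  form field  username
#   POST /acl        form fields username, clientid, topic, acc (1 = read, 2 = write)
# 2xx response => allow; any other status => deny.
import hashlib
import hmac
import os
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

ACC_READ, ACC_WRITE = 1, 2
PBKDF2_ROUNDS = 100_000


def _derive(password, salt):
    """PBKDF2-HMAC-SHA256 of the password (our own storage scheme, not the plugin's pbkdf2 format)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _make_user(password):
    salt = os.urandom(16)  # per-user random salt
    return salt, _derive(password, salt)


# Constructed sample data: one user, one superuser, one ACL list. Only hashes are kept in memory.
USERS = {"bob": _make_user("bob-password")}
SUPERUSERS = {"admin"}
ACLS = {  # username -> [(topic filter, allowed access bitmask)]
    "bob": [("sensors/bob/#", ACC_READ | ACC_WRITE), ("sensors/+/status", ACC_READ)],
}
_DUMMY_SALT = os.urandom(16)  # so unknown users cost the same time as known ones


def topic_matches(topic_filter, topic):
    """MQTT filter matching: '+' matches exactly one level, '#' matches the remainder."""
    f_parts, t_parts = topic_filter.split("/"), topic.split("/")
    for i, part in enumerate(f_parts):
        if part == "#":
            return True
        if i >= len(t_parts) or (part != "+" and part != t_parts[i]):
            return False
    return len(f_parts) == len(t_parts)


def check_user(username, password):
    """getuser: constant-time hash comparison, same amount of work for unknown users."""
    entry = USERS.get(username)
    if entry is None:
        _derive(password, _DUMMY_SALT)
        return False
    salt, expected = entry
    return hmac.compare_digest(_derive(password, salt), expected)


def check_superuser(username):
    """superuser: the plugin skips ACL checks for users this answers 2xx for."""
    return username in SUPERUSERS


def check_acl(username, topic, acc):
    """aclcheck: allow only if some filter matches the topic and grants every bit in acc."""
    if acc not in (ACC_READ, ACC_WRITE):
        return False
    return any(topic_matches(flt, topic) and (allowed & acc) == acc
               for flt, allowed in ACLS.get(username, []))


class AuthHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        form = parse_qs(self.rfile.read(length).decode("utf-8"))
        field = lambda key: form.get(key, [""])[0]
        if self.path == "/auth":
            ok = check_user(field("username"), field("password"))
        elif self.path == "/superuser":
            ok = check_superuser(field("username"))
        elif self.path == "/acl":
            try:
                acc = int(field("acc"))
            except ValueError:
                acc = 0  # malformed acc is treated as "no access requested" and denied
            ok = check_acl(field("username"), field("topic"), acc)
        else:
            ok = False  # unknown URI: deny by default
        self.send_response(200 if ok else 403)
        self.end_headers()


if __name__ == "__main__":
    # Loopback only, matching auth_opt_http_ip 127.0.0.1 / auth_opt_http_port 3000 above.
    HTTPServer(("127.0.0.1", 3000), AuthHandler).serve_forever()
```

Two design points matter for a backend like this: every path that is not an explicit match ends in a non-2xx status, so a typo in a URI or a missing field fails closed rather than open, and password checks use a salted PBKDF2 hash with a constant-time compare, with the same amount of hashing work done for unknown user names. The broker sends the password in the POST body, so keep the backend bound to loopback as in the configuration above, or put TLS in front of it.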
Once the configuration is done, restart mosquitto.
kyoro@iot:~$ sudo service mosquitto restart
mosquitto stop/waiting
mosquitto start/running, process 20677
Checking that it works (or rather, checking that we get rejected)
Now let's see whether a mosquitto client can subscribe to a topic in this state.
kyoro@iot:~$ mosquitto_sub -d -t test
Client mosqsub/23400-iot sending CONNECT
Client mosqsub/23400-iot received CONNACK
Connection Refused: not authorised.
As anonymous, we get firmly turned away!
kyoro@iot:~$ mosquitto_sub -d -t test -u bob -P bob-password
Client mosqsub/23401-iot sending CONNECT
Client mosqsub/23401-iot received CONNACK
Connection Refused: not authorised.
Specifying a username and password doesn't get us in either, of course (there is no auth server yet, so the HTTP backend cannot answer and the plugin denies the connection).
With that, the Mosquitto authentication plugin is enabled. Next time I'd like to write a simple auth server and do access control for Mosquitto.