Re: [mosquitto-dev] RFC: add listener_allow_anonymous
Hi Kurt,
This idea of making allow anonymous a per-listener option is something that
is planned for the 1.5 release. I think what you've done looks fine -
if you rebase it off the develop branch and submit a pull request I'll
be happy to accept it. I would like some extra documentation on the
interaction between allow_anonymous and listener_allow_anonymous as
well, as that is somewhere there could be confusion.
Regards,
Roger
On 6 June 2017 at 13:57, Kurt Van Dijck <dev.kurt@xxxxxxxxxxxxxxxxxxxxxx> wrote:
>> In order to have authenticated access to my MQTT box from outside,
>> I set allow_anonymous to 1. This does have the side effect that
>> my local programs also need a 'dummy' username+password to authenticate.
>> This dummy username+password is then usable from outside also.
>>
>> I addressed this by adding the patch below. It allows MQTT to be
>> configured to allow anonymous connections from localhost, and
>> authenticated connections from outside.
>
> Today, I solved my issue differently by adding a 'listener_allow_anonymous'
> config option. This is easier to add and the backward compatibility is simpler.
>
> Since I typically use a TLS-enabled port for outside access and a
> non-TLS port for local use, this fits my problem as well.
>
> Is this a valuable thing to do? Is it right?
> How else should I address my problem?
> What do you think?
>
> Kurt
> --
>
> commit 2abb81d1ff801a8ada53df0f4b635914aa384718
> Author: Kurt Van Dijck <dev.kurt@xxxxxxxxxxxxxxxxxxxxxx>
> Date: Tue Jun 6 13:01:09 2017
>
> listener_allow_anonymous
>
> This commit introduces a (per-listener) listener_allow_anonymous
> option that controls what to do with anonymous connections.
> For backward compatibility, this option is prefixed with 'listener_'
> and the global 'allow_anonymous' is still in use, i.e. anonymous
> connections are allowed if any of allow_anonymous and
> listener_allow_anonymous are true.
>
> Signed-off-by: Kurt Van Dijck <dev.kurt@xxxxxxxxxxxxxxxxxxxxxx>
>
> diff --git a/man/mosquitto.conf.5.xml b/man/mosquitto.conf.5.xml
> index e27fb58..dc13090 100644
> --- a/man/mosquitto.conf.5.xml
> +++ b/man/mosquitto.conf.5.xml
> @@ -644,6 +644,18 @@
> </listitem>
> </varlistentry>
> <varlistentry>
> + <term><option>listener_allow_anonymous</option> [ true | false ]</term>
> + <listitem>
> + <para>Boolean value that determines whether clients that
> + connect without providing a username are allowed to
> + connect. If set to <replaceable>false</replaceable>
> + then another means of connection should be created to
> + control authenticated client access. Defaults to
> + <replaceable>false</replaceable>.</para>
> + <para>Reloaded on reload signal.</para>
> + </listitem>
> + </varlistentry>
> + <varlistentry>
> <term><option>max_connections</option> <replaceable>count</replaceable></term>
> <listitem>
> <para>Limit the total number of clients connected for
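Review bot: The new man page entry documents the default and the reload behaviour but not the interaction with the global allow_anonymous that the commit message describes (anonymous connections are allowed if either option is true); a reader who sets listener_allow_anonymous to false while the global allow_anonymous is still true will get anonymous clients on that listener, so state explicitly that the listener option can only widen, never narrow, the global setting. The sentence "If set to false then another means of connection should be created to control authenticated client access" also reads as copied from the global option and does not fit a per-listener setting; something like "If set to true, anonymous clients are accepted on this listener regardless of the global allow_anonymous setting" would be clearer.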
> diff --git a/src/conf.c b/src/conf.c
> index 6edd705..efaeeec 100644
> --- a/src/conf.c
> +++ b/src/conf.c
> @@ -1206,6 +1206,8 @@ int _config_read_file_core(struct mqtt3_config *config, bool reload, const char
> _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Empty listener value in configuration.");
> return MOSQ_ERR_INVAL;
> }
> + }else if(!strcmp(token, "listener_allow_anonymous")){
> + if(_conf_parse_bool(&token, token, &cur_listener->allow_anonymous, saveptr)) return MOSQ_ERR_INVAL;
> }else if(!strcmp(token, "local_clientid")){
> #ifdef WITH_BRIDGE
> if(reload) continue; // FIXME
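Review bot: The man page hunk says the option is "Reloaded on reload signal", but this branch has no reload handling at all, whereas the neighbouring local_clientid branch explicitly does `if(reload) continue;`; decide which behaviour is intended and make the documentation and the parser agree. Also confirm that cur_listener is guaranteed non-NULL at this point (for example when listener_allow_anonymous appears in the file before any `listener` line), and consider passing the literal option name `"listener_allow_anonymous"` as the name argument to _conf_parse_bool rather than `token`, as that makes the call self-documenting.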
> diff --git a/src/mosquitto_broker.h b/src/mosquitto_broker.h
> index 8d19790..982603d 100644
> --- a/src/mosquitto_broker.h
> +++ b/src/mosquitto_broker.h
> @@ -79,6 +79,7 @@ struct _mqtt3_listener {
> int client_count;
> enum mosquitto_protocol protocol;
> bool use_username_as_clientid;
> + bool allow_anonymous;
> #ifdef WITH_TLS
> char *cafile;
> char *capath;
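Review bot: The new `bool allow_anonymous` member has no initialisation anywhere in the patch, so the documented default of false relies on every `struct _mqtt3_listener` being zero-initialised when it is created; either add an explicit `= false` where listeners are allocated or add a short comment on the member noting the default and that it is OR-ed with the global config->allow_anonymous.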
> diff --git a/src/read_handle_server.c b/src/read_handle_server.c
> index 2b9c8f5..a1d7903 100644
> --- a/src/read_handle_server.c
> +++ b/src/read_handle_server.c
> @@ -399,7 +399,7 @@ int mqtt3_handle_connect(struct mosquitto_db *db, struct mosquitto *context)
> password = NULL;
> }
>
> - if(!username_flag && db->config->allow_anonymous == false){
> + if(!username_flag && db->config->allow_anonymous == false && !context->listener->allow_anonymous){
> _mosquitto_send_connack(context, 0, CONNACK_REFUSED_NOT_AUTHORIZED);
> rc = 1;
> goto handle_connect_error;
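Review bot: The combined test `db->config->allow_anonymous == false && !context->listener->allow_anonymous` is the same decision that security_default.c has to make, and the two copies can drift apart; factor it into one small helper (for example a static inline that takes the context and returns whether anonymous access is permitted on its listener) and call it from both places. A one-line comment stating that the listener flag only adds to the global setting would also help the next reader, since the OR semantics are not obvious from the condition alone.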
> diff --git a/src/security_default.c b/src/security_default.c
> index a1d3ec1..d989db7 100644
> --- a/src/security_default.c
> +++ b/src/security_default.c
> @@ -714,7 +714,7 @@ int mosquitto_security_apply_default(struct mosquitto_db *db)
>
> HASH_ITER(hh_id, db->contexts_by_id, context, ctxt_tmp){
> /* Check for anonymous clients when allow_anonymous is false */
> - if(!allow_anonymous && !context->username){
> + if(!allow_anonymous && !context->username && !context->listener->allow_anonymous){
> context->state = mosq_cs_disconnecting;
> do_disconnect(db, context);
> continue;
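Review bot: `context->listener` is dereferenced here without a NULL check, and this HASH_ITER walks every context in contexts_by_id, including contexts that were not accepted on a listener (outgoing bridge connections); unless those are guaranteed to have a username or to be skipped before this line, guard the new term with `context->listener &&` so a reload with allow_anonymous false cannot dereference a NULL listener.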
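The setup Kurt describes (anonymous local clients on a plain listener, authenticated clients on a TLS listener), written out as a mosquitto.conf that uses the option from the patch above. This is an added illustration, not part of the thread; listener_allow_anonymous comes from the patch, the file paths are placeholders, and because the patch OR-s the listener flag with the global setting, the global allow_anonymous must be false or the TLS listener will also accept anonymous clients.

```conf
# Global default: refuse clients that send no username.
# With this patch the per-listener flag can only widen this setting,
# so it must be false here for the TLS listener to require credentials.
allow_anonymous false
password_file /etc/mosquitto/passwd   # placeholder path

# Plain listener, bound to loopback only: local programs connect
# without a username thanks to the per-listener option.
listener 1883 127.0.0.1
listener_allow_anonymous true

# TLS listener reachable from outside: no per-listener override,
# so the global allow_anonymous false applies and a username and
# password from password_file are required.
listener 8883
cafile   /etc/mosquitto/ca.crt        # placeholder path
certfile /etc/mosquitto/server.crt    # placeholder path
keyfile  /etc/mosquitto/server.key    # placeholder path
```

Note that listener_allow_anonymous applies to the most recent `listener` line, so it has to follow the listener it is meant for.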