Re: [mosquitto-dev] RFC: add listener_allow_anonymous

Hi Kurt,

This idea of making allow_anonymous per-listener is something that
is planned for the 1.5 release. I think what you've done looks fine -
if you rebase it off the develop branch and submit a pull request I'll
be happy to accept it. I would like some extra documentation on the
interaction between allow_anonymous and listener_allow_anonymous as
well, as that is somewhere there could be confusion.

Regards,

Roger


On 6 June 2017 at 13:57, Kurt Van Dijck <dev.kurt@xxxxxxxxxxxxxxxxxxxxxx> wrote:
>> In order to have authenticated access to my MQTT box from outside,
>> I set allow_anonymous to 1. This does have the side effect that
>> my local programs also need a 'dummy' username+password to authenticate.
>> This dummy username+password is then usable from outside also.
>>
>> I addressed this by adding the patch below. It allows MQTT to be
>> configured to allow anonymous connections from localhost, and
>> authenticated connections from outside.
>
> Today, I solved my issue differently by adding a 'listener_allow_anonymous'
> config option. This is easier to add and the backward compatibility is simpler.
>
> Since I typically use a TLS-enabled port for outside access and a
> non-TLS port for local use, this fits my problem as well.
>
> Is this a valuable thing to do? Is it right?
> How else should I address my problem?
> What do you think?
>
> Kurt
> --
>
> commit 2abb81d1ff801a8ada53df0f4b635914aa384718
> Author: Kurt Van Dijck <dev.kurt@xxxxxxxxxxxxxxxxxxxxxx>
> Date:   Tue Jun 6 13:01:09 2017
>
>     listener_allow_anonymous
>
>     This commit introduces a (per-listener) listener_allow_anonymous
>     option that controls what to do with anonymous connections.
>     For backward compatibility, this option is prefixed with 'listener_'
>     and the global 'allow_anonymous' is still in use, i.e. anonymous
>     connections are allowed if any of allow_anonymous and
>     listener_allow_anonymous are true.
>
>     Signed-off-by: Kurt Van Dijck <dev.kurt@xxxxxxxxxxxxxxxxxxxxxx>
>
> diff --git a/man/mosquitto.conf.5.xml b/man/mosquitto.conf.5.xml
> index e27fb58..dc13090 100644
> --- a/man/mosquitto.conf.5.xml
> +++ b/man/mosquitto.conf.5.xml
> @@ -644,6 +644,18 @@
>                                         </listitem>
>                                 </varlistentry>
>                                 <varlistentry>
> +                                       <term><option>listener_allow_anonymous</option> [ true | false ]</term>
> +                                       <listitem>
> +                                               <para>Boolean value that determines whether clients that
> +                                                       connect without providing a username are allowed to
> +                                                       connect. If set to <replaceable>false</replaceable>
> +                                                       then another means of connection should be created to
> +                                                       control authenticated client access.  Defaults to
> +                                                       <replaceable>false</replaceable>.</para>
> +                                               <para>Reloaded on reload signal.</para>
> +                                       </listitem>
> +                               </varlistentry>
> +                               <varlistentry>
>                                         <term><option>max_connections</option> <replaceable>count</replaceable></term>
>                                         <listitem>
>                                                 <para>Limit the total number of clients connected for
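Review bot: the new varlistentry documents listener_allow_anonymous in isolation and says nothing about the global allow_anonymous, yet per the commit message anonymous clients are accepted if either option is true, so this per-listener setting only has an effect while the global one is false. Suggest adding a sentence to the para along the lines of "This option only takes effect when the global allow_anonymous is false; when allow_anonymous is true, anonymous clients are accepted on every listener." The phrase "then another means of connection should be created to control authenticated client access" is carried over from the allow_anonymous entry and reads oddly here, where the other means is simply a second listener with different settings.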
> diff --git a/src/conf.c b/src/conf.c
> index 6edd705..efaeeec 100644
> --- a/src/conf.c
> +++ b/src/conf.c
> @@ -1206,6 +1206,8 @@ int _config_read_file_core(struct mqtt3_config *config, bool reload, const char
>                                                 _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Empty listener value in configuration.");
>                                                 return MOSQ_ERR_INVAL;
>                                         }
> +                               }else if(!strcmp(token, "listener_allow_anonymous")){
> +                                       if(_conf_parse_bool(&token, token, &cur_listener->allow_anonymous, saveptr)) return MOSQ_ERR_INVAL;
>                                 }else if(!strcmp(token, "local_clientid")){
>  #ifdef WITH_BRIDGE
>                                         if(reload) continue; // FIXME
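Review bot: the new branch writes straight into cur_listener->allow_anonymous, so the option's effect depends on where it appears in the file: it applies to the listener most recently introduced by a `listener` line. That matches the other listener options, but the man page entry should say so, since a user who puts listener_allow_anonymous above the listener it is meant for will silently configure a different one. Also, none of the hunks initialise the new field; the documented default of false relies on the listener struct being zeroed at allocation, which is worth confirming (or making explicit where the other listener defaults are set).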
> diff --git a/src/mosquitto_broker.h b/src/mosquitto_broker.h
> index 8d19790..982603d 100644
> --- a/src/mosquitto_broker.h
> +++ b/src/mosquitto_broker.h
> @@ -79,6 +79,7 @@ struct _mqtt3_listener {
>         int client_count;
>         enum mosquitto_protocol protocol;
>         bool use_username_as_clientid;
> +       bool allow_anonymous;
>  #ifdef WITH_TLS
>         char *cafile;
>         char *capath;
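Review bot: the field is named allow_anonymous while the config token is listener_allow_anonymous, and its semantics (OR-ed with the global config->allow_anonymous) are only implied by the two call sites. A one-line comment on the declaration stating that relationship would help the next reader and keeps the two checks in read_handle_server.c and security_default.c honest.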
> diff --git a/src/read_handle_server.c b/src/read_handle_server.c
> index 2b9c8f5..a1d7903 100644
> --- a/src/read_handle_server.c
> +++ b/src/read_handle_server.c
> @@ -399,7 +399,7 @@ int mqtt3_handle_connect(struct mosquitto_db *db, struct mosquitto *context)
>                         password = NULL;
>                 }
>
> -               if(!username_flag && db->config->allow_anonymous == false){
> +               if(!username_flag && db->config->allow_anonymous == false && !context->listener->allow_anonymous){
>                         _mosquitto_send_connack(context, 0, CONNACK_REFUSED_NOT_AUTHORIZED);
>                         rc = 1;
>                         goto handle_connect_error;
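Review bot: the changed condition dereferences context->listener unconditionally, whereas the original line only touched db->config. If any context that reaches mqtt3_handle_connect can have a NULL listener, this is a NULL dereference on the anonymous path; either confirm that every context here has listener set, or guard with `context->listener &&`. Stylistically, mixing `== false` with `!` in one expression is inconsistent; `!db->config->allow_anonymous && !context->listener->allow_anonymous` reads better.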
> diff --git a/src/security_default.c b/src/security_default.c
> index a1d3ec1..d989db7 100644
> --- a/src/security_default.c
> +++ b/src/security_default.c
> @@ -714,7 +714,7 @@ int mosquitto_security_apply_default(struct mosquitto_db *db)
>
>         HASH_ITER(hh_id, db->contexts_by_id, context, ctxt_tmp){
>                 /* Check for anonymous clients when allow_anonymous is false */
> -               if(!allow_anonymous && !context->username){
> +               if(!allow_anonymous && !context->username && !context->listener->allow_anonymous){
>                         context->state = mosq_cs_disconnecting;
>                         do_disconnect(db, context);
>                         continue;
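Review bot: this repeats the "global OR per-listener" decision already written in read_handle_server.c, and two copies of that logic will drift the next time the rule changes. Suggest factoring it into one small helper (something like `static bool anonymous_allowed(struct mosquitto_db *db, struct mosquitto *context)`, name is a suggestion) and calling it from both places. The same NULL-listener caveat applies here, and more so, because HASH_ITER walks every context in db->contexts_by_id on the reload path, not only those that were just accepted on a listener.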
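As an added illustration (not part of Kurt's mail and not from the mosquitto project's own documentation), this is the shape of mosquitto.conf the patch is meant to enable: the global allow_anonymous stays false, a loopback-only listener opts in with the patch's listener_allow_anonymous, and the TLS listener used for outside access keeps requiring credentials. All file paths are placeholders.

```ini
# Constructed example configuration for the listener_allow_anonymous patch.
# Paths below are placeholders, not real deployment values.

# Keep the global switch off. Under the patch, anonymous access is granted if
# EITHER the global or the per-listener option is true, so setting this to
# true would open every listener, the TLS one included.
allow_anonymous false

# Credentials checked for any client that does present a username.
# placeholder path
password_file /etc/mosquitto/passwd

# Listener 1: plain MQTT bound to loopback only. Only processes on this host
# can reach it, so anonymous connections are tolerated here. The option must
# follow the 'listener' line it belongs to, because the parser stores it in
# the most recently declared listener.
listener 1883 127.0.0.1
listener_allow_anonymous true

# Listener 2: TLS on all interfaces for outside access. The per-listener
# option is left false, so with the global option also false every client
# must present a username/password from password_file; an anonymous CONNECT
# on this port gets CONNACK_REFUSED_NOT_AUTHORIZED.
listener 8883
# placeholder certificate paths
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
listener_allow_anonymous false
```

The point of the layout is that the "dummy" local credentials Kurt describes are no longer needed, so there is no shared secret that also works from outside. Note that listener_allow_anonymous exists only in this proposed patch; released mosquitto from 1.5 onward achieves the same separation with `per_listener_settings true` and an `allow_anonymous` line under each listener, which is the form to use on a current broker.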

