MongoDB Authentication/ACL

    Open the MongoDB official website address: , select the version you need, here we use the macOS 4.4.1 version:

    Start MongoDB after installation

    Create module

    Open , click the “Modules” tab on the left, and choose to add:

    Select MongoDB Authentication/ACL module

    Configure MongoDB related parameters

    When authenticating a client, EMQX fills in the authentication query configured by the user with the current client's information, executes it, and looks up the client's authentication data in the database.

    MongoDB supports the configuration of collection names, authentication fields, authentication placeholders and other parameters.

    You can use the following placeholders in the authentication query, and EMQX will automatically fill in the client information when the query is executed:

    -%u: username

    -%c: clientid

    -%C: TLS certificate common name (domain name or subdomain name of the certificate), valid only for TLS connections

    -%d: TLS certificate subject, valid only for TLS connections

    You can adjust the authentication query according to your business needs, such as adding multiple query conditions and using database preprocessing functions to achieve more business-related functions. But in any case, the authentication query needs to meet the following conditions:

    1. The query result must contain the password field, which EMQX uses to compare with the client password
    2. If the salting configuration is enabled, the salt field must be included in the query result, and EMQX uses this field as the salt value

    TIP

    This is the collection structure used by the default configuration. Once you are familiar with the plug-in, you can use any collection that meets the conditions for authentication.

    Access Control Collection

    MongoDB ACL rules define publish, subscribe, and publish/subscribe information, and all of the rules are allow-list entries.

    When performing an ACL check, EMQX fills in the super user query configured by the user with the current client's information and executes it to check whether the client is a super user. When the client is a super user, the ACL query is skipped. Multiple conditions in the same selector are combined with a MongoDB "and" query in the actual query:

    You can use the following placeholders in the query conditions, and EMQX will automatically fill in the client information when the query is executed:

    -%u: username

    -%c: clientid

    You can adjust the super user query according to business needs, such as adding multiple query conditions and using database preprocessing functions to achieve more business-related functions. But in any case, the super user query needs to meet the following condition: the query result must include the is_superuser field, and is_superuser should be explicitly true.

    MongoDB supports the configuration of collection names, authentication fields, authentication placeholders and other parameters.

    TIP

    MongoDB ACL rules must strictly use the above data structure. All the rules added in MongoDB ACL are allow rules and can be used with acl_nomatch = deny.
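
    The decision order described in this section, as an added example that is not EMQX code and not part of the original page: the super user query runs first, then the allow-only ACL rules, then acl_nomatch decides. The rule field names publish, subscribe and pubsub, the two selectors and the sample documents are assumptions constructed for illustration.

```python
# Added illustration: models the decision order only; it is not EMQX source code.
# Assumed field names (not on the page): "publish", "subscribe", "pubsub".

def fill(selector, client):
    """Substitute %u / %c placeholders in a selector such as {"username": "%u"}."""
    subst = {"%u": client["username"], "%c": client["clientid"]}
    return {k: subst.get(v, v) for k, v in selector.items()}

def find(collection, query):
    """All conditions of one selector are ANDed, like a MongoDB "and" query."""
    return [d for d in collection if all(d.get(k) == v for k, v in query.items())]

def topic_match(flt, topic):
    """MQTT filter match: '+' is one level, '#' is all remaining levels."""
    f, t = flt.split("/"), topic.split("/")
    for i, part in enumerate(f):
        if part == "#":
            return True
        if i >= len(t) or (part != "+" and part != t[i]):
            return False
    return len(f) == len(t)

def check_acl(client, action, topic, users, acls,
              super_selector, acl_selector, acl_nomatch="deny"):
    # 1. Super user query: this model treats only boolean true as "explicitly true".
    if any(d.get("is_superuser") is True
           for d in find(users, fill(super_selector, client))):
        return "allow"  # ACL query is skipped entirely
    # 2. ACL query: every stored rule is an allow rule.
    for rule in find(acls, fill(acl_selector, client)):
        for flt in rule.get(action, []) + rule.get("pubsub", []):
            if topic_match(flt, topic):
                return "allow"
    # 3. Nothing matched: the acl_nomatch setting decides.
    return acl_nomatch

# Constructed sample data.
USERS = [{"username": "admin", "is_superuser": True},
         {"username": "ops", "is_superuser": "true"},  # string, not boolean
         {"username": "sensor1", "is_superuser": False}]
ACLS = [{"username": "sensor1", "clientid": "c1",
         "publish": ["telemetry/sensor1/#"], "subscribe": ["cmd/sensor1/+"]}]
SUPER_SEL = {"username": "%u"}
ACL_SEL = {"username": "%u", "clientid": "%c"}
```

    Because the stored rules can only allow, running the same checks with acl_nomatch set to allow lets every unmatched publish or subscribe through, which is why the rules are meant to be paired with acl_nomatch = deny.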

    Encryption rules

    TIP

    Refer to: Salt rules and hash methods.