Configuring RBAC Extension for the Azure Cloud

Hi Team,
I have configured a self-managed HiveMQ Cloud in Azure as per the documentation (HiveMQ Cloud Installation :: HiveMQ Documentation).

I am using a trial license.

Now I would like to configure the RBAC extension (HiveMQ Extension - File RBAC).
As per the documentation, the configuration file has to be kept under the extensions folder.
Where/how do I see the extensions folder?

Regards,
Viswanath Vankadari

Hello Viswanath,

We appreciate your contact. We would like to inform you that we have a helpful knowledge article available that provides guidance on applying the RBAC extension’s configurations using ConfigMap.
Please take a moment to review this resource, and should you encounter any difficulties or have any questions, please don’t hesitate to reach out to us for assistance. We are here to support you.

Regards,
Sheetal from HiveMQ Team

Hi Sheetal,
Thanks for giving the details.
I tried as per the documentation you provided. Below are the pod logs:

```text
Defaulted container "hivemq" out of: hivemq, init-shared (init), dns-wait (init)
Copying external files
'/conf-override/extensions/hivemq-file-rbac-extension' -> '/opt/hivemq/extensions/hivemq-file-rbac-extension'
'/conf-override/extensions/hivemq-file-rbac-extension/..2023_10_05_11_23_46.359768837' -> '/opt/hivemq/extensions/hivemq-file-rbac-extension/..2023_10_05_11_23_46.359768837'
'/conf-override/extensions/hivemq-file-rbac-extension/..2023_10_05_11_23_46.359768837/credentials.xml' -> '/opt/hivemq/extensions/hivemq-file-rbac-extension/..2023_10_05_11_23_46.359768837/credentials.xml'
'/conf-override/extensions/hivemq-file-rbac-extension/..data' -> '/opt/hivemq/extensions/hivemq-file-rbac-extension/..data'
'/conf-override/extensions/hivemq-file-rbac-extension/credentials.xml' -> '/opt/hivemq/extensions/hivemq-file-rbac-extension/credentials.xml'
Rewriting config.xml...
Creating initial lastUpdate files...
'/conf-override/extensions/hivemq-file-rbac-extension/..2023_10_05_11_23_46.359768837/credentials.xml' -> '/opt/hivemq/extensions/hivemq-file-rbac-extension/..2023_10_05_11_23_46.359768837/credentials.xml.lastUpdate'
Pod info:
extension-names=hivemq-file-rbac-extension
extension-uris=https://github.com/hivemq/hivemq-file-rbac-extension/releases/download/4.5.3/hivemq-file-rbac-extension-4.5.3.zip
extension-states=true
extensions-static=false
Installing extension #0 with name: hivemq-file-rbac-extension, URI: https://github.com/hivemq/hivemq-file-rbac-extension/releases/download/4.5.3/hivemq-file-rbac-extension-4.5.3.zip, enabled state: true
+ [[ 3 != 3 ]]
+ EXTENSION_URI=https://github.com/hivemq/hivemq-file-rbac-extension/releases/download/4.5.3/hivemq-file-rbac-extension-4.5.3.zip
+ EXTENSION_NAME=hivemq-file-rbac-extension
+ TARGET_STATE=true
+ TARGET_DIR=/opt/hivemq/extensions/hivemq-file-rbac-extension
++ mktemp -d
+ install_dir=/tmp/tmp.6Fs1FUSJLe
+ set +e
+ [[ -f /opt/hivemq/extensions/hivemq-file-rbac-extension/DISABLED ]]
+ was_enabled=1
+ set -e
+ [[ https://github.com/hivemq/hivemq-file-rbac-extension/releases/download/4.5.3/hivemq-file-rbac-extension-4.5.3.zip != \p\r\e\i\n\s\t\a\l\l\e\d ]]
+ cd /tmp/tmp.6Fs1FUSJLe
+ curl -L https://github.com/hivemq/hivemq-file-rbac-extension/releases/download/4.5.3/hivemq-file-rbac-extension-4.5.3.zip --output extension.zip
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 6967k  100 6967k    0     0  9268k      0 --:--:-- --:--:-- --:--:-- 28.2M
+ unzip extension.zip
Archive:  extension.zip
   creating: hivemq-file-rbac-extension/
  inflating: hivemq-file-rbac-extension/hivemq-file-rbac-extension-4.5.3.jar
  inflating: hivemq-file-rbac-extension/credentials.xml
  inflating: hivemq-file-rbac-extension/extension-config.xml
  inflating: hivemq-file-rbac-extension/hivemq-extension.xml
  inflating: hivemq-file-rbac-extension/README.html
  inflating: hivemq-file-rbac-extension/README.txt
+ [[ -d /opt/hivemq/extensions/hivemq-file-rbac-extension ]]
+ [[ -f /opt/hivemq/extensions/hivemq-file-rbac-extension/hivemq-extension.xml ]]
+ echo 'Installing new extension version'
+ mkdir -p /opt/hivemq/extensions/hivemq-file-rbac-extension
Installing new extension version
+ [[ true == \f\a\l\s\e ]]
+ [[ -f /opt/hivemq/extensions/hivemq-file-rbac-extension/DISABLED ]]
+ [[ https://github.com/hivemq/hivemq-file-rbac-extension/releases/download/4.5.3/hivemq-file-rbac-extension-4.5.3.zip != \p\r\e\i\n\s\t\a\l\l\e\d ]]
+ cd /tmp/tmp.6Fs1FUSJLe
+ cp -r hivemq-file-rbac-extension/credentials.xml hivemq-file-rbac-extension/extension-config.xml hivemq-file-rbac-extension/hivemq-extension.xml hivemq-file-rbac-extension/hivemq-file-rbac-extension-4.5.3.jar hivemq-file-rbac-extension/README.html hivemq-file-rbac-extension/README.txt /opt/hivemq/extensions/hivemq-file-rbac-extension/
cp: cannot create regular file '/opt/hivemq/extensions/hivemq-file-rbac-extension/credentials.xml': Read-only file system
/conf-override/extensions/hivemq-file-rbac-extension/:/opt/hivemq/extensions/hivemq-file-rbac-extension
-------------------------------------------------------------------------

                  _    _  _              __  __   ____
                 | |  | |(_)            |  \/  | / __ \
                 | |__| | _ __   __ ___ | \  / || |  | |
                 |  __  || |\ \ / // _ \| |\/| || |  | |
                 | |  | || | \ V /|  __/| |  | || |__| |
                 |_|  |_||_|  \_/  \___||_|  |_| \___\_\

-------------------------------------------------------------------------

  HiveMQ Start Script for Linux/Unix v1.13

-------------------------------------------------------------------------

  HIVEMQ_HOME: /opt/hivemq

  JAVA_OPTS: -XX:+UnlockExperimentalVMOptions -XX:InitialRAMPercentage=40 -XX:MaxRAMPercentage=50 -XX:MinRAMPercentage=30 -Djava.net.preferIPv4Stack=true -noverify --add-opens java.base/java.lang=ALL-UNNAMED --add-opens java.base/java.nio=ALL-UNNAMED --add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens jdk.management/com.sun.management.internal=ALL-UNNAMED --add-exports java.base/jdk.internal.misc=ALL-UNNAMED -Djava.security.egd=file:/dev/./urandom -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9010 -Dcom.sun.management.jmxremote.local.only=false -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Duser.language=en -Duser.region=US -XX:+CrashOnOutOfMemoryError -XX:+HeapDumpOnOutOfMemoryError

  JAVA_VERSION: 11

-------------------------------------------------------------------------

2023-10-05 11:24:01,849 INFO  - Starting HiveMQ Enterprise Server
2023-10-05 11:24:01,858 INFO  - HiveMQ version: 4.20.0
2023-10-05 11:24:01,858 INFO  - HiveMQ home directory: /opt/hivemq
2023-10-05 11:24:01,860 INFO  - Log Configuration was overridden by /opt/hivemq/conf/logback.xml
2023-10-05 11:24:02,696 INFO  - Successfully loaded configuration from '/opt/hivemq/conf/config.xml'.
2023-10-05 11:24:02,877 INFO  - This node's ID is gGKCM
2023-10-05 11:24:02,878 INFO  - Clustering is enabled
2023-10-05 11:24:12,130 INFO  - No valid license file found. Using trial license, restricted to 25 connections.
2023-10-05 11:24:12,722 INFO  - No valid license file for Data Hub found. Using free license, restricted to 1 policy.
2023-10-05 11:24:13,078 INFO  - This node uses '4' CPU cores.
2023-10-05 11:24:13,089 INFO  - Starting HiveMQ extension system.
2023-10-05 11:24:13,266 INFO  - Starting extension with id "hivemq-file-rbac-extension" at /opt/hivemq/extensions/hivemq-file-rbac-extension
2023-10-05 11:24:13,274 INFO  - Starting File RBAC extension.
2023-10-05 11:24:13,469 INFO  - Using TCP cluster transport on address 10.244.0.47 and port 7000
2023-10-05 11:24:13,481 INFO  - Using extension cluster discovery
2023-10-05 11:24:13,502 WARN  - Configuration for file auth extension has errors:
        - User 'user2' has invalid password
        - User 'admin-user' has invalid password
2023-10-05 11:24:13,505 WARN  - Configuration for file auth extension has errors:
        - User 'user2' has invalid password
        - User 'admin-user' has invalid password
2023-10-05 11:24:13,505 WARN  - No credentials configuration file for file auth extension available, denying all connections.
2023-10-05 11:24:13,551 INFO  - Extension "HiveMQ File Role Based Access Control Extension" version 4.5.3 started successfully.
2023-10-05 11:24:13,552 INFO  - Starting extension with id "hivemq-dns-cluster-discovery" at /opt/hivemq/extensions/hivemq-dns-cluster-discovery
2023-10-05 11:24:13,680 INFO  - Extension "DNS Cluster Discovery Extension" version 4.2.4 started successfully.
2023-10-05 11:24:13,680 INFO  - Starting extension with id "hivemq-allow-all-extension" at /opt/hivemq/extensions/hivemq-allow-all-extension
2023-10-05 11:24:13,681 WARN  -
################################################################################################################
# This HiveMQ deployment is not secure! You are lacking Authentication and Authorization.                      #
# Right now any MQTT client can connect to the broker with a full set of permissions.                          #
# For production usage, add an appropriate security extension and remove the hivemq-allow-all extension.       #
# You can download security extensions from the HiveMQ Marketplace (https://www.hivemq.com/extensions/).       #
################################################################################################################
2023-10-05 11:24:13,687 INFO  - Extension "Allow All Extension" version 1.0.0 started successfully.
2023-10-05 11:24:13,687 INFO  - Starting extension with id "hivemq-k8s-sync-extension" at /opt/hivemq/extensions/hivemq-k8s-sync-extension
2023-10-05 11:24:13,826 INFO  - Started HiveMQ Kubernetes State Synchronization Extension:4.20.0
2023-10-05 11:24:13,826 INFO  - Extension "HiveMQ Kubernetes State Synchronization Extension" version 4.20.0 started successfully.
2023-10-05 11:24:13,826 INFO  - Starting extension with id "hivemq-prometheus-extension" at /opt/hivemq/extensions/hivemq-prometheus-extension
2023-10-05 11:24:14,104 INFO  - Started Jetty Server exposing Prometheus Servlet on URI http://0.0.0.0:9399/
2023-10-05 11:24:14,109 INFO  - Extension "Prometheus Monitoring Extension" version 4.0.8 started successfully.
2023-10-05 11:24:15,940 INFO  - gGKCM: no members discovered after 2337 ms: creating cluster as first member
2023-10-05 11:24:15,960 INFO  - Cluster nodes found by discovery: [gGKCM|0] (1) [gGKCM].
2023-10-05 11:24:16,009 INFO  - No user for HiveMQ Control Center configured. Starting with default user
2023-10-05 11:24:16,009 INFO  - Starting HiveMQ Control Center on address 0.0.0.0 and port 8080
2023-10-05 11:24:16,421 INFO  - Control Center Audit Logging started.
2023-10-05 11:24:16,421 INFO  - Started HiveMQ Control Center in 412ms
2023-10-05 11:24:16,452 INFO  - Starting TCP listener on address 0.0.0.0 and port 1883
2023-10-05 11:24:16,507 INFO  - Started TCP Listener on address 0.0.0.0 and on port 1883.
2023-10-05 11:24:16,507 INFO  - Started HiveMQ in 14675ms
2023-10-05 11:25:13,505 WARN  - Configuration for file auth extension has errors:
        - User 'user2' has invalid password
        - User 'admin-user' has invalid password
```

Below is the content of “extension-config.xml”:

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<extension-configuration>

    <!-- Reload interval for credentials in seconds -->
    <credentials-reload-interval>60</credentials-reload-interval>

    <!-- Optional list of names of listeners this extension is used for
    <listener-names>
        <listener-name>my-listener</listener-name>
        <listener-name>my-listener-2</listener-name>
    </listener-names> -->

    <!-- Whether the credentials file is using HASHED or PLAIN passwords -->
    <password-type>PLAIN</password-type>

    <!-- Use this option to toggle the behaviour in case authentication by this extension failed.
         false (default) -> the client doesn't get authenticated
         true            -> instead of failing the authentication we delegate the decision to the next extension with an
                            authentication implemented (with lower priority); in case no other extension exists we fail
                            the authentication -->
    <!--next-extension-instead-of-fail>true</next-extension-instead-of-fail-->

</extension-configuration>
```

Below is the content of credentials.xml:

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<file-rbac>
    <users>
        <user>
            <name>user2</name>
            <!-- password hash for "pass1" -->
            <password>admin@123</password>
            <roles>
                <id>role1</id>
            </roles>
        </user>
        <user>
            <name>admin-user</name>
            <!-- password hash for "admin-password" -->
            <password>admin@123</password>
            <roles>
                <id>superuser</id>
            </roles>
        </user>
    </users>
    <roles>
        <role>
            <id>role1</id>
            <permissions>
                <permission>
                    <!-- PUBLISH and SUBSCRIBE to all topics below "data/<clientid>/" -->
                    <topic>data/${{clientid}}/#</topic>
                </permission>
                <permission>
                    <!-- PUBLISH to topic "outgoing/<clientid>", retained only -->
                    <topic>outgoing/${{clientid}}</topic>
                    <activity>PUBLISH</activity>
                    <retain>RETAINED</retain>
                </permission>
                <permission>
                    <!-- SUBSCRIBE to topic "incoming/<username>/actions" -->
                    <topic>incoming/${{username}}/actions</topic>
                    <activity>SUBSCRIBE</activity>
                </permission>
            </permissions>
        </role>
        <role>
            <id>superuser</id>
            <permissions>
                <permission>
                    <!-- Allow everything -->
                    <topic>#</topic>
                </permission>
            </permissions>
        </role>
    </roles>
</file-rbac>
```

Below is the content of the hivemq.yaml file:

```yaml
hivemq:
  nodeCount: "1"

  ports:
    - name: "mqtt"
      port: 1883
      expose: true
      patch:
        - '[{"op":"add","path":"/spec/type","value":"LoadBalancer"}]'
    - name: "cc"
      port: 8080
      expose: true
      patch:
        - '[{"op":"add","path":"/spec/sessionAffinity","value":"ClientIP"}]'
  extensions:
    - name: hivemq-file-rbac-extension
      extensionUri: https://github.com/hivemq/hivemq-file-rbac-extension/releases/download/4.6.0/hivemq-file-rbac-extension-4.6.0.zip
      configMap: rbactest3
      enabled: true

  # Uncomment the following lines if you have a valid HiveMQ license
  # configMap:
  #   - name: hivemq-license
  #     path: /opt/hivemq/license

monitoring:
  dedicated: true
  enabled: true
```

Can you help me out in resolving the issue?

Regards,
Viswanath
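
As an added example (not code from this thread or from the HiveMQ project), a small Python pre-flight audit of the two XML files above before they are packed into a ConfigMap: it checks that every role a user holds is defined, flags roles that grant unrestricted `#` access and the users holding them, and flags plain-text passwords, since a ConfigMap is not a Secret and anyone who can read it can read them. The two inputs are constructed, trimmed copies of the files posted above, with one dangling role reference (`missing-role`) added so the check is seen firing.

```python
import xml.etree.ElementTree as ET

# Constructed inputs: trimmed copies of the extension-config.xml and credentials.xml
# posted above, plus one deliberately dangling role reference ('missing-role').
EXTENSION_CONFIG = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<extension-configuration>
    <credentials-reload-interval>60</credentials-reload-interval>
    <password-type>PLAIN</password-type>
</extension-configuration>"""

CREDENTIALS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<file-rbac>
    <users>
        <user><name>user2</name><password>admin@123</password>
              <roles><id>role1</id></roles></user>
        <user><name>admin-user</name><password>admin@123</password>
              <roles><id>superuser</id><id>missing-role</id></roles></user>
    </users>
    <roles>
        <role><id>role1</id><permissions>
            <permission><topic>data/${{clientid}}/#</topic></permission>
        </permissions></role>
        <role><id>superuser</id><permissions>
            <permission><topic>#</topic></permission>
        </permissions></role>
    </roles>
</file-rbac>"""


def audit(extension_config_xml: str, credentials_xml: str) -> list[str]:
    """Cross-check the two files and return a list of findings (empty = clean)."""
    findings = []
    cfg = ET.fromstring(extension_config_xml)
    creds = ET.fromstring(credentials_xml)
    password_type = (cfg.findtext("password-type") or "").strip()
    roles = list(creds.iterfind("roles/role"))
    defined_roles = {r.findtext("id") for r in roles}
    # Topic '#' with no <activity> restriction = publish and subscribe everywhere.
    full_access_roles = {
        r.findtext("id") for r in roles
        for p in r.iterfind("permissions/permission")
        if p.findtext("topic") == "#" and p.find("activity") is None
    }
    for user in creds.iterfind("users/user"):
        name = user.findtext("name")
        if not user.findtext("password"):
            findings.append(f"user '{name}' has an empty password")
        elif password_type == "PLAIN":
            # A ConfigMap is readable by anyone with read access to it.
            findings.append(f"user '{name}' has a PLAIN password in a ConfigMap")
        for rid in (r.text for r in user.iterfind("roles/id")):
            if rid not in defined_roles:
                findings.append(f"user '{name}' references undefined role '{rid}'")
            elif rid in full_access_roles:
                findings.append(f"user '{name}' holds full-access role '{rid}'")
    return findings
```

Run the audit on the real files (read from disk) before `kubectl create configmap`; an empty result is the goal, and a PLAIN finding is the cue to switch `password-type` to HASHED.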

Hi Sheetal,
I am able to use File Based RBAC extension successfully with the steps provided.
Thanks for the support.

I have the following questions on this:

  • Does it have any UI to manage the configuration.xml?

  • Any changes made to the configuration file are only reflected once the following commands are executed (I waited 60 seconds for the changes to be read, as per extension-config.xml):

```shell
helm uninstall hivemq
# delete the existing configmap
kubectl delete configmap rbactest9
# recreate a new config map
kubectl create configmap rbactest10 --from-file hivemq-file-rbac-extension/credentials.xml
helm upgrade --install -f hivemq.yaml hivemq hivemq/hivemq-operator
```

Regards,
Viswanath

Hello @ViswanathDR

I’m delighted to hear that you’ve successfully set up the File RBAC extension. Regarding your inquiries:

Does it have any UI to manage the configuration.xml?

Unfortunately, there is no user interface available for editing the configuration XML.

Any changes made to the configuration file are only reflected once the following commands are executed (waiting 60 seconds for the changes to be read, as per extension-config.xml).

You don’t need to uninstall HiveMQ every time to make changes. If you can edit the configurations in your values.yaml file, you can then use the helm upgrade command to apply them.
On the other hand, if you’re using a configMap, you’ll need to update the configMap and then run the same helm update command to have the changes applied to the running HiveMQ pods.

```shell
helm upgrade --install -f hivemq.yaml hivemq hivemq/hivemq-operator -n <your namespace>
```

This command is used to update an existing Helm release. If the release doesn’t exist, it will be installed.

I hope this clarifies things for you, and please don’t hesitate to reach out if you have any more questions or need further assistance.

Regards,
Sheetal from HiveMQ Team

Hi Sheetal,
Until all the above commands are executed, the changes to configuration.xml are not reflected.

I can reproduce the issue. Can we connect so that I can show it?

Regards,
Viswanath Vankadari

Hi @ViswanathDR

Thank you for reaching out and providing an update.

I appreciate your willingness to demonstrate the issue. However, at the moment, a direct connection may not be possible. To ensure we address the matter effectively, could you please record a video while reproducing the issue? This will allow us to closely analyze the steps and better understand the situation.

Your cooperation is highly valued, and I’m confident that with your video demonstration, we’ll be able to work towards a resolution more efficiently.

Best,
Dasha from HiveMQ Team