I want to know where and how HiveMQ Community Edition checks for authentication of user and password

I want to know where and how HiveMQ Community Edition checks for authentication of user and password which is set in RBAC’s credentials.xml file.
I have cloned the Community Edition project from GitHub, which is working fine with user and password, but I want to know where it checks and how the mechanism works because I want to customize it. I want to remove the RBAC extension and add a database from where user and hashed password will be fetched. Please reply to this on priority.
TIA

Hi @sanket

The HiveMQ File RBAC security extension handles user authentication in the onConnect() method of the FileAuthAuthenticator class. You can review the implementation details here.

Specifically, the method checks for roles associated with a username/password combination via credentialsValidator.getRoles, which you can explore here.

The password matching process is handled by the credentialsHasher.checkCredentials method. You can find the relevant code here.

For further guidance on implementing a custom Authenticator, please refer to the HiveMQ Extension Developer Guide. This guide requires Java programming skills and is available here.

Finally, you can find detailed documentation on the HiveMQ Extension SDK here.

I hope it helps. Feel free to reach out if you have any more questions or need further assistance.

Best regards,
Dasha from the HiveMQ Team

So according to your answer, I can use an SQLite database instead of the RBAC extension?
Is there any implementation available to do such customization?
Thanks for the above solution, please look at this also. TIA

Hi @sanket,

Thank you for your question.

The HiveMQ File RBAC security extension is open source, and its GitHub repository is public. This allows you to fork the repo and implement database storage instead of using a credentials file.

There isn’t an open-source example extension available for direct use. The HiveMQ Enterprise Security Extension offers database storage for security permissions, but it is a proprietary solution.

If you need further assistance or guidance on implementing this, please feel free to reach out. We’re here to help!

Best regards,
Dasha from the HiveMQ Team

Implementing a custom authenticator using this link: MQTT Client Authentication Options for Your HiveMQ Extension :: HiveMQ Documentation
AND
The HiveMQ File RBAC security extension is open source, and its GitHub repository is public. This allows you to fork the repo and implement database storage instead of using a credentials file.

Are these both the same thing or different? Can we implement a custom authenticator to use a database, or do I need to fork the repo and implement the database?

To implement a database, is there any other option than using the forked RBAC file?

Hi sanket,

you basically have three options:

  1. You use the File RBAC Extension => Free, but no DB
  2. You implement your own DB-based extension with a SimpleAuthenticator => Free, but requires programming and is hard to do in a scalable manner
  3. You buy HiveMQ Enterprise and the Enterprise Security Extension => Costs money, but comes with the support for many DBs, convenient and will serve your needs for the foreseeable future

Cheers
Sauroter
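Option 2 as an added example (not part of the original posts and not code from the File RBAC extension): a `SimpleAuthenticator` that verifies a PBKDF2 password hash fetched over JDBC and runs the blocking query on the extension executor so the broker's connection handling is not stalled. The class name `DbAuthenticator`, the table `mqtt_users` with its `salt`, `iterations` and `hash` columns, and the injected `DataSource` are assumptions made for this example.

```java
import com.hivemq.extension.sdk.api.async.*;
import com.hivemq.extension.sdk.api.auth.SimpleAuthenticator;
import com.hivemq.extension.sdk.api.auth.parameter.*;
import com.hivemq.extension.sdk.api.packets.connect.ConnackReasonCode;
import com.hivemq.extension.sdk.api.services.Services;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.sql.DataSource;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.sql.*;
import java.time.Duration;

public class DbAuthenticator implements SimpleAuthenticator {
    private final DataSource dataSource; // assumption: a pooled JDBC DataSource (SQLite, PostgreSQL, ...)
    public DbAuthenticator(DataSource dataSource) { this.dataSource = dataSource; }

    @Override
    public void onConnect(SimpleAuthInput input, SimpleAuthOutput output) {
        var user = input.getConnectPacket().getUserName();   // Optional<String>
        var pass = input.getConnectPacket().getPassword();   // Optional<ByteBuffer>
        if (user.isEmpty() || pass.isEmpty()) {
            output.failAuthentication(ConnackReasonCode.BAD_USER_NAME_OR_PASSWORD, "credentials required");
            return;
        }
        char[] password = StandardCharsets.UTF_8.decode(pass.get()).toString().toCharArray();
        // Decide asynchronously; if the database does not answer in 5 s the connect is rejected.
        Async<SimpleAuthOutput> async = output.async(Duration.ofSeconds(5), TimeoutFallback.FAILURE);
        Services.extensionExecutorService().submit(() -> {
            try {
                if (matches(user.get(), password)) async.getOutput().authenticateSuccessfully();
                else async.getOutput().failAuthentication(ConnackReasonCode.BAD_USER_NAME_OR_PASSWORD, "bad credentials");
            } catch (Exception e) {
                async.getOutput().failAuthentication(); // database error: fail closed
            } finally { async.resume(); }
        });
    }

    private boolean matches(String user, char[] password) throws Exception {
        String sql = "SELECT salt, iterations, hash FROM mqtt_users WHERE username = ?"; // hypothetical schema
        try (Connection c = dataSource.getConnection(); PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, user); // bound parameter, never string concatenation
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) return false; // unknown user
                byte[] expected = rs.getBytes("hash");
                PBEKeySpec spec = new PBEKeySpec(password, rs.getBytes("salt"), rs.getInt("iterations"), expected.length * 8);
                byte[] actual = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
                return MessageDigest.isEqual(expected, actual); // constant-time comparison
            }
        }
    }
}
```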

Thank you sauroter,
So, like mentioned in daria_H’s solution, I cannot fork the RBAC extension and implement a DB? Am I right?
There are only three options available according to you?
Are SimpleAuthenticator and forking the RBAC extension different things?

It's the same thing. File RBAC uses the SimpleAuthenticator of the Extension SDK.

What changes need to be done in the RBAC file to use SimpleAuthenticator to build my own DB-based extension? Can you provide anything that can help me to build my own DB-based extension?
Thanks for all the above solutions.

How to use an SSL certificate in RBAC-file-extension for connection?

That's kind of up to you. You will need to set up a DB connection, define a schema for permissions, decide when and what to query and so on.
There is a reason we made a product out of it.

We publicly document our SQL layout for ESE. I would start there. Be careful though that you do not directly copy anything; you will make yourself liable to license infringement if you do so.

You need to parse the TlsInformation that you get in the SimpleAuthInput → ConnectionInformation.
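What reading the `TlsInformation` can look like, as an added example that is not part of the original posts or of the File RBAC extension. It assumes the TLS listener is configured to request client certificates, and the policy it enforces (certificate CN must equal the MQTT client identifier) and the class name `ClientCertAuthenticator` are choices made for this example.

```java
import com.hivemq.extension.sdk.api.auth.SimpleAuthenticator;
import com.hivemq.extension.sdk.api.auth.parameter.SimpleAuthInput;
import com.hivemq.extension.sdk.api.auth.parameter.SimpleAuthOutput;
import com.hivemq.extension.sdk.api.client.parameter.TlsInformation;
import com.hivemq.extension.sdk.api.packets.connect.ConnackReasonCode;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import java.security.cert.X509Certificate;
import java.util.Optional;

public class ClientCertAuthenticator implements SimpleAuthenticator {

    @Override
    public void onConnect(SimpleAuthInput input, SimpleAuthOutput output) {
        // SimpleAuthInput -> ConnectionInformation -> TlsInformation; empty on non-TLS connections.
        Optional<TlsInformation> tls = input.getConnectionInformation().getTlsInformation();
        X509Certificate cert = tls.map(TlsInformation::getCertificate).orElse(null);
        if (cert == null) {
            output.failAuthentication(ConnackReasonCode.NOT_AUTHORIZED, "client certificate required");
            return;
        }
        String clientId = input.getClientInformation().getClientId();
        // Example policy (assumption): the subject CN must be identical to the MQTT client id.
        if (commonName(cert).filter(clientId::equals).isPresent()) {
            output.authenticateSuccessfully();
        } else {
            output.failAuthentication(ConnackReasonCode.NOT_AUTHORIZED, "certificate does not match client id");
        }
    }

    // Extracts the CN from the subject DN with a real DN parser rather than string splitting,
    // so escaped commas or multi-valued RDNs cannot spoof the value.
    static Optional<String> commonName(X509Certificate cert) {
        try {
            LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
            for (Rdn rdn : dn.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) return Optional.of(rdn.getValue().toString());
            }
        } catch (InvalidNameException e) {
            // unparsable subject: treat as "no CN" and let the caller reject the connect
        }
        return Optional.empty();
    }
}
```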

I declared the above configuration in config.xml of the HiveMQ configuration file and tried to connect with an SSL certificate; it shows this error:
MqttException (0) - javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
Caused by: java.io.EOFException: SSL peer shut down incorrectly
These exceptions are occurring during connection. I am trying to connect with mqtt-spy as client. I am using rbac-file-extension for authentication, i.e. user, password, roles, permission.

Hi @sanket

To effectively diagnose the issue you’re experiencing with TLS, using an MQTT client with verbose debug output is essential. This is necessary for getting detailed insights into the communication process between your client and the MQTT broker, which can reveal specific errors or misconfigurations.

By running MQTT-CLI with debug and verbose options enabled, you’ll capture detailed logs of each step the client takes when connecting to the broker and publishing messages. This output can pinpoint issues such as authentication failures, connection problems, or even protocol mismatches, helping you troubleshoot effectively.

Here’s an example MQTT-CLI command that connects to a broker on port 1883 using TLS and client certificates, along with debug and verbose flags:

mqtt publish --host localhost --port 1883 --topic "test" --message "hello" --cert mqtt-client-cert-1.pem --key mqtt-client-key-1.pem --cafile hivemq-server-cert.pem --debug --verbose

Please refer to the resources provided for detailed installation and usage instructions:

These resources will guide you through configuring MQTT-CLI and understanding its output effectively. Enabling verbose output will provide you with more detailed information, particularly helpful for identifying TLS errors. Please feel free to reach out if you have any more questions or need further assistance!

Best regards,
Dasha from the HiveMQ Team

Good Morning,
I have authenticated with rbac-file-extension, but now I want to connect to the broker through the extension SDK. I got code for the same, i.e. connecting to the broker via the extension SDK with the help of the Maven dependency of hivemq-extension. When I try to run that code, many packages are not importing, and the reason is: The import com.hivemq.extension.sdk.api.client.parameter.ConnectPacket cannot be resolved. Likewise, many packages are not imported. I checked extension-sdk on GitHub, but there are only interfaces available in every folder, so what are the reasons that packages are not importing?

Hello @sanket

To assist you more effectively, could you please provide step-by-step details of the changes you have made to your project? This information is crucial for us to understand the issue and offer the best possible support.

Additionally, we recommend reviewing our detailed documentation on building custom extensions using the HiveMQ Extension SDK.

Regards,
Sheetal from HiveMQ Team