In our use-case we have clients connecting to the broker using a client certificate + key and we want to use the Enterprise Security Extension for role-based access control, with an MSSQL backend.
Right now I have managed to configure the broker so that we can correctly connect using cert+key, and then we extract the common name from the cert and use this as the authentication-key.
The problem is that we still need to provide a username and password in order to be able to connect, when cert+key should be enough for our case.
How can we configure the ese-extension to allow for this case?
There is the “allow-all-authentication-manager” that would allow everyone with a cert to connect and then in theory the CN could be used to fetch the roles for the client, but I’m not sure how to achieve that.
When I use “sql-authentication-manager” the “authorization-role-key” seems to automatically resolve to the user's roles, but not when using the “allow-all-authentication-manager”.
Our config currently looks something like this:
<pipelines>
    <listener-pipeline listener="tls-listener">
        <authentication-preprocessors>
            <x509-preprocessor prefix="{{" postfix="}}">
                <x509-extractions>
                    <x509-extraction>
                        <x509-field>subject-common-name</x509-field>
                        <ese-variable>authentication-key</ese-variable>
                    </x509-extraction>
                </x509-extractions>
            </x509-preprocessor>
            <plain-preprocessor>
                <transformations>
                    <transformation>
                        <from>mqtt-password</from>
                        <to>authentication-byte-secret</to>
                    </transformation>
                </transformations>
            </plain-preprocessor>
        </authentication-preprocessors>
        <sql-authentication-manager>
            <realm>mssql-backend</realm>
        </sql-authentication-manager>
        <sql-authorization-manager>
            <realm>mssql-backend</realm>
            <use-authorization-key>false</use-authorization-key>
            <use-authorization-role-key>true</use-authorization-role-key>
        </sql-authorization-manager>
    </listener-pipeline>
</pipelines>
(I’ve also tried setting an empty password in the database (both an empty field and an empty hashed string) but that didn't work)
Edit:
A possible hack I tried that worked:
<plain-preprocessor>
    <transformations>
        <transformation encoding="UTF8">
            <from>authentication-key</from>
            <to>authentication-byte-secret</to>
        </transformation>
    </transformations>
</plain-preprocessor>
and then just create users with username==password. Maybe there is a better way though
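For readers following the thread, here is the workaround from the edit assembled into one complete listener pipeline. This is an added illustration, not the original poster's full config file and not HiveMQ's documentation; it only combines the two fragments posted above (same listener name, realm and element names) and adds comments tracing how the ESE variables flow through the pipeline. It assumes the second plain-preprocessor block replaces the first one in the same position, and that the realm "mssql-backend" is defined elsewhere in the ESE configuration.

```xml
<pipelines>
    <listener-pipeline listener="tls-listener">
        <authentication-preprocessors>
            <!-- Step 1: the TLS listener has already validated the client
                 certificate against its trust store. The x509-preprocessor
                 copies the certificate's subject CN into the ESE variable
                 "authentication-key", i.e. the CN becomes the username
                 looked up in the SQL realm. -->
            <x509-preprocessor prefix="{{" postfix="}}">
                <x509-extractions>
                    <x509-extraction>
                        <x509-field>subject-common-name</x509-field>
                        <ese-variable>authentication-key</ese-variable>
                    </x509-extraction>
                </x509-extractions>
            </x509-preprocessor>

            <!-- Step 2 (the workaround): instead of taking the MQTT password
                 from the CONNECT packet, copy the same CN (authentication-key)
                 into "authentication-byte-secret", the variable the SQL
                 authentication manager checks as the password. The MQTT
                 password sent by the client is therefore ignored. -->
            <plain-preprocessor>
                <transformations>
                    <transformation encoding="UTF8">
                        <from>authentication-key</from>
                        <to>authentication-byte-secret</to>
                    </transformation>
                </transformations>
            </plain-preprocessor>
        </authentication-preprocessors>

        <!-- Step 3: authenticate "CN / CN" against the MSSQL realm. For this
             to succeed, each user row in the realm must be created with the
             CN as its username and the CN as its password (username==password,
             as described in the edit above). -->
        <sql-authentication-manager>
            <realm>mssql-backend</realm>
        </sql-authentication-manager>

        <!-- Step 4: roles are resolved from the same realm via the
             authorization-role-key, which the sql-authentication-manager
             populates after a successful login. -->
        <sql-authorization-manager>
            <realm>mssql-backend</realm>
            <use-authorization-key>false</use-authorization-key>
            <use-authorization-role-key>true</use-authorization-role-key>
        </sql-authorization-manager>
    </listener-pipeline>
</pipelines>
```

Two things worth checking in a deployment that uses this pattern: the effective credential is the certificate CN, so the password stored for each user carries no secret of its own and the access decision rests entirely on the listener's client-certificate validation (trust store contents and any revocation handling); and because the client-supplied MQTT password is discarded, a client that sends a wrong or absent password still authenticates as long as its certificate is accepted, which is the intended behaviour here but should be reflected in the broker's connection logging and monitoring.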