Gateway "Self-Service" when using RabbitMQ as the backend


#1

Hey folks,

I’m using RabbitMQ with the MQTT plugin and I have permissions set at the vhost and queue level for the gateways, however at present I’m using “hand-crafted” MQTT usernames/passwords for each gateway.

What I’d like to do is somehow integrate the MQTT authentication with existing data from the PostgreSQL/HTTP API so that gateways authenticate based on a combination of gateway id and MAC address or similar.

Is anyone else out there doing this?


#2

Although this is for Mosquitto, this could help you implement this for RabbitMQ: Go mosquitto auth plugin.


#3

I only found this repo doing auth for RabbitMQ directly with Postgres, but it’s incomplete (authentication only).

There’s an HTTP one that’s mentioned in the community plugins, so at least you can use the API.


#4

Thanks, I’d seen the plugin for Postgresql and was just as disappointed that it wasn’t complete.

I’ll take a look at the HTTP one, I’m not too sure which API endpoint I’d point it at, but I’ll play around with it, thanks :slight_smile:


#5

I’m curious, what’s you use case for RabbitMQ?


#6

I know it far better than I know mosquitto, I’ve had it running with thousands of clients sending millions of messages underpinning a public cloud platform, and I know that it scales without question.

It’s more difficult to setup, but it just seems to be more resilient, and as we’re looking to release both public and private infrastructure projects based on this I want to know that I can trust my infrastructure :slight_smile:


#7

That seems reasonable, bun in that case you’ll probably want to develop your own plugin or extend the one we mentioned to check directly against Postgres. I’d even say that this scenario may present too much overhead if your worries are about scalability, throughput, etc., as you’ll be hitting the DB constantly with every gateway message, but it’s a lot better than having to hit an API and the DB all the time.


#8

Yeah, with every layer I get more problems… :wink:

Thankfully it’s working with “static” credentials and a clustered setup at the moment, so this is just the next bit of the jigsaw to fix :smiley: