Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow for clientId to be passed to postgres GetUser backend password check #328

Open
CompositeCoding opened this issue Jul 16, 2024 · 5 comments

Comments

@CompositeCoding
Copy link

Hi!

Thanks for your work on the plugin. I'm working on a refactor moving away from VerneMQ to Mosquitto for a large fleet of IOT devices. I would like to use the postgres backend, but we authenticate devices by their clientId, not username.

Looking at the GetUser function signature, it seems feasible to pass the clientId as a parameter to the PG call so that it populates $3, making it usable in SQL queries.

Please let me know what you think.

Thank you!

https://github.com/iegomez/mosquitto-go-auth/blob/master/backends/postgres.go#L186

@CompositeCoding
Copy link
Author

A config option to use the clientId instead of the username would also work for me

@iegomez
Copy link
Owner

iegomez commented Jul 21, 2024

I'll add the option but in a general way, not tied to Postgres.
Of course, it'll be disabled by default. I'll link the PR when I'm done.

@iegomez
Copy link
Owner

iegomez commented Jul 21, 2024

Scratch that, I'll see if I allow clientid to be used in queries, then you can bypass username with something like this:

SELECT topic FROM acl WHERE $1 = $1 AND rw = $2 AND user_name_client_id_field = $3

If there's no issue with simply ignoring the clientd arg when building the query, then that'll be a better solution.

@iegomez
Copy link
Owner

iegomez commented Jul 21, 2024

I went with the original idea because it was simpler and I don't think this is a commonly needed feature, the second one would involve adding support everywhere and changing the interfaces.

If anyone needs finer granularity, they should probably proxy requests or implement custom logic to do so.

Here's the PR: #329

@iegomez
Copy link
Owner

iegomez commented Aug 30, 2024

@CompositeCoding sorry for the time it took, there's something going on with TLS Postgres tests, but it's unrelated to this issue and the PR I opened, so I finally decided to merge and I'll open an issue to address that.

It's in main branch now, I'll make an official release after tackling the PG tests issue and #332 that should be pretty easy to add to the release.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants