docker-vernemq icon indicating copy to clipboard operation
docker-vernemq copied to clipboard
verified publisher icon vernemq

Is it possible to use mountpoint without listeners ?

Open SebUndefined opened this issue 3 years ago • 1 comments

Hi,

We use VerneMQ for our iot solution and we would like to use mountpoint for splitting our clients.

As far as we can see, it is possible to use mountpoint through Webhook without creating a listener. Our strategy would be:

  • prefix the username or client_id of the device with a specific string (the client name for example). Like [Client_Name]_[Device_username]. This will be done at the device creation automatically.
  • check if the client exist in DB with the prefix, auth the device of course and return a modifier like this in the auth_on_register webhook
{
      "result": "ok",
      "modifiers": {
        "client_id": "client_id",
        "mountpoint": "client_name"
      }
}

Note: we have to return the client_id in the modifier otherwise the mountpoint modifier is ignored. https://pi3g.com/2019/06/09/changing-the-mountpoint-on-auth_on_register-webhook-for-vernemq/

as far as we can see, it works pretty well. The mountpoint is taken into consideration after auth_on_register and one device subscribing to a topic on mountpoint "x" is not able to see message published on this topic by another device connected to a mountpoint "y".

I am just wondering if this solution is ok or is it just an "hack" ? We found that creating listeners "on the fly" for each customer could be really complicated especially with k8s deployment. But if this solution is viable in production, it could fix all our problems :)

SebUndefined avatar May 18 '22 14:05 SebUndefined

@SebUndefined apologies that I missed to comment on this. I will not issue security recommendations (as a general disclaimer), but your approach uses the modifier in a valid way. The plugin is free to modify the mountpoint internally. This can, in fact, be used as a label to partition Clients.

The difference to using listeners alongside is that there's still only 1 topic tree with your approach. So, ACL must be in place to ensure that Clients do not cross-subscribe, subscribe to wrong topics etc. The other consequence is that the same topic name will mean the actual same topic for all clients. (that is, you cannot use a topic "example" with entirerly separated meaning per customer)

But other than that, your approach is certainly good and usable.

:point_right: Thank you for supporting VerneMQ: https://github.com/sponsors/vernemq :point_right: Using the binary VerneMQ packages commercially (.deb/.rpm/Docker) requires a paid subscription.

ioolkos avatar Jun 17 '22 06:06 ioolkos