Add basic permissions and security
This commit adds configuration for some basic security. It enables anonymous read-only access (which is important for this use case) and also sets up a privileged user which has global readwrite on the broker. Eventually we can move to a more fine-grained permission model with per-service and per-topic write permission, but this is a sane starting point. Change-Id: I546007f1f4fc57d9edd54294a27c2cd726a134db
This commit is contained in:
parent
623eab68ef
commit
e6e978cae7
|
@ -18,14 +18,40 @@ class mosquitto::server (
|
||||||
$pid_file = '/var/run/mosquitto.pid',
|
$pid_file = '/var/run/mosquitto.pid',
|
||||||
$log_file = '/var/log/mosquitto/mosquitto.log',
|
$log_file = '/var/log/mosquitto/mosquitto.log',
|
||||||
$persistence_location = '/var/lib/mosquitto/',
|
$persistence_location = '/var/lib/mosquitto/',
|
||||||
|
$infra_service_username = 'infra',
|
||||||
|
$infra_service_password,
|
||||||
) {
|
) {
|
||||||
|
|
||||||
|
file {'/etc/mosquitto/infra_service.pw':
|
||||||
|
ensure => present,
|
||||||
|
owner => 'root',
|
||||||
|
group => 'root',
|
||||||
|
mode => '0644',
|
||||||
|
replace => true,
|
||||||
|
require => Package['mosquitto'],
|
||||||
|
}
|
||||||
|
|
||||||
|
exec {'passwd_file':
|
||||||
|
command => "/usr/bin/mosquitto_passwd -b /etc/mosquitto/infra_service.pw ${infra_service_username} ${infra_service_password}",
|
||||||
|
require => File['/etc/mosquitto/infra_service.pw']
|
||||||
|
}
|
||||||
|
|
||||||
|
file {'/etc/mosquitto/infra_service.acl':
|
||||||
|
ensure => present,
|
||||||
|
owner => 'root',
|
||||||
|
group => 'root',
|
||||||
|
mode => '0644',
|
||||||
|
replace => true,
|
||||||
|
content => template('mosquitto/mosquitto.acl.erb'),
|
||||||
|
require => Exec['passwd_file'],
|
||||||
|
}
|
||||||
|
|
||||||
file {'/etc/mosquitto/mosquitto.conf':
|
file {'/etc/mosquitto/mosquitto.conf':
|
||||||
ensure => present,
|
ensure => present,
|
||||||
owner => 'root',
|
owner => 'root',
|
||||||
group => 'root',
|
group => 'root',
|
||||||
mode => '0644',
|
mode => '0644',
|
||||||
content => template('mosquitto/mosquitto.conf.erb'),
|
content => template('mosquitto/mosquitto.conf.erb'),
|
||||||
require => Package['mosquitto'],
|
require => File['/etc/mosquitto/infra_service.acl'],
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
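Review bot: The `passwd_file` exec's `command =>` line embeds `${infra_service_password}` in the mosquitto_passwd argument list, so the cleartext password is visible in the process table while the command runs and is carried in the compiled catalog, and because the exec has no `unless`, `creates` or `refreshonly` guard it re-runs and rewrites the file on every catalog apply. The value is also interpolated unquoted, so a password containing spaces or shell metacharacters breaks the command. The `/etc/mosquitto/infra_service.pw` resource above it is `mode => '0644'`, which leaves the password hash readable by every local account; `mode => '0640'` with `group` set to the account the broker runs as (not shown in this hunk) is tighter, and the same applies to the `.acl` file. Accepting the already-hashed entry and writing it through `content` would remove both the exec and the password from the catalog; at minimum add a guard such as `unless => "/usr/bin/grep -q '^${infra_service_username}:' /etc/mosquitto/infra_service.pw"`, accepting that a changed password then needs the file removed. None of the new resources `notify` a service, so a changed password or ACL is not picked up until the broker reloads unless a subscribe exists outside this hunk; the class's parameter list also begins above the hunk.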
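--- /dev/null
+++ b/mosquitto/mosquitto.acl.erb
@@ -0,0 +1,4 @@
+topic read #
+
+user <%= @infra_service_username %>
+topic readwrite #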
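Review bot: The template has no comment explaining that the `topic read #` line before the first `user` line is the anonymous/default block, so a later edit that inserts another `user` above it would silently turn the anonymous grant into a per-user one. A header such as `# Lines before the first "user" apply to anonymous clients (needs allow_anonymous true)` followed by `# <%= @infra_service_username %>: global read/write for the infra services` would document the intent the commit message states. Under the MQTT wildcard rules `#` should not match `$SYS/` topics, so anonymous readers presumably do not see broker statistics; worth confirming and stating in the same header if that is intended.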
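--- a/mosquitto/mosquitto.conf.erb
+++ b/mosquitto/mosquitto.conf.erb
@@ -595,7 +595,8 @@ log_dest file <%= @log_file %>
 #
 # pattern write sensor/%u/data
 #
-#acl_file
+acl_file /etc/mosquitto/infra_service.acl
+password_file /etc/mosquitto/infra_service.pw
 
 # -----------------------------------------------------------------
 # Authentication and topic access plugin options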
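Review bot: Whether anonymous clients get the read-only access the commit describes depends on `allow_anonymous`, which is outside this hunk; once `password_file` is set, a false value (the default in some broker versions) turns anonymous readers into rejected connections, so a comment beside the new line such as `# anonymous read-only access also requires allow_anonymous true; named users come from the password file` would tie the two settings together. The two new paths are literals while neighbouring settings take values such as `@log_file` from the manifest, and the manifest hard-codes `/etc/mosquitto/infra_service.acl` in three places of its own; passing them as parameters (`acl_file <%= @acl_file %>`, `password_file <%= @password_file %>`) would keep a single source of truth. The same hard-coding point applies to the mosquitto::server resources in the first file section.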