Add basic permissions and security
This commit adds configuring some basic security. It enables anonymous read only access (which is important for this use case) also setups a privileged user which has global readwrite on the broker. Eventually we can move to a more fine grained permission model with per service and per topic write permission, but this is a sane starting point. Change-Id: I546007f1f4fc57d9edd54294a27c2cd726a134db
This commit is contained in:
Matthew Treinish
parent
623eab68ef
commit
e6e978cae7
|
|
@ -18,14 +18,40 @@ class mosquitto::server (
|
|||
$pid_file = '/var/run/mosquitto.pid',
|
||||
$log_file = '/var/log/mosquitto/mosquitto.log',
|
||||
$persistence_location = '/var/lib/mosquitto/',
|
||||
$infra_service_username = 'infra',
|
||||
$infra_service_password,
|
||||
) {
|
||||
|
||||
file {'/etc/mosquitto/infra_service.pw':
|
||||
ensure => present,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0644',
|
||||
replace => true,
|
||||
require => Package['mosquitto'],
|
||||
}
|
||||
|
||||
exec {'passwd_file':
|
||||
command => "/usr/bin/mosquitto_passwd -b /etc/mosquitto/infra_service.pw ${infra_service_username} ${infra_service_password}",
|
||||
require => File['/etc/mosquitto/infra_service.pw']
|
||||
}
|
||||
|
||||
file {'/etc/mosquitto/infra_service.acl':
|
||||
ensure => present,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0644',
|
||||
replace => true,
|
||||
content => template('mosquitto/mosquitto.acl.erb'),
|
||||
require => Exec['passwd_file'],
|
||||
}
|
||||
|
||||
file {'/etc/mosquitto/mosquitto.conf':
|
||||
ensure => present,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0644',
|
||||
content => template('mosquitto/mosquitto.conf.erb'),
|
||||
require => Package['mosquitto'],
|
||||
require => File['/etc/mosquitto/infra_service.acl'],
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,4 @@
|
|||
topic read #
|
||||
|
||||
user <%= @infra_service_username %>
|
||||
topic readwrite #
|
||||
|
|
@ -595,7 +595,8 @@ log_dest file <%= @log_file %>
|
|||
#
|
||||
# pattern write sensor/%u/data
|
||||
#
|
||||
#acl_file
|
||||
acl_file /etc/mosquitto/infra_service.acl
|
||||
password_file /etc/mosquitto/infra_service.pw
|
||||
|
||||
# -----------------------------------------------------------------
|
||||
# Authentication and topic access plugin options
|
||||
|
|
|
|||
Loading…
Reference in New Issue