1.mainflux集成了verneMQ,但是他是如何和things微服务通信,保证只有用过thingid和thingkey才能完成登录呢？

1.1 首先看一下它的配置文件

max_inflight_messages = 20
max_online_messages = 1000
max_message_size = 0
listener.max_connections = 10000
listener.nr_of_acceptors = 10
listener.tcp.default = 127.0.0.1:1883
listener.vmq.clustering = 0.0.0.0:44053
listener.http.default = 127.0.0.1:8888
systree_interval = 20000
graphite_host = localhost
graphite_port = 2003
graphite_interval = 20000
shared_subscription_policy = prefer_local
topic_max_depth = 10
metadata_plugin = vmq_swc
vmq_acl.acl_file = ./etc/vmq.acl
vmq_acl.acl_reload_interval = 10
vmq_passwd.password_file = ./etc/vmq.passwd
vmq_passwd.password_reload_interval = 10
vmq_diversity.script_dir = ./share/lua
vmq_diversity.postgres.password_hash_method = crypt
vmq_diversity.cockroachdb.password_hash_method = bcrypt
vmq_diversity.mysql.password_hash_method = password
vmq_bcrypt.pool_size = 1
vmq_bcrypt.nif_pool_size = 4
vmq_bcrypt.nif_pool_max_overflow = 10
vmq_bcrypt.default_log_rounds = 12
vmq_bcrypt.mechanism = port
log.console = file
log.console.level = info
log.console.file = ./log/console.log
log.error.file = ./log/error.log
log.crash.file = ./log/crash.log
log.crash.maximum_message_size = 64KB
log.crash.size = 10MB
log.crash.rotation = $D0
log.crash.rotation.keep = 5
nodename = VerneMQ@127.0.0.1
distributed_cookie = vmq
erlang.async_threads = 64
erlang.max_ports = 262144
leveldb.maximum_memory.percent = 70
include conf.d/*.conf
log.console.level=error
log.console=console
allow_anonymous=on
erlang.distribution.port_range.minimum = 9100
erlang.distribution.port_range.maximum = 9109
listener.tcp.default = 172.20.0.9:1883
listener.ws.default = 172.20.0.9:8080
listener.vmq.clustering = 172.20.0.9:44053
listener.http.metrics = 172.20.0.9:8888

#-----------------------------------
coordinate_registrations = on
systree_enabled = on
plugins.vmq_passwd = on
plugins.vmq_acl = on
vmq_diversity.cockroachdb.ssl = on
log.crash = on
#-----------------------------------
allow_anonymous = off
allow_register_during_netsplit = off
allow_publish_during_netsplit = off
allow_subscribe_during_netsplit = off
allow_unsubscribe_during_netsplit = off
allow_multiple_sessions = off
max_offline_messages = 1000
upgrade_outgoing_qos = off
listener.tcp.name.allow_anonymous_override = off
listener.ssl.name.allow_anonymous_override = off
graphite_enabled = off
plugins.vmq_diversity = off
plugins.vmq_webhooks = off
plugins.vmq_bridge = off
vmq_diversity.auth_postgres.enabled = off
vmq_diversity.postgres.ssl = off
vmq_diversity.auth_cockroachdb.enabled = off
vmq_diversity.auth_mysql.enabled = off
vmq_diversity.auth_mongodb.enabled = off
vmq_diversity.mongodb.ssl = off
vmq_diversity.auth_redis.enabled = off
log.syslog = off

1.2 在vernemq所在的机器上查看插件

vmq-admin plugin show
+------------+-------------+----------------------+----------------------------------+
| Plugin     | Type        | Hook(s)              | M:F/A                            |
+------------+-------------+----------------------+----------------------------------+
| vmq_acl    | application | auth_on_publish      | vmq_acl:auth_on_publish/6        |
|            |             | auth_on_subscribe    | vmq_acl:auth_on_subscribe/3      |
|            |             | auth_on_publish_m5   | vmq_acl:auth_on_publish_m5/7     |
|            |             | auth_on_subscribe_m5 | vmq_acl:auth_on_subscribe_m5/4   |
|            |             |                      |                                  |
+------------+-------------+----------------------+----------------------------------+
| vmq_passwd | application | auth_on_register     | vmq_passwd:auth_on_register/5    |
|            |             | auth_on_register_m5  | vmq_passwd:auth_on_register_m5/6 |
|            |             |                      |                                  |
+------------+-------------+----------------------+----------------------------------+
看得出是mainflux应该是使用vmq_acl的消息钩子处理身份认证的。

1.3 但是acl怎么使用呢?下面以mqtt登录为例来说明。
在cmd\mqtt\main.go文件中定义了钩子事件

// Event handler for MQTT hooks
h := mqtt.NewHandler([]messaging.Publisher{np}, es, logger, authClient)

并在mqtt\handler.go完成了处理逻辑

// AuthConnect is called on device connection,
// prior forwarding to the MQTT broker
func (h *handler) AuthConnect(c *session.Client) error {
    if c == nil {
        return errInvalidConnect
    }

    thid, err := h.auth.Identify(context.Background(), string(c.Password))
    if err != nil {
        return err
    }

    if thid != c.Username {
        return errors.ErrAuthentication
    }

    if err := h.es.Connect(c.Username); err != nil {
        h.logger.Warn("Failed to publish connect event: " + err.Error())
    }

    return nil
}