Thoughts about channel isolation and authentication
Problem

We will have to take care that this implementation does not accidentally weaken Kotori's security concept, which is mostly based around limiting access to certain topics by path prefix, and mapping that to channel user/owner ACLs in Mosquitto, which are reflected on the second path level of the MQTT topic, after the realm component, which is `mqttkit-1` in the example below.

You will recognize that it is not possible to apply an ACL rule on the MQTT topic `mqttkit-1/d/owner-*`, as wildcards are usually applied to MQTT topics only on the path segment level, and not mid-segment.

If we don't apply any countermeasures here, direct-device-addressing will open the door to access the write path to anyone else's channels, even if they would be protected by an MQTT full-channel ACL.
Example

Those examples demonstrate the MQTT topics for the same data channel, while using different addressing schematics, classical channel-based vs. the new device-based scheme.

```
# Channel-based MQTT WAN addressing.
mqttkit-1/owner/foo/bar/data.json

# Device-based MQTT WAN addressing.
mqttkit-1/d/owner-foo-bar/data.json
```

A typical Mosquitto ACL item currently looks like this.

```
user <username>
topic readwrite mqttkit-1/owner/#
```
Solutions

I see two possible solutions.

1. When enabling this feature in the corresponding Kotori .ini file, the operator would need to permit it for specific owners only, like

   ```ini
   [channel]
   permit_device_addressing = ["acme", "peter"]
   ```

   We may allow to explicitly configure `*`, in order to tear down that wall completely, but otherwise, allowing no user to use direct-addressing would be a sane choice by default.

2. Adjust the specification.

   This effectively shrinks the headroom to two path components. It feels a bit cleaner, but I don't know if it is possible to implement. Also, it would defy @thiasB's idea to run the application for the whole `hiveeyes` realm.

   ```
   # Device-based MQTT WAN addressing.
   mqttkit-1/owner/foo-bar/data.json
   ```
Conclusion

Currently, for @thiasB's use case, I see no other choice than 1., adding a `permit_device_addressing` configuration option. While it is sad that the feature would not be completely maintenance-free then, I see no other chance to hold up the minimal amount of channel isolation/protection Kotori offers.

Please do not hesitate to share any ideas you might have about this detail. Thanks.
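An added illustration of the point made above, not code from Kotori or from the commenter: a Mosquitto-style topic matcher (wildcards match whole segments only) showing that the `mqttkit-1/owner/#` ACL covers the channel-based topic but cannot be expressed for the device-based one, plus a check modelling solution 1, the `permit_device_addressing` allow-list. The way the owner is recovered from the `owner-foo-bar` segment (text before the first `-`) is an assumption made here, not something the comment specifies.

```python
"""Added example (not Kotori's code): segment-level MQTT ACL matching and
the permit_device_addressing allow-list proposed in the issue comment."""


def topic_matches(pattern: str, topic: str) -> bool:
    """Mosquitto-style matching: '+' matches exactly one segment, '#' matches
    the remainder of the topic, anything else must match literally. Wildcards
    only work as whole segments, so a segment like 'owner-*' is a literal."""
    p_segs = pattern.split("/")
    t_segs = topic.split("/")
    for i, p in enumerate(p_segs):
        if p == "#":
            return True  # '#' swallows everything from here on
        if i >= len(t_segs):
            return False
        if p != "+" and p != t_segs[i]:
            return False
    return len(p_segs) == len(t_segs)


def acl_allows(acl_topics, topic: str) -> bool:
    """True if any of the user's ACL topic patterns covers the topic."""
    return any(topic_matches(p, topic) for p in acl_topics)


def owner_of_device_topic(topic: str, realm: str = "mqttkit-1"):
    """Derive the owner from '<realm>/d/<owner>-<...>/...'.
    Assumption (not from the page): owner names contain no '-', so the
    owner is the text before the first '-' in the device segment."""
    segs = topic.split("/")
    if len(segs) < 3 or segs[0] != realm or segs[1] != "d":
        return None
    return segs[2].split("-", 1)[0]


def device_write_allowed(topic: str, permit_device_addressing,
                         realm: str = "mqttkit-1") -> bool:
    """Solution 1: only owners listed in permit_device_addressing (or '*'
    for everyone) may use direct device addressing; an empty list, the
    suggested default, permits nobody."""
    owner = owner_of_device_topic(topic, realm)
    if owner is None:
        return False
    return "*" in permit_device_addressing or owner in permit_device_addressing
```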