Change mosquitto_security_apply() from HUP to periodic - with ability to disable #2701

Open
wiebeytec opened this issue Dec 7, 2022 · 3 comments

Comments

@wiebeytec

Mosquitto reevaluates the authentication of all clients on HUP. This causes many of my clients to be disconnected, because they use JSON web tokens (JWT; custom plugin) that expire.

I am now forced to disable HUP, which requires hacking with copy+truncate log files to rotate them, and I can't replace SSL certificates without kicking everybody out.

I think it's better to change this to a timed event that can be disabled. If it's important to admins that de-authenticated clients are disconnected, waiting for the HUP is the wrong event. Plugins can have state that changes all the time, so the HUP is unrelated.

@NorbertHeusser
Contributor

The HUP signal will force the Mosquitto to reload its full configuration, which is a well-known behavior of daemon processes. As the config might have changed some of the security settings, the Mosquitto will afterward reevaluate the client authentication. So the intent of the HUP signal is to reload the config and this might affect the client reconnect.

@wiebeytec
Author

I understand that, and that makes some sense for when the users (indirectly) come from the config file, but not when they come from a plugin that keeps its own state (or retrieves auth data from somewhere) and clients authenticate with time-based tokens, like JWT.

But even then, when your password file changes, why is HUP the triggering factor? If I remove a user, I either want to deauthenticate the user soon, or not at all. Not something that synchronizes with log rotation (which happens to do HUP).

@wiebeytec
Author

On a side note, having an extra signal, like USR1, for only log rotation would be useful. Nginx does this too.
