Support multiple authentication plugins

[ralight]

migrated from Bugzilla #464543
status ASSIGNED severity enhancement in component Mosquitto for 1.5
Reported in version 1.4 on platform PC
Assigned to: Roger Light

On 2015-04-13 15:31:11 -0400, Roger Light wrote:

This was posted on the mailing list:

My largest gripe with the plugin interface as it is right now is that only one
plugin can be active at any given time. The krb5 plugin is intended to play a
largely supplementary role, yet the only option at the moment is to have it
replace existing authentication. Rather than split up the plugins, I realise
authentication and authorisation are usually tightly coupled, and I would
therefore suggest the option of allowing multiple plugins at once.

My suggestion is inspired by PAM, which allows a plugin to either grant access
immediately, deny access immediately or to "defer" action. Now, PAM has a much
more complicated setup, but these three actions should suffice for mosquitto, in
my opinion. The authentication/authorisation workflow would consist of the
following steps.

• If the plugin returns MOSQ_AUTH_GRANTED, access is immediately granted, the
  user authenticated correctly, obtained the requested access if this is an ACL
  call, or provided a correct TLS-PSK.
• If the plugin returns MOSQ_AUTH_DENIED, access is immediately denied, the
  plugin has an explicit rule to deny this action, either this user does not
  match some criteria but does exist, the password did not match or access to
  this topic is definitely denied.
• If the plugin instead returns MOSQ_AUTH_DEFERRED, the next plugin in the
  (configuration) list is invoked.
• If at the end of authentication/authorisation the status is
  MOSQ_AUTH_DEFERRED, there was no plugin granting access, so it is then
  denied.

This, to me, seems like a relatively small modification to the plugin
architecture that would greatly enhance the possibilities the owner of a broker
has. In my case, I would first allow krb5-based authentication, then fall back
to the inbuilt mosquitto behaviour, allowing private key authentication and
lastly, passwords. Similarly, since the krb5 plugin has no information about
ACL, it would immediately return MOSQ_AUTH_DEFERRED, and the normal ACL file
would get used.

On 2015-06-04 10:20:22 -0400, Jan-Piet Mens wrote:

What would be very good to have is support for ACLs/passwords from files and authentication plugins. I'd like to see files checked first and then auth plugins.

On 2015-06-29 18:33:57 -0400, Roger Light wrote:

This is now available for testing on the develop branch. I would appreciate any feedback.

Please note that this is not the only change to plugins that is planned for 1.5.

On 2015-09-29 06:04:35 -0400, Jan-Piet Mens wrote:

As discussed on IRC, I strongly feel that the order should be swapped: first files, then authentication plugins. The reason is that files checking will typically be "cheaper" than whatever an authentication plugin does. For example, we want to keep administrative accounts out of plugin (-databases) so we don't even want the plugin to be invoked for these (even if the plugin can defer -- if it knows what to defer).

[PierreF]

Is something missing for this issue on develop branch ? I think everything is present:

• multiple plugin could be configured
• files are checked first, then auth_plugins