This article is only relevant for v0.9.10 and later.
Enable RBAC for the MQTT Broker
This page describes how to enable Role-Based Access Control (RBAC) for the
MQTT broker.
2 minute read
Enable RBAC
Enable RBAC by upgrading the value in the Helm chart.
To do so, run the following command:
sudo $(which helm) upgrade --set mqtt_broker.rbacEnabled=true united-manufacturing-hub united-manufacturing-hub/united-manufacturing-hub -n united-manufacturing-hub --reuse-values --version $(sudo $(which helm) get metadata united-manufacturing-hub -n united-manufacturing-hub --kubeconfig /etc/rancher/k3s/k3s.yaml -o json | jq '.version') --kubeconfig /etc/rancher/k3s/k3s.yaml
Now all MQTT connections require password authentication with the following defaults:
- Username:
node-red
- Password:
INSECURE_INSECURE_INSECURE
Change default credentials
Open a shell inside the Pod:
sudo $(which kubectl) exec -it united-manufacturing-hub-hivemqce-0 -n united-manufacturing-hub --kubeconfig /etc/rancher/k3s/k3s.yaml -- /bin/sh
Navigate to the installation directory of the RBAC extension.
cd extensions/hivemq-file-rbac-extension/
Generate a password hash with this command.
java -jar hivemq-file-rbac-extension-<version>.jar -p <password>
- Replace
<version>
with the version of the HiveMQ CE extension. If you are not sure which version is installed, you can pressTab
after typingjava -jar hivemq-file-rbac-extension-
to autocomplete the version. - Replace
<password>
with your desired password. Do not use any whitespaces.
- Replace
Copy the output of the command. It should look similar to this:
$2a$10$Q8ZQ8ZQ8ZQ8ZQ8ZQ8ZQ8Zu
Exit the shell by typing
exit
.Edit the ConfigMap to update the password hash.
sudo $(which kubectl) edit configmap united-manufacturing-hub-hivemqce-extension -n united-manufacturing-hub --kubeconfig /etc/rancher/k3s/k3s.yaml
This command will open the default text editor with the ConfigMap contents. Change the value inbetween the
<password>
tags with the password hash generated in step 4.You can use a different password for each different microservice. Just remember that you will need to update the configuration in each one to use the new password.Save the changes.
Recreate the Pod:
sudo $(which kubectl) delete pod united-manufacturing-hub-hivemqce-0 -n united-manufacturing-hub --kubeconfig /etc/rancher/k3s/k3s.yaml
What’s next
Last modified December 19, 2024: Merge pull request #306 from united-manufacturing-hub/feat/eng-1713/rename-data-model-v1 (667ff8b)