Use Chirpstack User Authentication for Chirpstack Gateway Bridge?

I was following the Debian/Ubuntu Quickstart tutorial (Quickstart Debian or Ubuntu - ChirpStack open-source LoRaWAN<sup>®</sup> Network Server) together with the MQTT Authentication tutorial (MQTT authentication & authorization - ChirpStack open-source LoRaWAN<sup>®</sup> Network Server), using Mosquitto Go Auth to set up a test environment.

In the MQTT Authentication guide, where it gives instructions on setting up Mosquitto Go Auth, it has you set up the mosquitto-go-auth.conf plugin configuration, including the auth_opt_pg_aclquery. This query appears to build the access control list for applications from the DB user's login. When I ran the query it built an ACL of the form application/[applicationId]/#; in my simple scenario it was "application/1/#". In addition to the DB-user-driven permissions, there were also directions on how to set up the /etc/mosquitto/mosquitto-go-auth/acls file to grant permissions to the chirpstack_gw, chirpstack_ns and chirpstack_as users. At first I tried using one of the DB usernames/passwords in the chirpstack-gateway-bridge.toml file; it would connect, but none of the gateway messages were delivered. When I switched to the chirpstack_gw user defined in the acls file, everything worked.

Hopefully that explains my testing clearly. My goal is to have many customers pushing data to my own ChirpStack server instance. Is it possible to assign a DB username/password in the chirpstack-gateway-bridge.toml file, so that each customer has isolated gateway credentials that are checked against the ChirpStack DB authentication? If the DB auth cannot be used to provide usernames/passwords for gateways, what other options are there besides ACL lists, given that I want to treat this as a multi-tenant application? I suppose I am looking for best practices.

Below are configuration files and server output information:

chirpstack-application-server.toml

[general]
log_level=4

[postgresql]
dsn="postgres://chirpstack_as:my_as_password@localhost/chirpstack_as?sslmode=disable"

[redis]
url="redis://localhost:6379"

[application_server]

[application_server.integration]

enabled=["mqtt"]

[application_server.integration.mqtt]
uplink_topic_template="application/{{ .ApplicationID }}/device/{{ .DevEUI }}/rx"
downlink_topic_template="application/{{ .ApplicationID }}/device/{{ .DevEUI }}/tx"
join_topic_template="application/{{ .ApplicationID }}/device/{{ .DevEUI }}/join"
ack_topic_template="application/{{ .ApplicationID }}/device/{{ .DevEUI }}/ack"
error_topic_template="application/{{ .ApplicationID }}/device/{{ .DevEUI }}/error"
status_topic_template="application/{{ .ApplicationID }}/device/{{ .DevEUI }}/status"
location_topic_template="application/{{ .ApplicationID }}/device/{{ .DevEUI }}/location"

server="tcp://localhost:1883"

username="chirpstack_as"
password="my_static_as_password_from_passwords_file"

[application_server.api]
bind="0.0.0.0:8001"

public_host="localhost:8001"

[application_server.external_api]
bind="0.0.0.0:8080"

tls_cert=""

tls_key=""

jwt_secret="my_jwt_secret"

[join_server]
bind="0.0.0.0:8003"

chirpstack-gateway-bridge.toml

[backend]
type="semtech_udp"
[backend.semtech_udp]
udp_bind = "0.0.0.0:1700"

[integration]
marshaler="protobuf"

[integration.mqtt]
event_topic_template="gateway/{{ .GatewayID }}/event/{{ .EventType }}"

command_topic_template="gateway/{{ .GatewayID }}/command/#"
[integration.mqtt.auth]
type="generic"

[integration.mqtt.auth.generic]
server="tcp://35.238.165.88:1883"
username="infinidtech"
#username="chirpstack_ns"
password="my_secret_password"
qos=0
clean_session=true
ca_cert=""
tls_cert=""
tls_key=""

chirpstack-network-server.toml

[general]
log_level=4

[postgresql]
dsn="postgres://chirpstack_ns:my_db_password!@localhost/chirpstack_ns?sslmode=disable"

[network_server]
net_id="000000"

[network_server.band]
name="US_902_928"

[network_server.network_settings]
enabled_uplink_channels=[0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15]

[network_server.gateway.backend]
type="mqtt"

[network_server.gateway.backend.mqtt]
event_topic="gateway/+/event/+"

command_topic_template="gateway/{{ .GatewayID }}/command/{{ .CommandType }}"

server="tcp://localhost:1883"

username="chirpstack_ns"

password="my_static_password_from_passwords_file"

mosquitto.conf

pid_file /var/run/mosquitto.pid

persistence true
persistence_location /var/lib/mosquitto/

log_dest file /var/log/mosquitto/mosquitto.log

include_dir /etc/mosquitto/conf.d

mosquitto-go-auth.conf

auth_plugin /home/Jonathan/go/src/github.com/iegomez/mosquitto-go-auth/go-auth.so
auth_opt_backends files, postgres, jwt
auth_opt_check_prefix false
allow_anonymous false

auth_opt_password_path /etc/mosquitto/mosquitto-go-auth/passwords
auth_opt_acl_path /etc/mosquitto/mosquitto-go-auth/acls

auth_opt_cache true
auth_opt_cache_reset true
auth_opt_cache_db 4

auth_opt_pg_host localhost
auth_opt_pg_port 5432
auth_opt_pg_dbname chirpstack_as
auth_opt_pg_user chirpstack_as
auth_opt_pg_password as_password
auth_opt_pg_userquery select password_hash from "user" where username = $1 and is_active = true limit 1
auth_opt_pg_superquery select count(*) from "user" where username = $1 and is_admin = true
auth_opt_pg_aclquery select distinct 'application/' || a.id || '/#' from "user" u inner join organization_user ou on ou.user_id = u.id inner join organization o on o.id = ou.organization_id inner join application a on a.organization_id = o.id where u.username = $1 and $2 = $2

auth_opt_jwt_remote false
auth_opt_jwt_db postgres
auth_opt_jwt_secret my_secret
auth_opt_jwt_userquery select count(*) from "user" where username = $1 and is_active = true limit 1
auth_opt_jwt_superquery select count(*) from "user" where username = $1 and is_admin = true
auth_opt_jwt_aclquery select distinct 'application/' || a.id || '/#' from "user" u inner join organization_user ou on ou.user_id = u.id inner join organization o on o.id = ou.organization_id inner join application a on a.organization_id = o.id where u.username = $1 and $2 = $2
auth_opt_jwt_userfield Username

/var/log/mosquitto/mosquitto.log

1574364603: mosquitto version 1.6.4 starting
1574364603: Config loaded from /etc/mosquitto/mosquitto.conf.
1574364603: Loading plugin: /home/Jonathan/go/src/github.com/iegomez/mosquitto-go-auth/go-auth.so
1574364603: ├── Username/password checking enabled.
1574364603: ├── TLS-PSK checking enabled.
1574364603: └── Extended authentication not enabled.
1574364605: Opening ipv4 listen socket on port 1883.
1574364605: Opening ipv6 listen socket on port 1883.
1574364606: New connection from 127.0.0.1 on port 1883.
1574364606: New client connected from 127.0.0.1 as auto-BD3B8F39-8556-1602-4179-A92E855C5833 (p2, c1, k30, u'chirpstack_as').
1574364607: New connection from 127.0.0.1 on port 1883.
1574364608: New client connected from 127.0.0.1 as auto-944FFD09-F457-EBD5-9945-E16EB135F492 (p2, c1, k30, u'chirpstack_ns').
1574364610: New connection from 99.92.122.150 on port 1883.

Chirpstack Application Server Output:

INFO[0000] starting ChirpStack Application Server docs=“https://www.chirpstack.io/” version=3.5.1
INFO[0000] storage: setting up storage package
INFO[0000] storage: setup metrics
INFO[0000] storage: setting up Redis pool
INFO[0000] storage: connecting to PostgreSQL database
INFO[0000] storage: applying PostgreSQL data migrations
INFO[0000] storage: PostgreSQL data migrations applied count=0
INFO[0000] integration/mqtt: TLS config is empty
INFO[0000] integration/mqtt: connecting to mqtt broker server=“tcp://localhost:1883”
INFO[0000] api/as: starting application-server api bind=“0.0.0.0:8001” ca_cert= tls_cert= tls_key=
INFO[0000] api/external: starting api server bind=“0.0.0.0:8080” tls-cert= tls-key=
INFO[0000] integration/mqtt: connected to mqtt broker
INFO[0000] integration/mqtt: subscribing to tx topic qos=0 topic=application/+/device/+/tx
INFO[0000] api/external: registering rest api handler and documentation endpoint path=/api
INFO[0000] api/js: starting join-server api bind=“0.0.0.0:8003” ca_cert= tls_cert= tls_key=

Chirpstack Network Server Output:

INFO[0000] starting ChirpStack Network Server band=US_902_928 docs=“https://www.chirpstack.io/” net_id=000000 version=3.4.1
INFO[0000] disabling all channels
INFO[0000] enabling channels channels=“[0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15]”
INFO[0000] storage: setting up storage module
INFO[0000] storage: setting up Redis connection pool
INFO[0000] storage: connecting to PostgreSQL
INFO[0000] storage: applying PostgreSQL data migrations
INFO[0000] storage: PostgreSQL data migrations applied count=0
INFO[0000] gateway/mqtt: connecting to mqtt broker server=“tcp://localhost:1883”
INFO[0000] no geolocation-server configured
INFO[0000] configuring join-server client ca_cert= server=“http://localhost:8003” tls_cert= tls_key=
INFO[0000] backend/gateway: connected to mqtt server
INFO[0000] gateway/mqtt: subscribing to gateway event topic qos=0 topic=gateway/+/event/+
INFO[0000] api: starting network-server api server bind=“0.0.0.0:8000” ca-cert= tls-cert= tls-key=
INFO[0000] starting downlink device-queue scheduler
INFO[0000] starting multicast scheduler

Chirpstack Gateway Bridge Output:

mtcdt:/home/mtadm# /opt/chirpstack-gateway-bridge/chirpstack-gateway-bridge -c /var/config/chirpstack-gateway-bridge/chirpstack-gateway-bridge.toml
INFO[0000] starting ChirpStack Gateway Bridge docs=“Introduction - ChirpStack open-source LoRaWAN<sup>®</sup> Network Server” version=3.4.1
INFO[0000] backend/semtechudp: starting gateway udp listener addr=“0.0.0.0:1700”
INFO[0000] integration/mqtt: connected to mqtt broker
INFO[0002] integration/mqtt: subscribing to topic qos=0 topic=“gateway/00800000a0004f68/command/#”
INFO[0009] integration/mqtt: publishing event event=stats qos=0 stats_id=a4911379-d9ee-4783-8c90-69063aaf51c9 topic=gateway/00800000a0004f68/event/stats
INFO[0030] integration/mqtt: publishing event event=up qos=0 topic=gateway/00800000a0004f68/event/up uplink_id=08cbefc3-dc56-47eb-96e8-613f861ccb34
INFO[0039] integration/mqtt: publishing event event=stats qos=0 stats_id=7f7f7443-bd45-4da7-957d-3dd73622b1bd topic=gateway/00800000a0004f68/event/stats

Thanks a lot for any feedback.
