Redis authentication uses an external Redis database as the authentication data source, which can store a large amount of data and facilitate integration with external device management systems.
The emqx_auth_redis lso includes ACL feature, which can be disabled via comments
To enable Redis authentication, you need to configure the following in
# Redis connection information
For Redis basic connection information, it needs to ensure that all nodes in the cluster can access.
# etc/plugins/emqx_auth_redis.conf ## Server address auth.redis.server = 127.0.0.1:6379 ## Connection pool size auth.redis.pool = 8 auth.redis.database = 0 auth.redis.password =
# Default table structure
A hash table is used to store authentication data by default for Redis authentication, and
mqtt_user: is used as the Redis key prefix. The data structure is as follows:
redis> hgetall mqtt_user:emqx password public salt wivwiv
The sample data in the default configuration is as follows:
HMSET mqtt_user:emqx password public salt wivwiv
After Redis authentication is enabled, you can connect with username: emqx, password: public.
This is the data structure used by default configuration. After being familiar with the use of the plugin, you can use any data structure that meets the conditions for authentication
# Salting rules and hash methods
Redis authentication supports the configuration of salting rules and hash methods, and plaintext passwords are stored without processing by default:
# etc/plugins/emqx_auth_redis.conf auth.redis.password_hash = plain
# auth query cmd
During authentication, EMQX Broker will use the current client information to populate and execute the user-configured authentication query command to query the client's authentication data in the Redis.
# etc/plugins/emqx_auth_redis.conf auth.redis.auth_cmd = HMGET mqtt_user:%u password
You can use the following placeholders in the command, and EMQX Broker will be automatically populated with client information when executed:
- %c：Client ID
- %C：TLS certificate common name (the domain name or subdomain name of the certificate), valid only for TLS connections
- %d：TLS certificate subject, valid only for TLS connections
You can adjust the authentication query command according to your business needs and use any Redis supported command (opens new window). However, in any case, the authentication query command must meet the following conditions:
- The first data in the query result must be password. EMQX Broker will use this field to compare with the client password.
- If the salting configuration is enabled, the second data in the query result must be the salt field. EMQX Broker will use this field as the salt value.