emqx / emqx-auth-username

EMQX Authentication with Username and Password
https://emqx.io
Apache License 2.0

How to configure emqx-auth-username plugin correctly (RELEASE 3.1) #98

Closed mbenitod closed 4 years ago

mbenitod commented 5 years ago

Hello: I have upgraded from version 2.3 to release 3.1. In version 2.3 the plugin worked fine, and now in release 3.1 it doesn't work or I don't know how to configure it.

In version 2.3 I configured the plugin like this:

  1. In emqx.conf: allow_anonymous = false

  2. In emqx_auth_username.conf:

    auth.user.1.username = peter
    auth.user.1.password = pass1
    auth.user.2.username = sophie
    auth.user.2.password = pass2

  3. Loaded the plugin, restarted, and it worked well.

BUT:

In release 3.1 I configured the plugin like this:

  1. In emqx.conf: allow_anonymous = false

  2. In emqx_auth_username.conf:

    ## Password hash.
    ##
    ## Value: plain | md5 | sha | sha256
    auth.user.password_hash = plain
    auth.user.1.username = peter
    auth.user.1.password = pass1
    auth.user.2.username = sophie
    auth.user.2.password = pass2

  3. Loaded the plugin, restarted, and it doesn't work.

The error is:

    [error] You've tried to set auth.user.1.username, but there is no setting with that name.
    [error] Did you mean one of these?
    [error] auth.mysql.username
    [error] auth.pgsql.username
    [error] mqtt.sn.username
    [error] You've tried to set auth.user.1.password, but there is no setting with that name.
    [error] Did you mean one of these?
    ...

Please, how is the plugin configured correctly? I can't find information on how to do it.

Thanks for your support.

HJianBo commented 5 years ago

Hi, @mbenitod Sorry about that. We have removed the feature of configuring default username in the emqx_auth_username.conf file after v3.1-rc.2 version.

Now, you can manage the username items by CLI or REST API after loading the emqx_auth_username plugin:

i.e:

$ ./bin/emqx_ctl users

users list                                      # List users
users add <Username> <Password>                 # Add User
users update <Username> <NewPassword>           # Update User
users del <Username>                            # Delete User

mbenitod commented 5 years ago

Thank you so much for your attention. Your reply has helped me a lot. I tried the plugin and it works perfectly. Thank you. Good job!

brunocpadua commented 5 years ago

Hello,

I'm using EMQ inside a Docker container, and after you have removed the feature of configuring default username in the emqx_auth_username.conf, how to migrate the username/password set by CLI or REST API from an old container to a new container or a new Docker image version? Is there any file where this information is being saved?

Thanks!

HJianBo commented 5 years ago

Sorry for the trouble this has caused you.

Maybe you can modify the start.sh of docker to call the CLI to add usernames after the emqx_auth_username started successfully.

aisven commented 5 years ago

I do not understand why one would remove this feature. I am not in favor of creating my own Docker Image just to add these users. They were so nicely add-able via mapped Docker Volume.

As in a docker-compose.yml it could have looked like this, a perfectly valid solution:

    - ./local/users/emqx_auth_username.conf:/opt/emqx/etc/plugins/emqx_auth_username.conf

AaronAutomation commented 5 years ago

Did anyone find a solution for this with Docker? I wasted hours before finding this thread... surely someone has come up with a solution for running EMQX in Docker and set anonymous connections to false. I'm pretty green unfortunately, will keep working on this in the meantime though.

emqplus commented 5 years ago

@AaronAutomation I reopened the issue first.

rasaffie commented 4 years ago

@AaronAutomation You need to create users by console:

docker-compose exec emqx /opt/emqx/bin/emqx_ctl users add $username $password

with your username and password (assuming that your docker service is called emqx).

Also, you may need to wait for EMQX to start before executing it.

rasaffie commented 4 years ago

My previous answer works for v3.2.2, but not for v3.2.5. In v3.2.5 the configuration with environment variable EMQX_ALLOW_ANONYMUS=false is not working: the server allows all connections. Is this change on purpose? I think it's a breaking change that should not be at a patch level.

Also, could you add a CHANGELOG.md to this repo? It's tedious to keep bumping on these changes.

AaronAutomation commented 4 years ago

Thanks rasaffie - I added the username/passwords to my start.sh file and rebuilt my own image. I was looking to test a scalable solution which wouldn't require creating username and passwords after emqx was running. You mentioned EMQX_ALLOW_ANONYMUS=false wasn't working in v3.2.5, I just wanted to note that there was a typo there and hopefully that wasn't the cause of your issue.

rasaffie commented 4 years ago

@AaronAutomation You are right, there is a typo in my configurations, my bad.

However it still does not work as expected: when I try to create users in v3.2.5 I get the message Node '[...]' not responding to pings instead of ok like when using v3.2.2. The server is running because in the output it prints the refused connections for the users. Also, it is strange that even with the typo in v3.2.2 connections without authentication are refused (maybe the default value for this configuration changed).

For creating users in a scalable way you can use something like wait-for-it or sleep before executing the commands. I think it's a messy solution and I would prefer to create users as it was before with the emqx_auth_username.conf file, but it's a work around.
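
Added example (not part of the thread, and not the project's own code): a start.sh-style helper for the workaround discussed above. It polls `emqx_ctl users list` instead of using a fixed sleep, then adds users from a mounted file. The `username:password` file format, the `USERS_FILE`, `EMQX_CTL`, `RETRIES` and `DELAY` variables, and a non-zero exit code from `emqx_ctl` while the node is down are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: USERS_FILE holds one
# "username:password" per line (e.g. a mounted secret); EMQX_CTL, RETRIES and
# DELAY are hypothetical knobs; emqx_ctl exits non-zero while the node is down.
EMQX_CTL="${EMQX_CTL:-/opt/emqx/bin/emqx_ctl}"
RETRIES="${RETRIES:-30}"
DELAY="${DELAY:-2}"

# Poll "users list" until the node answers, instead of a fixed sleep.
# Until then emqx_ctl fails ("Node ... not responding to pings").
wait_for_broker() {
    attempt=0
    while [ "$attempt" -lt "$RETRIES" ]; do
        "$EMQX_CTL" users list >/dev/null 2>&1 </dev/null && return 0
        attempt=$((attempt + 1))
        sleep "$DELAY"
    done
    return 1
}

# Add each user from the file. Passwords are never echoed; the result is
# non-zero if any line is malformed or the CLI does not answer "ok".
provision_users() {
    failed=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in '' | '#'*) continue ;; esac
        user="${line%%:*}"
        pass="${line#*:}"
        if [ "$user" = "$line" ] || [ -z "$user" ] || [ -z "$pass" ]; then
            echo "malformed entry skipped" >&2
            failed=1
            continue
        fi
        # </dev/null keeps the CLI from consuming the rest of the users file.
        out=$("$EMQX_CTL" users add "$user" "$pass" </dev/null 2>&1) || true
        case "$out" in
            ok*) echo "added user: $user" ;;
            *) echo "could not add user: $user" >&2; failed=1 ;;
        esac
    done < "$1"
    return "$failed"
}

# Run only when a credentials file is supplied, e.g. from start.sh.
if [ -n "${USERS_FILE:-}" ]; then
    wait_for_broker && provision_users "$USERS_FILE"
fi
```

Arguments passed to `emqx_ctl` are visible in the container's process list while the command runs, so source the file from a secret mount rather than baking credentials into the image.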

HJianBo commented 4 years ago

Hi, guys. Thanks for your contributions! After our team discussion, we have restored this feature in v3.2.7, which we released today.

So, the feature is unavailable between v3.1.0-rc.2 - v3.2.6. I'm very sorry for the trouble this has caused you :(

alexandrim0 commented 4 years ago

Thanks a lot! Very cool!

alexandrim0 commented 4 years ago

Ooops!

I configured this plugin using env vars and it can read only 3 users. Is it a bug?

HJianBo commented 4 years ago

@alexandrim0 Could you post an example of your env vars? And have you tried to confirm that the emqx_auth_username.conf has been written?

alexandrim0 commented 4 years ago

As far as I can see, while emqx starts the entrypoint bash script parses only 3 of 6.

.env like this, and I also tried exactly the same:

    EMQX_AUTH__USER__PASSWORD_HASH=plain
    EMQX_AUTH__USER__1__USERNAME=user1
    EMQX_AUTH__USER__1__PASSWORD=password1
    EMQX_AUTH__USER__2__USERNAME=user2
    EMQX_AUTH__USER__2__PASSWORD=password2
    EMQX_AUTH__USER__3__USERNAME=user3
    EMQX_AUTH__USER__3__PASSWORD=password3
    EMQX_AUTH__USER__4__USERNAME=user4
    EMQX_AUTH__USER__4__PASSWORD=password4
    EMQX_AUTH__USER__5__USERNAME=user5
    EMQX_AUTH__USER__5__PASSWORD=password5
    EMQX_AUTH__USER__6__USERNAME=user6
    EMQX_AUTH__USER__6__PASSWORD=password6

alexandrim0 commented 4 years ago

It looks like this issue was resolved and should be closed. The problem with the entrypoint script was opened here: https://github.com/emqx/emqx/issues/3060

alexandrim0 commented 4 years ago

It is uncool to still have to mount a file when everything else can be configured by envs. It is also uncool to build a custom image just to add one more user. Is it possible to add more users to the source config? 10 would be nice as a workaround.

Thank you!

alex-makrshakr commented 4 years ago

Hi all,

> It is uncool to still have to mount a file when everything else can be configured by envs.

I partially disagree with this, since you can mount a file that is stored in a k8s secret, thus readable only by people with the correct privilege (in a big team), instead of writing down envs in the deployment file.

@alexandrim0 totally agree on everything else!

Alex

alex-makrshakr commented 4 years ago

Hi @HJianBo,

I'm encountering an issue in loading the emqx_auth_username.conf in a k8s cluster.

I'm loading the file from a k8s secret and mounting it read-only in /etc/plugins. EMQX version is v3.2.7.

When the containers load, the file gets mounted correctly and I can read its content. But no users are actually added by the plugin.

However, if I set the variables as env: from the deployment yaml, the first three values are correctly loaded by the emqx_auth_username plugin (first three as stated by a previous post).

Any clue of what is going wrong here?

Thanks in advance.

HJianBo commented 4 years ago

I think the mounted path in emqx container should be /opt/emqx/etc/plugins/ not /etc/plugins?

alex-makrshakr commented 4 years ago

@HJianBo I thought that was the issue but I'm getting a strange behavior.

I pull the docker image directly from Docker Hub (no custom build) and when I run it, it has no /opt folder inside. And it works fine this way, by setting the users/passwords by env variables.

However, the moment I mount the file emqx_auth_username.conf in /opt/emqx/etc/plugins/, thus creating the /opt folder, emqx crashes on boot. These are the logs:

image

HJianBo commented 4 years ago

I guess it rewrites all files of the /opt/emqx/etc/plugins/ directory?

Could you check whether the other conf files in the opt/emqx/etc/plugins/ have been lost?

alex-makrshakr commented 4 years ago

You are right! I was confusing the container and emqx etc directories. And you are also right: in k8s, any kind of volume, whether a secret or a configMap, is mounted overwriting all files and subfolders in the path. I was able to find the solution with this thread and this GitHub solution.

The correct configuration to replace the single file is the following:

containers:
- volumeMounts:
  - name: emqx-users
    mountPath: /opt/emqx/etc/plugins/emqx_auth_username.conf
    subPath: emqx_auth_username.conf
volumes:
- name: emqx-users
  secret:
    secretName: emqx-users

Thank you for the help!

Works like a charm now.

chidu-arch commented 4 years ago

Hi guys, I am quite new to emq, please help me out. I have enabled the auth_username plugin; when "auth.user.password_hash = plain" is used it works seamlessly, but when "auth.user.password_hash = sha256" is used it is not working.

Example: I have set the password as "public", corresponding sha256 hash "efa1f375d76194fa51a3556a97e641e61685f914d446979da50a551a4333ffd7", but when I give this hashed password it is not getting authenticated.

Basically, apart from plain nothing else is working. Am I doing something wrong here?

Regards

docaustyne commented 3 years ago

I have this problem too and for two days, it's been madness. The worst is not knowing why IP:1883 won't even accept connections. My setup is with EMQX server, on the url, I can see all the request, there is nothing I have not done, I have internal pointing to 127.0.0.1:11883, external pointing to 0.0.0.0:1883, but I cannot even reach the mqtt service. My emqx dashboard loads fine, I can log in.

jayjupdhig commented 3 years ago

All those things are VERY VERY confusing in my opinion... -> https://github.com/emqx/emqx/issues/6015

sudhakarreddy-boilla commented 2 years ago

How can I change the emqx default password through the emqx docker compose.yaml file? In that yaml file I am also using the EMQX_DASHBOARD__DEFAULT_USER__PASSWORD env variable.

k32 commented 2 years ago

@Boillasudhakarreddy This repo is no longer actively maintained, since the plugins were moved to the emqx monorepo. Could you please repeat this question in the discussions here: https://github.com/emqx/emqx/discussions Please don't forget to specify the version of EMQX broker that you're using.

jayjupdhig commented 2 years ago

Another question: What about Beta Version 5.x? Maybe it is now possible to add users and configure their credentials in the new 5.x Web GUI? If yes, then I would like to test it. When I see some issues, I can help to improve it.

Thank you very very much for your feedback! :-)

jayjupdhig commented 2 years ago

?

k32 commented 2 years ago

Could you please repeat the question here: https://github.com/emqx/emqx/discussions ?

kosuodhmwa commented 2 years ago

Thank you for your feedback - done!! :-) -> https://github.com/emqx/emqx/discussions/7065