Authorizing MQTT clients to access IBM MQ objects
Follow these steps to authorize MQTT clients to publish and subscribe to IBM MQ objects. The steps follow four alternative access control patterns.
Before you begin
MQTT clients are authorized to access objects in
IBM MQ by being assigned an identity when they connect
to a telemetry channel. The IBM MQ Administrator
configures the telemetry channel using IBM MQ Explorer
to give a client one of three types of identity:
- ClientIdentifier
- Username
- A name the administrator assigns to the channel.
Whichever type is used, the identity must be defined to IBM MQ as a principal by the installed authorization service. The
default authorization service on Windows or Linux is called the Object Authority Manager (OAM). If you
are using the OAM, the identity must be defined as a user ID.
Use the identity to give a client, or collection of clients, permission to publish or subscribe
to topics defined in IBM MQ. If an MQTT client has subscribed to a topic, use the identity to
give it permission to receive the resulting publications.
It is hard to manage a system with tens of thousands of MQTT clients, each requiring individual access permissions.
One solution is to define common identities, and associate individual MQTT clients with one of the common identities. Define as
many common identities as you require to define different combinations of permissions. Another
solution is to write your own authorization service that can deal more easily with thousands of
users than the operating system.
We can combine MQTT clients into common
identities in two ways, using the OAM:
- Define multiple telemetry channels, each with a different user ID that the administrator
allocates using IBM MQ Explorer. Clients connecting
using different TCP/IP port numbers are associated with different telemetry channels, and are
assigned different identities.
- Define a single telemetry channel, but have each client select a Username from
a small set of user IDs. The administrator configures the telemetry channel to select the client
Username as its identity.
In this task, the identity of the telemetry channel is called
mqttUser, regardless of how it is set. If collections of clients
use different identities, use multiple mqttUsers, one for each
collection of clients. As the task uses the OAM, each mqttUser
must be a user ID.
In this task, we have a choice of four access control patterns that we can tailor to specific
requirements. The patterns differ in their granularity of access control.
Each pattern results in mqttUsers being assigned sets of permissions to publish and subscribe to IBM MQ, and to receive publications from IBM MQ.
No access control
MQTT clients are given IBM MQ administrative authority, and can perform any action on
any object.
Procedure
- Create a user ID mqttUser to act as the identity of all MQTT clients.
- Add mqttUser to the mqm group; see Add a user to a group on Windows, or Add a user to a group on Linux.
Coarse-grained access control
MQTT clients have authority to publish
and subscribe, and to send messages to MQTT clients.
They do not have authority to perform other actions, or to access other objects.
Procedure
- Create a user ID mqttUser to act as the identity of all MQTT clients.
- Authorize mqttUser to publish and subscribe to all topics and to send publications to MQTT clients.
  setmqaut -m qMgr -t topic -n SYSTEM.BASE.TOPIC -p mqttUser -all +pub +sub
  setmqaut -m qMgr -t q -n SYSTEM.MQTT.TRANSMIT.QUEUE -p mqttUser -all +put
Medium-grained access control
MQTT clients are divided into different
groups to publish and subscribe to different sets of topics, and to send messages to MQTT clients.
Procedure
- Create multiple user IDs, mqttUsers, and multiple administrative topics in the publish/subscribe topic tree.
- Authorize different mqttUsers to different topics.
  setmqaut -m qMgr -t topic -n topic1 -p mqttUserA -all +pub +sub
  setmqaut -m qMgr -t topic -n topic2 -p mqttUserB -all +pub +sub
- Create a group mqtt, and add all mqttUsers to the group.
- Authorize the mqtt group to send publications to MQTT clients. Because mqtt is a group, grant the authority with -g rather than -p.
  setmqaut -m qMgr -t q -n SYSTEM.MQTT.TRANSMIT.QUEUE -g mqtt -all +put
Fine-grained access control
MQTT clients are incorporated into an existing system of access control that authorizes groups to perform actions on objects.
About this task
A user ID is assigned to one or more operating system groups depending on the authorizations it
requires. If IBM MQ applications are publishing and subscribing to the same topic space as MQTT clients,
use this model. The groups are referred to as Publish X, Subscribe Y, and mqtt:
- Publish X: Members of Publish X groups can publish to topicX.
- Subscribe Y: Members of Subscribe Y groups can subscribe to topicY.
- mqtt: Members of the mqtt group can send publications to MQTT clients.
Procedure
- Create multiple groups, Publish X and Subscribe Y, that are allocated to multiple administrative topics in the publish/subscribe topic tree.
- Create a group mqtt.
- Create multiple user IDs, mqttUsers, and add the users to any of the groups, depending on what they are authorized to do.
- Authorize different Publish X and Subscribe X groups to different topics, and authorize the mqtt group to send messages to MQTT clients. These are groups, so grant the authorities with -g; a Subscribe group needs only +sub on its topic.
  setmqaut -m qMgr -t topic -n topic1 -g Publish X -all +pub
  setmqaut -m qMgr -t topic -n topic1 -g Subscribe X -all +sub
  setmqaut -m qMgr -t q -n SYSTEM.MQTT.TRANSMIT.QUEUE -g mqtt -all +put
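As an added example, not from the IBM documentation: a small Python helper that composes the setmqaut lines for the medium-grained pattern above and audits a dspmqaut report for authorities beyond what the fine-grained pattern intends for a Subscribe group. The dspmqaut report text is constructed, and the helper assumes the OAM applies authorities at user level (on Linux the default OAM policy applies -p grants to the user's primary group, so two mqttUsers sharing a primary group would share each other's topics).

```python
"""Added helper, not IBM's code: compose setmqaut lines for the medium-grained
MQTT pattern and audit a dspmqaut report for surplus authorities."""
import re

TRANSMIT_Q = "SYSTEM.MQTT.TRANSMIT.QUEUE"
# Authorities that amount to administrative control of an object.
ADMIN_AUTHS = {"crt", "dlt", "chg", "clr", "set", "setid", "setall", "passid", "passall"}


def setmqaut_cmd(qmgr, obj_type, name, entity, auths, group=False):
    """Compose one setmqaut line: -g for a group, -p for a user ID.
    Assumes user-level OAM policy; the default group policy on Linux applies
    -p grants to the user's primary group instead."""
    flag = "-g" if group else "-p"
    plus = " ".join(f"+{a}" for a in auths)
    return f"setmqaut -m {qmgr} -t {obj_type} -n {name} {flag} {entity} -all {plus}"


def medium_grained(qmgr, topic_users, mqtt_group="mqtt"):
    """Medium-grained pattern: each mqttUser publishes and subscribes on its own
    topic; the group holding all mqttUsers may only put to the transmit queue."""
    cmds = [setmqaut_cmd(qmgr, "topic", t, u, ("pub", "sub"))
            for t, u in topic_users.items()]
    cmds.append(setmqaut_cmd(qmgr, "q", TRANSMIT_Q, mqtt_group, ("put",), group=True))
    return cmds


def parse_dspmqaut(text):
    """Return (entity, object, set of authorities) from a dspmqaut report."""
    m = re.search(r"Entity (\S+) has the following authorizations for object (\S+):", text)
    if not m:
        raise ValueError("not a dspmqaut report")
    auths = {ln.strip() for ln in text[m.end():].splitlines() if ln.strip()}
    return m.group(1), m.group(2), auths


def surplus(auths, expected):
    """Authorities granted beyond what the pattern intends, admin ones first."""
    extra = set(auths) - set(expected)
    return sorted(extra, key=lambda a: (a not in ADMIN_AUTHS, a))


# Constructed dspmqaut output for a Subscribe group that was given more than +sub.
SAMPLE_REPORT = """Entity SubscribeX has the following authorizations for object topic1:
        pub
        sub
        chg
"""
```

Calling medium_grained("qMgr", {"topic1": "mqttUserA", "topic2": "mqttUserB"}) returns the three setmqaut lines of the medium-grained procedure. For the constructed report, surplus(parse_dspmqaut(SAMPLE_REPORT)[2], {"sub"}) returns ['chg', 'pub'], flagging the administrative chg authority ahead of the unneeded pub.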