
🔐 Authentication & Authorization

🧩 Overview

MAPS Messaging provides a pluggable authentication system that supports multiple identity models. The system is modular, allowing administrators to define default authentication strategies and override them per interface or protocol.

Authentication and user identity handling are configured in the SecurityManager.yaml file and referenced throughout the NetworkManager.yaml and NetworkConnectionManager.yaml interfaces via the auth field.


🔒 SecurityManager Configuration

Defined in SecurityManager.yaml:

SecurityManager:
  default: PublicAuthConfig
  usernamePassword: UsernamePasswordLoginModule

📘 Explanation

Field            | Description
-----------------|------------------------------------------------------------------------
default          | The fallback or anonymous/default authentication strategy.
usernamePassword | A login module that enables standard username/password authentication.

This configuration declares two authentication mechanisms:

  • PublicAuthConfig: typically allows public, non-authenticated access (used for open endpoints or testing).
  • UsernamePasswordLoginModule: enables user-based login, likely backed by an internal user store or identity provider.

🔐 You can add or customize additional login modules to support OAuth, LDAP, or certificates.


🔗 Using auth in Interfaces

Every network interface can reference a security mechanism via the auth or sasl fields.

Example – MQTT over TCP

- name: "TCP MQTT Interface"
  url: tcp://:::1883/
  protocol: mqtt
  auth: usernamePassword

This references the UsernamePasswordLoginModule for authentication.

Example – AMQP with SASL

- name: "AMQP Interface"
  url: tcp://:::5672/
  protocol: amqp
  sasl:
    mechanism: "SCRAM-SHA-512"
    identityProvider: system

This uses SASL (Simple Authentication and Security Layer) with SCRAM for robust authentication, typically used in AMQP.


👤 User Mapping & Tenancy

User-to-namespace mappings are defined in TenantManagement.yaml, which determines what resources a user can access. This acts as an authorization layer.

Example:

- name: matthew
  namespaceRoot: /
  scope: user

This allows the user matthew access to all queues/topics.

Another user could be scoped to a restricted namespace:

- name: default
  namespaceRoot: /
  scope: user

✅ Best Practices

  • Always use usernamePassword or sasl on external interfaces to prevent unauthorized access.
  • Use default: PublicAuthConfig only for internal or development environments.
  • Combine authentication (SecurityManager) with strict namespace isolation (TenantManagement) for secure multi-tenant setups.
  • Use secure transport (TLS/DTLS) with authentication for all untrusted networks.
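As an added worked example (not part of MAPS Messaging or of this page), a small Python audit that cross-checks the three files described above: every interface auth value must name a SecurityManager key, a non-loopback interface must not fall back to PublicAuthConfig or plaintext tcp, and any TenantManagement entry with namespaceRoot: / (including the default user shown above) is flagged as unrestricted. It assumes that an interface with neither auth nor sasl uses the default entry, and it embeds the configurations as Python dicts rather than parsing the YAML files.

```python
"""Offline audit of the auth wiring described above (SecurityManager keys, interface
auth/sasl fields, TenantManagement scopes); sample configs are constructed dicts."""

LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}

# Mirrors SecurityManager.yaml; its keys are what an interface's `auth` may name.
SECURITY_MANAGER = {"default": "PublicAuthConfig",
                    "usernamePassword": "UsernamePasswordLoginModule"}
INTERFACES = [  # first two are the page's examples, last two are constructed
    {"name": "TCP MQTT Interface", "url": "tcp://:::1883/", "protocol": "mqtt",
     "auth": "usernamePassword"},
    {"name": "AMQP Interface", "url": "tcp://:::5672/", "protocol": "amqp",
     "sasl": {"mechanism": "SCRAM-SHA-512", "identityProvider": "system"}},
    {"name": "Dev MQTT", "url": "tcp://:::1884/", "protocol": "mqtt"},  # no auth field
    {"name": "Admin MQTT", "url": "tcp://127.0.0.1:1885/", "protocol": "mqtt",
     "auth": "ldap"},  # names a module SecurityManager does not define
]
TENANTS = [{"name": "matthew", "namespaceRoot": "/", "scope": "user"},
           {"name": "default", "namespaceRoot": "/", "scope": "user"}]


def bind_host(url: str) -> str:
    """Bind host of a MAPS url: in 'tcp://:::1883/' it is the IPv6 wildcard '::'."""
    rest = url.split("://", 1)[1].rstrip("/")
    host = rest.rpartition(":")[0]
    return host.strip("[]") or "0.0.0.0"  # empty host means every IPv4 address


def audit(security=SECURITY_MANAGER, interfaces=INTERFACES, tenants=TENANTS):
    """Return findings as 'LEVEL <name>: <message>' strings."""
    findings = []
    public_default = security.get("default") == "PublicAuthConfig"
    for iface in interfaces:
        name = iface["name"]
        external = bind_host(iface["url"]) not in LOOPBACK_HOSTS
        if external and iface["url"].startswith("tcp://"):
            findings.append(f"WARN {name}: plaintext tcp on a non-loopback bind; use TLS/DTLS")
        if "sasl" in iface:
            if not iface["sasl"].get("mechanism"):
                findings.append(f"ERROR {name}: sasl block has no mechanism")
            continue
        auth = iface.get("auth", "default")  # assumption: no auth field -> 'default' entry
        if auth not in security:
            findings.append(f"ERROR {name}: auth '{auth}' is not defined in SecurityManager")
        elif auth == "default" and public_default and external:
            findings.append(f"WARN {name}: non-loopback interface falls back to PublicAuthConfig")
    for user in tenants:
        if user.get("namespaceRoot") == "/":  # '/' grants every queue/topic
            findings.append(f"WARN {user['name']}: namespaceRoot '/' is unrestricted")
    return findings
```

Running audit() on the sample data reports one ERROR (the undefined ldap module) and WARN lines for the plaintext binds, the Dev MQTT fallback to PublicAuthConfig, and both users' unrestricted namespaceRoot.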