# 基于MySQL的MQTT連接認證實現
## 摘要
本文詳細探討了如何利用MySQL數據庫實現MQTT協議中的客戶端連接認證機制。內容涵蓋MQTT協議基礎、認證流程設計、MySQL數據庫建模、服務端實現方案(以EMQX為例)、性能優化策略及安全防護措施,為物聯網系統提供可落地的安全認證解決方案。
---
## 1. MQTT協議與認證機制概述
### 1.1 MQTT協議特點
MQTT(Message Queuing Telemetry Transport)作為輕量級的發布/訂閱模式消息協議,具有以下核心特性:
- 低帶寬消耗(最小報文僅2字節)
- 支持QoS等級(0-2級可靠性保障)
- 基于主題(Topic)的消息路由
- 持久會話保持能力
### 1.2 認證場景需求
在物聯網應用中,設備連接認證需要滿足:
- **設備級身份驗證**:防止非法設備接入
- **動態權限控制**:可隨時變更發布/訂閱權限
- **審計追蹤**:記錄設備連接日志
- **高并發處理**:支持海量設備同時認證
### 1.3 常見認證方式對比
| 認證類型 | 優點 | 缺點 |
|----------------|-----------------------|-----------------------|
| 匿名認證 | 零配置 | 無任何安全防護 |
| 靜態密碼文件 | 簡單易用 | 難以維護大量設備 |
| Redis認證 | 高性能 | 數據易失性 |
| MySQL認證 | 持久化/復雜查詢支持 | 需要優化查詢性能 |
---
## 2. MySQL數據庫設計
### 2.1 數據表結構
```sql
CREATE TABLE `mqtt_devices` (
`id` BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
`client_id` VARCHAR(64) NOT NULL COMMENT '設備唯一標識',
`username` VARCHAR(32) NOT NULL,
`password_hash` VARCHAR(128) NOT NULL COMMENT 'SHA-256加密',
`salt` CHAR(16) NOT NULL COMMENT '密碼鹽值',
`status` TINYINT DEFAULT 1 COMMENT '0-禁用 1-啟用',
`created_at` TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
PRIMARY KEY (`id`),
UNIQUE KEY `uk_client` (`client_id`),
UNIQUE KEY `uk_username` (`username`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
CREATE TABLE `mqtt_acl` (
`id` BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
`client_id` VARCHAR(64) NOT NULL,
`topic` VARCHAR(128) NOT NULL,
`access` TINYINT NOT NULL COMMENT '1-訂閱 2-發布 3-訂閱發布',
`qos` TINYINT DEFAULT 0,
`retain` BOOLEAN DEFAULT FALSE,
PRIMARY KEY (`id`),
KEY `idx_client` (`client_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
client_id建立覆蓋索引topic(64))erDiagram
mqtt_devices ||--o{ mqtt_acl : "1:N"
mqtt_devices {
bigint id PK
varchar(64) client_id
varchar(32) username
varchar(128) password_hash
char(16) salt
tinyint status
}
mqtt_acl {
bigint id PK
varchar(64) client_id FK
varchar(128) topic
tinyint access
}
emqx_auth_mysql插件:
./bin/emqx_ctl plugins load emqx_auth_mysql
etc/plugins/emqx_auth_mysql.conf:
“`properties
auth.mysql.server = 127.0.0.1:3306
auth.mysql.username = emqx
auth.mysql.password = xxxxxx
auth.mysql.database = iot_authauth.mysql.auth_query = SELECT password_hash, salt FROM mqtt_devices WHERE username = ‘%u’ LIMIT 1 auth.mysql.super_query = SELECT COUNT(*) FROM mqtt_superusers WHERE username = ‘%u’
auth.mysql.acl_query = SELECT topic, access, qos, retain FROM mqtt_acl WHERE client_id = ‘%c’ OR username = ‘%u’
### 3.2 密碼加密方案
推薦使用加鹽哈希:
```python
import hashlib
import os
def hash_password(password):
salt = os.urandom(16).hex()
iterations = 10000
key = hashlib.pbkdf2_hmac(
'sha256',
password.encode('utf-8'),
salt.encode('utf-8'),
iterations
)
return f"pbkdf2${iterations}${salt}${key.hex()}"
auth.mysql.pool = 8
auth.mysql.pool_size = 32
SELECT SQL_CACHE * FROM mqtt_devices WHERE username = ?
auth.mysql.password_hash_redis_ttl = 3600
| 并發連接數 | MySQL QPS | 平均延遲 | 99分位延遲 |
|---|---|---|---|
| 1,000 | 1,200 | 12ms | 25ms |
| 5,000 | 5,800 | 15ms | 35ms |
| 10,000 | 9,500 | 18ms | 50ms |
CREATE TABLE `mqtt_login_attempts` (
`client_id` VARCHAR(64) PRIMARY KEY,
`attempts` INT DEFAULT 1,
`last_failed` TIMESTAMP
);
listener.ssl.external.keyfile = etc/certs/key.pem
listener.ssl.external.certfile = etc/certs/cert.pem
CREATE TABLE `mqtt_auth_logs` (
`id` BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
`client_id` VARCHAR(64),
`login_time` TIMESTAMP(3),
`is_success` BOOLEAN,
`remote_ip` VARCHAR(39),
PRIMARY KEY (`id`),
INDEX `idx_time` (`login_time`)
) ENGINE=InnoDB;
import paho.mqtt.client as mqtt
def test_auth():
client = mqtt.Client(client_id="test_device_001")
client.username_pw_set(
username="device_001",
password="correct_password"
)
client.connect("broker.example.com", 1883)
client.subscribe("sensor/001/temperature")
client.publish("sensor/001/temperature", "25.6")
