-
Notifications
You must be signed in to change notification settings - Fork 63
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
MQTT Broker within FlowForge #464
Comments
Some simple options could be, the Aedes node within Node-RED provides a broker inside NR |
I believe this basically means giving each project their own IP address which I don't think i feasible (Given cost of buying IPv4 address ranges these days). |
doesn't have to be a whole IP address, each project could just be given a single random port. |
or possibly using SNI if connections were all TLS |
The comment was in regard to the the generic TCP access problem, not specifically MQTT. We will need to look at the options for none HTTP load balancing (this is how K8s talks about this stuff) in AWS EKS |
Host a broker cluster and give each project a mount point. we can surely make the subscribe connection to a broker from a project right? |
If this issue is still being discussed, I think a simple solution would be to host a broker cluster, it doesnt matter where it is, as long as we can expand to additional compute resources. we ingress everything using a dns address, |
@knolleary Would appreciate your thoughts here. In general I tend to understand this as: #464 (comment) We should ship 0.7 with a Bring your own broker, but a working version for FF.cloud. |
We need to be very careful to not think BYOB solves this properly. For a FF Enterprise install, the customer can of course choose to run their own MQTT broker and use the standard MQTT nodes in NR to communicate with it. That is one valid definition of BYOB. However it does make the significant assumption that they implement their own security on the broker - controlling what credentials can publish/subscribe to what topics spaces. When it comes to FF.cloud - we need to get the security model right from the start and it must be integrated with the Team/Project security model. To implement the magic 'communicate between projects' nodes, we need to provide credentials for those nodes to connect to the appropriate broker. If this was running entirely inside FF.cloud (where the end user doesn't have access to the underlying credentials etc inside the container) then we could do the appropriate MQTT topic handling in the nodes to keep it secure. The problem comes when you consider Devices - which we definitely do want to consider here. This is because the code is running outside of FF.cloud - so the credentials to connect to the broker are outside of our control. Those credentials must only allow the the client using them to use very specific MQTT topics. Otherwise it would be able to subscribe to any messages on the broker and snoop on what is being sent by anyone. The point I'm getting to is we need much more than 'just run our own mqtt broker in ff.cloud'. We need to integrate it in such a way to be able to provision new credentials on the broker for each project and device, with suitable topic access control in place to restrict what it can do. That type of integration is going to be specific for the flavour of MQTT broker we use - and is critical to get right. On the basis that we definitely want to go in this direction, the next steps are:
|
Figma design doc (sharing ahead of a design working session, so currently no content to see...) - https://www.figma.com/file/BODuex2gt5E3d1KG4sXgAn/MQTT-Broker?node-id=0%3A1 |
updated 21/7
|
21-Jun edit - ignore this comment. We're not using mosquitto-dynamic-security, so this list of users/roles/groups is outdated. Out dated comment - leaving for future referenceOn the working assumption we'll use mosquitto as the broker of choice initially, we need to map the above table of topics to mosquitto users/roles/groups.Roles
Groups
17-Jun: Current plan is to skip groups and assign roles to clients directly.
|
Just adding some notes on pricing for this: The MQTT Broker itself will make possible 3 different user facing features:
1 is part of devices and will not be charged for separately so should be availble to all teasm |
A consequence of 2 is the need to introduce team tiers before we do this work. We can still do the technical work (and there is a lot of it to be done - possibly more than we can contain in one release) to add an MQTT broker to the environment for 0.7, but we won't have any new features to talk about for end-users. |
Yes 2 also depends on the custom nodes, #662 so there may be something to consider there, or we may want to delay that work |
We are shifting over to using The table of topics is still valid (#464 (comment)) To aid with efficient ACL handling, the usernames for the clients will include the team and object id in them:
That allows the ACL check to verify the a project is accessing the right team topic space by comparing the team in the username with the topic component - without any db lookup needed. In the device case, we just have to verify the device is assigned to the project it is trying to publish/subscribe on behalf of. |
MQTT broker URLS. Been thinking and playing. Current thinking is that we should have 2, internal and external. Internal will be used by projects, External will be used by Devices. For all all the Container drivers it makes sense to keep the comms inside the system (both speed and cost). Internal
No need for TLS/SSL (yet) as all running on loopback or inside the Container Orchestration system External
This automatically handles WSS and means we don't need to work out how to expose arbitrary TCP services |
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
I have a working version of the helm chart that adds the broker and configures it. It exposes the broker as a http/websocket endpoint. Will look at the docker-compose next, but it should be basically very similar. |
I've updated the topic table in #464 (comment) so that devices can subscribe to a common command topic for a given project - whilst allowing the launcher to have its own separate command/status topic space. |
Can this be closed now? |
Description
To improve the efficiency of how launchers/devices report status and receive commands, we want to introduce an MQTT Broker into the FlowForge architecture. It will also enable a custom set of nodes described in #662 to provide seamless cross-project communication.
This story does not cover external usage of the broker. See #738 for the story covering that
The text was updated successfully, but these errors were encountered: