Pub Sub Security - An EFPF Innovation
To enable asynchronous, service-to-service communication following the publish-subscribe messaging pattern, a RabbitMQ message broker is provided as part of the EFPF platform's Data Spine. Access to the Data Spine (and its various components) is managed by the Keycloak-based Identity Management Service.
The EFPF project partners investigated various RabbitMQ plugins that can enable authorization and authentication through the Keycloak Server. However, it was found that enabling the available plugins would create a reliance of the EFPF Data Spine on external, proprietary components for authorization decisions while also increasing latency.
To enable the synchronization of user accounts between the EFPF platform and RabbitMQ (as a component of Data Spine), and allow users to interact with the platform-level message broker through the inherent Single-Sign-On mechanism, the project has designed and developed a Pub Sub Security Service.
The Pub Sub Security Service is a web client application that allows users to interact with the EFPF Message Broker. The service provides a graphical user interface, accessible through the EFPF Portal, which consists of three core capabilities: Resource Management, Topic & Permissions Management, and Monitoring.
Within EFPF there are four distinct asset types that have been determined to require publish or subscribe access to the EFPF Message Broker or Message Bus. These are Tools, Services, Factory Connectors and Integration Flows, which are collectively considered "Resources" within the Pub Sub Security Service. The resource management capability provides the ability to view or register resources that require access to the Message Bus, and to indicate whether the related topic data can be publicly discovered by other users who may then request permission to subscribe to the topic. Alongside this, the resource management capability provides the ability to attach a geolocation to a resource, for geographically located resources such as Factory Connectors or IoT Gateways.
The Topic and Permission Management capabilities within the Pub Sub Security Service provide EFPF users with the ability to create, publish and manage topics for their registered resources. A web page is also provided for the discovery and viewing of managed topics and of those marked public by other users. On this page, users can request permission from the topic owner to publish or subscribe to the listed topics, and can download the credentials and configuration details needed to connect to the topic over an MQTTS or AMQPS connection. Alongside this, an admin page is provided for topic owners that allows them to manage permission requests for the topics they own. This includes the ability to approve and reject requests and to revoke the permissions of previously approved requests. Within the Pub Sub Security Service, topic creation follows the Sparkplug naming convention, and this is enforced within the application.
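The two mechanisms described above, Sparkplug topic-name enforcement and the request/approve/reject/revoke permission workflow, can be illustrated with a small model. The code below is an added example and is not the EFPF project's own code: it assumes the Sparkplug B topic grammar `spBv1.0/<group_id>/<message_type>/<edge_node_id>[/<device_id>]` (plus the host-application state topic `spBv1.0/STATE/<host_id>`) and models the permission states as a simple in-memory registry; the class and function names (`validate_sparkplug_topic`, `TopicRegistry`, `Request`) are illustrative and do not correspond to the service's API.

```python
"""Sparkplug B topic validation plus a topic-permission request workflow.

Added example, not EFPF project code. Assumptions (labelled):
- Topic grammar follows the Sparkplug B specification:
  spBv1.0/<group_id>/<message_type>/<edge_node_id>[/<device_id>]
  and the host-application state topic spBv1.0/STATE/<host_id>.
- The permission workflow (request -> approve/reject -> revoke) is a
  simplified model of what the page describes, not the service's API.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

NAMESPACE = "spBv1.0"
NODE_TYPES = {"NBIRTH", "NDEATH", "NDATA", "NCMD"}       # 4-element topics
DEVICE_TYPES = {"DBIRTH", "DDEATH", "DDATA", "DCMD"}     # 5-element topics
WILDCARDS = set("+#")  # MQTT wildcards must never appear in a concrete topic


def validate_sparkplug_topic(topic: str) -> Optional[str]:
    """Return None if the topic is valid, otherwise a reason for rejection."""
    if not topic or topic != topic.strip():
        return "topic is empty or has surrounding whitespace"
    parts = topic.split("/")
    if any(p == "" for p in parts):
        return "empty topic element (leading, trailing or doubled '/')"
    if any(WILDCARDS & set(p) for p in parts):
        return "wildcard characters '+' and '#' are not allowed"
    if parts[0] != NAMESPACE:
        return f"namespace must be {NAMESPACE!r}"
    if len(parts) >= 2 and parts[1] == "STATE":
        return None if len(parts) == 3 else "STATE topic must be spBv1.0/STATE/<host_id>"
    if len(parts) not in (4, 5):
        return "expected spBv1.0/<group>/<type>/<edge_node>[/<device>]"
    msg_type = parts[2]
    if len(parts) == 4 and msg_type not in NODE_TYPES:
        return f"{msg_type!r} is not a node-level message type"
    if len(parts) == 5 and msg_type not in DEVICE_TYPES:
        return f"{msg_type!r} is not a device-level message type"
    return None


class Status(Enum):
    PENDING = "pending"
    APPROVED = "approved"
    REJECTED = "rejected"
    REVOKED = "revoked"


@dataclass
class Request:
    requester: str
    topic: str
    action: str  # "publish" or "subscribe"
    status: Status = Status.PENDING


@dataclass
class TopicRegistry:
    """Hypothetical in-memory store: topic -> owner, plus permission requests."""
    owners: dict = field(default_factory=dict)
    requests: list = field(default_factory=list)

    def create_topic(self, owner: str, topic: str) -> None:
        reason = validate_sparkplug_topic(topic)  # naming convention is enforced here
        if reason:
            raise ValueError(f"rejected {topic!r}: {reason}")
        if topic in self.owners:
            raise ValueError(f"{topic!r} is already registered")
        self.owners[topic] = owner

    def request(self, user: str, topic: str, action: str) -> Request:
        if topic not in self.owners:
            raise KeyError(topic)
        if action not in ("publish", "subscribe"):
            raise ValueError(f"unknown action {action!r}")
        req = Request(user, topic, action)
        self.requests.append(req)
        return req

    def _decide(self, owner: str, req: Request, new: Status, allowed_from: set) -> None:
        # Only the topic owner may decide, and only from a valid prior state.
        if self.owners[req.topic] != owner:
            raise PermissionError("only the topic owner can manage requests")
        if req.status not in allowed_from:
            raise ValueError(f"cannot move {req.status.value} request to {new.value}")
        req.status = new

    def approve(self, owner: str, req: Request) -> None:
        self._decide(owner, req, Status.APPROVED, {Status.PENDING})

    def reject(self, owner: str, req: Request) -> None:
        self._decide(owner, req, Status.REJECTED, {Status.PENDING})

    def revoke(self, owner: str, req: Request) -> None:
        self._decide(owner, req, Status.REVOKED, {Status.APPROVED})

    def is_allowed(self, user: str, topic: str, action: str) -> bool:
        """Owners always have access; others need an APPROVED request for that action."""
        if self.owners.get(topic) == user:
            return True
        return any(r.requester == user and r.topic == topic and r.action == action
                   and r.status is Status.APPROVED for r in self.requests)
```

The validator rejects MQTT wildcards and malformed element counts before a topic is ever registered, so a requester can only ask for a concrete, owner-registered topic; the state transitions in `_decide` make revocation reachable only from an approved request, which is the behaviour the admin page described above exposes.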
The Pub Sub Security Service also provides monitoring capabilities through a dedicated web page, which gives users an overview of the resources and topics they manage and of the topics for which they hold publish or subscribe permission. To give an insight into the tool and its user interface, a screenshot of the "View Topics" page has been included below.
With the above features, the Pub Sub Security Service can be seen as a niche innovation within the EFPF Platform, as it introduces a security and privacy layer that is typically missing from open-source message brokers such as RabbitMQ. More details about the Pub Sub Security Service are available on the EFPF Documentation Portal: https://docs.efpf.linksmart.eu/