MQTT v2 - How can I separate the user / password from the .things file

My question is about .things and possibly .cfg files, not .rules; please kindly point me to the right place to post it if this is not the right one. TIA

So I finally migrated my MQTT use from the old 1.x binding to the newer one and everything appears to run smoothly, just one bit irritates me:

With the prior config I had the secrets (MQTT user, password, server) in a file of their own, services/mqtt.cfg. Nice for working with GitHub: one line in the .gitignore file and all the secrets stay at home.
But now it is all merged together in the .things file; I have a mqttConnections.things that looks like this:


Bridge mqtt:broker:mqBroker [ host="192.168.123.45", secure=false, username="oho", password="so_secret" ]
{
    Thing topic sensors "mqSensors" {

        Channels:
             ...
             ...

    }
}

Is there an easy way to keep secrets and details separate?
The same goes for my hue.things…
Thanks for any pointers!

Short answer is no. I’ve seen some discussion about a way to support secrets in OH, but at this time the username and password have to be defined on the Thing.

But you can define that Bridge thing in its own .things file and configure your .gitignore as appropriate.

2 Likes

Like Rich said, there is no option to separate secrets in their own include file (like HA does) and exclude them or otherwise secure them.

Besides excluding files, there is an alternative, if somewhat more involved, option: use git-crypt to automatically encrypt/decrypt specified files or directories containing secrets when pushing to or pulling from a Git server (like GitHub).

2 Likes

Oh, well…
I was hoping to get a different answer, but thank you both for the fast replies!

I would very much like to see this implemented as well. I have an Arduino set up via MQTT to report my garage door status to openHAB, and I have a separate secrets file in the Arduino project for MQTT credentials, as well as the Wi-Fi password. I would like to do the same in openHAB, not only for MQTT Things, but also my IP camera credentials.

Do you know about setting a bounty for new features?

I do not, though a quick search found BountySource; is this what you mean?

Yes, with the idea that multiple people can add to a bounty, which draws attention to a feature with a reward. openHAB 3 is bringing more security features, I’m just not sure what they will be.

Great, thanks for the heads-up.

I’ve solved this issue by using Maven and the maven-resources-plugin to filter the configuration files. This way I can put my configuration files into GitHub and configure the sensitive information (usernames, passwords, home locations, etc.) in a separate Maven profile, which can be configured in ~/.m2/settings.xml.

Another nice thing is that I can do an auto-deploy to my openHAB test environment, which is hooked into the Maven lifecycle.

I’ve added my pom.xml as an attachment as an example. The idea is that the sources are placed under src/config and after executing ‘mvn package’ the configuration files, which now include the sensitive data, are written to target/config.

When you want to auto-deploy the configuration files to your openHAB server, you just have to execute ‘mvn deploy -P local,deploy-to-openhab’, where ‘local’ is the profile configured in settings.xml which holds all the parameter values.

pom.xml (4.5 KB)

1 Like
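The template-plus-profile split the Maven answer describes, shown here as an added example in plain POSIX shell rather than Maven (this is not the poster's pom.xml or any openHAB code): a tracked .things template holds only @NAME@ placeholders, a git-ignored secrets file holds the values, and a render step writes the real file outside the repository. The file paths, the @NAME@ token style and the secret values are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the thread. Renders target/config/*.things from a
# tracked template plus an untracked secrets file; placeholder style, paths
# and values are constructed here so the script runs stand-alone.
set -eu

WORK="${TMPDIR:-/tmp}/oh-secrets-demo"
mkdir -p "$WORK/src/config" "$WORK/target/config"

# Tracked in git: only placeholders, no credentials (constructed sample).
cat > "$WORK/src/config/mqttConnections.things" <<'EOF'
Bridge mqtt:broker:mqBroker [ host="@MQTT_HOST@", secure=false, username="@MQTT_USER@", password="@MQTT_PASS@" ]
{
    Thing topic sensors "mqSensors" {
    }
}
EOF

# Listed in .gitignore, never committed (constructed sample values).
cat > "$WORK/secrets.env" <<'EOF'
MQTT_HOST=192.168.123.45
MQTT_USER=oho
MQTT_PASS=so_secret
EOF

# render_things TEMPLATE SECRETS OUTPUT: replaces every @KEY@ token with the
# KEY=value line from SECRETS. Fails if a token is left unresolved so a
# missing secret cannot silently ship as an empty or literal credential.
render_things() {
    tpl="$1"; secrets="$2"; out="$3"
    cp "$tpl" "$out"
    while IFS='=' read -r key val; do
        [ -n "$key" ] || continue
        # escape sed replacement metacharacters so values like "a&b|c" survive
        esc=$(printf '%s' "$val" | sed 's/[&|\\]/\\&/g')
        sed -i.bak "s|@$key@|$esc|g" "$out" && rm -f "$out.bak"
    done < "$secrets"
    if grep -q '@[A-Z_][A-Z0-9_]*@' "$out"; then
        echo "unresolved placeholder in $out" >&2
        return 1
    fi
}

# template_is_clean FILE: succeeds only if FILE carries no literal password,
# i.e. it is the placeholder version that is safe to commit.
template_is_clean() {
    ! grep -Eq 'password="[^@"]' "$1"
}

render_things "$WORK/src/config/mqttConnections.things" "$WORK/secrets.env" \
    "$WORK/target/config/mqttConnections.things"
```

Run `template_is_clean` as a pre-commit check on src/config and point openHAB at target/config (or copy it there in the deploy step), so the repository only ever sees the placeholders.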