Add basic permissions and security

This commit adds configuring some basic security. It enables
anonymous read only access (which is important for this use case)
also setups a privileged user which has global readwrite on the
broker. Eventually we can move to a more fine grained permission
model with per service and per topic write permission, but this is
a sane starting point.

Change-Id: I546007f1f4fc57d9edd54294a27c2cd726a134db

manifests/server.pp

@@ -18,14 +18,40 @@ class mosquitto::server (
   $pid_file = '/var/run/mosquitto.pid',
   $log_file = '/var/log/mosquitto/mosquitto.log',
   $persistence_location = '/var/lib/mosquitto/',
+  $infra_service_username = 'infra',
+  $infra_service_password,
 ) {
 
+  file {'/etc/mosquitto/infra_service.pw':
+    ensure  => present,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    replace => true,
+    require => Package['mosquitto'],
+  }
+
+  exec {'passwd_file':
+    command => "/usr/bin/mosquitto_passwd -b /etc/mosquitto/infra_service.pw ${infra_service_username} ${infra_service_password}",
+    require => File['/etc/mosquitto/infra_service.pw']
+  }
+
+  file {'/etc/mosquitto/infra_service.acl':
+    ensure  => present,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    replace => true,
+    content => template('mosquitto/mosquitto.acl.erb'),
+    require => Exec['passwd_file'],
+  }
+
   file {'/etc/mosquitto/mosquitto.conf':
     ensure  => present,
     owner   => 'root',
     group   => 'root',
     mode    => '0644',
     content => template('mosquitto/mosquitto.conf.erb'),
-    require => Package['mosquitto'],
+    require => File['/etc/mosquitto/infra_service.acl'],
   }
 }

templates/mosquitto.acl.erb

@@ -0,0 +1,4 @@
+topic read #
+
+user <%= @infra_service_username %>
+ topic readwrite #

templates/mosquitto.conf.erb

@@ -595,7 +595,8 @@ log_dest file <%= @log_file %>
 #
 # pattern write sensor/%u/data
 #
-#acl_file
+acl_file /etc/mosquitto/infra_service.acl
+password_file /etc/mosquitto/infra_service.pw
 
 # -----------------------------------------------------------------
 # Authentication and topic access plugin options