What is New in HiveMQ 4.7?
Written by Magi Erber
Category: HiveMQ Release
Published: September 14, 2021
The HiveMQ team is pleased to announce the release of HiveMQ 4.7. This feature release is packed with new features and improvements that allow for easier management of cloud native deployments, add enterprise security functionality, and bring major improvements to HiveMQ Swarm, the industry’s first scenario-based MQTT load & reliability testing tool.
HiveMQ 4.7 focuses on three main themes: easier operations for cloud native deployments, improved enterprise security, and HiveMQ Swarm upgrades. Here are the highlights:
- Easier Operations for Cloud Native Deployments
  - Machine-Readable Logs that allow for out-of-the-box integration with centralized log systems like the Elastic Stack, Splunk, Loki and others
  - Massive Kubernetes Operator improvements, like OpenShift readiness, state-of-the-art security practices and additional flexibility
- Improved Enterprise Security
  - Control Center integration with single-sign-on providers (like Okta, ForgeRock, Keycloak, Auth0 and others)
  - Upgrades to the Enterprise Security Extensions, like file-based authorization for the Control Center and MQTT clients and a new Case Conversion Preprocessor
- HiveMQ Swarm Upgrade
  - WebSocket Support, which allows for testing millions of MQTT devices or apps that connect over WebSockets
  - Support for abnormal MQTT client disconnection behavior
  - Added Last-Will-and-Testament support for HiveMQ Swarm scenarios
Easier Operations for Cloud Native Deployments
Machine Readable Logs
HiveMQ 4.7 supports machine-readable log files, which allows for easy integration into centralized log management and analytics systems like Elastic Stack, Splunk, Loki or Datadog. The log files use JSON and can be used out-of-the-box with any log shipper. Machine-readable logging adds metadata to the log files that applies to the context of the log message, like “client identifier”, “ip address”, “topic” and many other fields. This allows for easy queries in the centralized log management system, so operators can easily filter for events for specific MQTT clients, or alert if specific events happen for MQTT clients. Check the documentation to learn more about all the fields that can be used out-of-the-box.
Machine-readable logs are available for the following log files:
Machine-readable logs make it very easy to integrate with an existing centralized log management stack. Together with the best-in-class monitoring integration of HiveMQ, observability of complex and large-scale MQTT deployments has never been easier.
Kubernetes Operator Improvements
A major focus of the HiveMQ 4.7 release is the ease of operations. For users utilizing Kubernetes, the best way to deploy and operate HiveMQ is the Kubernetes Operator, which allows for easy and fault-tolerant operations, as well as upgrade and maintenance of HiveMQ deployments on Kubernetes. This release brings major improvements to the Kubernetes operator and focuses heavily on customization and flexibility.
The main new features of the HiveMQ Kubernetes Operator include:
- Full Red Hat OpenShift support
- General availability of stateful set support for better control over cloud provider disk provisioning (like IOPS)
- Better parametrisation of scheduling options and pod settings for maximum flexibility in your deployment. Many parameters are supported, including Pod Labels, Pod Annotations and sidecars. The full list is available here
- Environment variables can now be set directly from secret objects. This is useful for cases where it’s not desirable to have secrets like Java keystore passwords for certificate management
- All containers now run in rootless mode
All changes can be found in the operator and Helm Chart changelog.
SSO for Control Center
Enterprise Security support is key for many professional MQTT deployments. The powerful HiveMQ Control Center is used by administrators for management and troubleshooting of the MQTT brokers as well as for troubleshooting unexpected MQTT client behavior at scale. A first-class integration with the Enterprise Security Extension allows administrators to centrally manage, add and remove credentials and use role-based access control mechanisms. In HiveMQ 4.7, we added the ability to integrate with single-sign-on (SSO) providers to allow for easy, role-based access to the Control Center. This allows enterprise customers to use their existing SSO solution without needing to maintain separate users for the HiveMQ Control Center. Any OAuth 2.0 provider that supports the Authorization Code Flow is supported, including:
The SSO for Control Center is available via the Enterprise Security Extension, and the documentation can be found here.
File Based Authorization
Another major feature added in HiveMQ 4.7 is the ability to use File Based Authorization mechanisms for MQTT clients as well as Control Center users. While each MQTT client (and also each Control Center user) usually uses a distinct credential pair (or a more advanced authentication mechanism like X509 client certificates), the permissions based on roles are similar. The traditional way is to use a centralized store, like a database or LDAP, for storing permissions and roles. This is especially useful if the permissions and roles are dynamic. Especially for Industrial IoT use cases, roles are pretty static. For these kinds of situations we added the ability to use file-based authorization. It’s possible to use this new authorization method for role-based permissions or user-based permissions.
HiveMQ Swarm is the industry’s first MQTT load & reliability testing tool that enables organizations of all sizes to reliably simulate and test IoT applications at any scale, on any environment or level of complexity. And it just got better with this release. We recently introduced the tool, and we received so much feedback that this is a complete game changer for quality assurance, end-to-end MQTT infrastructure testing as well as capacity planning. We added the following features for this release, based on many requests and customer conversations:
- WebSocket Support: HiveMQ Swarm now supports testing of MQTT clients that connect to the broker via WebSockets. This is useful for (web) applications but also for MQTT clients that use WebSocket transport for a variety of reasons. Of course, WebSockets over TLS are also fully supported.
- Support simulation of abnormal MQTT client disconnection behavior: Testing for failure scenarios is important. With this release we added the ability to test abnormal MQTT client behavior, e.g. half open socket support, TCP socket closing and other strategies. Ever wondered how your infrastructure would behave if clients just wouldn’t send back data packets, but appear to be online? This can be tested now with HiveMQ Swarm.
- LWT support: HiveMQ Swarm now also supports Last-Will-and-Testament for connecting to MQTT brokers. This is a popular MQTT feature, and HiveMQ Swarm users can now parametrize all aspects of the LWT behavior.
Other Noteworthy Features and Improvements
Besides performance and stability improvements, we also added the following features and improvements:
- Dynamic Connect Overload Protection: The HiveMQ Overload Protection helps to prevent cascading failures and allows for seamless service degradation while affecting the minimal number of MQTT clients in failure scenarios (e.g. when cloud infrastructure degrades). This release also adds support for stopping reconnect storms when a large number of MQTT clients reconnect at the same time: a dynamic connect overload protection only allows clients to connect if enough resources are available.
- New Case Conversion Preprocessor for Enterprise Security Pipelines: The Enterprise Security Extension allows data read from a realm (e.g. a database) to be converted before the extension proceeds with the data. This release brings a new Case Conversion Preprocessor that can apply uppercase or lowercase modifications to any text data.
- Enterprise SDK APIs for Custom Control Center Authentication: Users of the Enterprise SDK can now also hook in their own Control Center authentication methods. Any standard or non-standard authentication methods can be implemented with ease. Feel free to talk to us!