Add an option to allow client bypass auth plugins

etc/emqx.conf

@@ -849,6 +849,11 @@ zone.internal.ignore_loop_deliver = false
 ## Value: true | false
 zone.internal.strict_mode = false
 
+## Allow the zone's clients to bypass authentication step
+##
+## Value: true | false
+zone.internal.bypass_auth_plugins = true
+
 ##--------------------------------------------------------------------
 ## Listeners
 ##--------------------------------------------------------------------

priv/emqx.schema

@@ -939,6 +939,12 @@ end}.
   {datatype, {enum, [true, false]}}
 ]}.
 
+%% @doc Whether to bypass the authentication step
+{mapping, "zone.$name.bypass_auth_plugins", "emqx.zones", [
+  {default, false},
+  {datatype, {enum, [true, false]}}
+]}.
+
 {translation, "emqx.zones", fun(Conf) ->
   Mapping = fun("publish_limit", Val) ->
                     [L, D] = string:tokens(Val, ", "),

src/emqx_access_control.erl

@@ -34,11 +34,12 @@
 
 -spec(authenticate(emqx_types:clientinfo()) -> {ok, result()} | {error, term()}).
 authenticate(ClientInfo = #{zone := Zone}) ->
-    case run_hooks('client.authenticate', [ClientInfo], default_auth_result(Zone)) of
-        Result = #{auth_result := success} ->
-            {ok, Result};
-	    Result ->
-            {error, maps:get(auth_result, Result, unknown_error)}
+    AuthResult = default_auth_result(Zone),
+    case emqx_zone:get_env(Zone, bypass_auth_plugins, false) of
+        true ->
+            return_auth_result(AuthResult);
+        false ->
+            return_auth_result(run_hooks('client.authenticate', [ClientInfo], AuthResult))
     end.
 
 %% @doc Check ACL
@@ -81,3 +82,8 @@ default_auth_result(Zone) ->
 run_hooks(Name, Args, Acc) ->
     ok = emqx_metrics:inc(Name), emqx_hooks:run_fold(Name, Args, Acc).
 
+-compile({inline, [return_auth_result/1]}).
+return_auth_result(Result = #{auth_result := success}) ->
+    {ok, Result};
+return_auth_result(Result) ->
+    {error, maps:get(auth_result, Result, unknown_error)}.

test/emqx_access_control_SUITE.erl

@@ -52,6 +52,20 @@ t_check_acl(_) ->
 t_reload_acl(_) ->
     ?assertEqual(ok, emqx_access_control:reload_acl()).
 
+t_bypass_auth_plugins(_) ->
+    AuthFun = fun(#{zone := bypass_zone}, AuthRes) ->
+                      {stop, AuthRes#{auth_result => password_error}};
+                 (#{zone := _}, AuthRes) ->
+                      {stop, AuthRes#{auth_result => success}}
+              end,
+    ClientInfo = clientinfo(),
+    emqx_zone:set_env(bypass_zone, allow_anonymous, true),
+    emqx_zone:set_env(zone, allow_anonymous, false),
+    emqx_zone:set_env(bypass_zone, bypass_auth_plugins, true),
+    emqx:hook('client.authenticate', AuthFun, []),
+    ?assertMatch({ok, _}, emqx_access_control:authenticate(ClientInfo#{zone => bypass_zone})),
+    ?assertMatch({ok, _}, emqx_access_control:authenticate(ClientInfo)).
+
 %%--------------------------------------------------------------------
 %% Helper functions
 %%--------------------------------------------------------------------

test/emqx_logger_formatter_SUITE.erl

@@ -20,6 +20,7 @@
 -module(emqx_logger_formatter_SUITE).
 
 -compile(export_all).
+-compile(nowarn_export_all).
 
 -include_lib("eunit/include/eunit.hrl").
 -include_lib("common_test/include/ct.hrl").