Access to topic ' ' in exchange 'amq.topic' in vhost '/' refused for user Publish/subscribe MQTT
2,764 views
Skip to first unread message
Sachin Deshpande
Mar 30, 2018, 4:49:41 AM3/30/18
to rabbitmq-users
Hello All,
I am able to connect to the Rabbitmq 3.7.4 with mqtt plugin enabled.
Now I am trying to publish the data from remote client (Mqtt.fx). I am publishing the data with topic home/garden/fountain.
On the rabbitmq side I have created the user mqtt-test. Have set the permission for amq.topic exchange as below
| Virtual host | Configure regexp | Write regexp | Read regexp | |
|---|---|---|---|---|
| / | .* | .* | .* |
Created the queue mymqtt-queue. Added binding to this queue with exchange amq.topic.
When I try to publish / subscribe the from Mqtt client then I get the following error (rab...@tmt01-a.log) and the client disconnects.
2018-03-30 13:20:10.206 [info] <0.4180.0> MQTT vhost picked using plugin configuration or default
2018-03-30 13:20:10.208 [info] <0.4180.0> accepting MQTT connection <0.4180.0> (192.168.2.11:62021 -> 192.168.2.28:1883)
2018-03-30 13:20:11.522 [error] <0.4180.0> operation resulted in an error (access_refused): "access to topic 'home.garden.fountain' in exchange 'amq.topic' in vhost '/' refused for user 'mqtt-test'"
~
Can you please let me know where I am going wrong and how to resolve the issue ?
Thanks and Regards
Sachin
Arnaud Cogoluègnes
Mar 30, 2018, 8:30:08 AM3/30/18
to rabbitm...@googlegroups.com
How do specify which user you're using? There are several ways to do so, have a look at the plugin documentation [1].
Please post also the broker configuration and the client code.
--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-users+unsubscribe@googlegroups.com.
To post to this group, send email to rabbitmq-users@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Message has been deleted
Sachin Deshpande
Apr 1, 2018, 4:18:58 AM4/1/18
to rabbitm...@googlegroups.com
I still unable to publish / subscribe the data.. Can you please let me know what I am missing.
Sachin
On Fri, 30 Mar 2018, 19:12 Sachin Deshpande, <deshpan...@gmail.com> wrote:
Hello,I am using Mqtt.fx client on windows. It has the option of specifying the user. There I have configured the IP address and port of the server and also the user configuration (user: mqtt-test and password: ******)Here is the report for the serverroot@tmt01-a:~# rabbitmqctl reportReporting server status of node rabbit@tmt01-a ...Status of node rabbit@tmt01-a ...[{pid,2457},{running_applications,[{rabbitmq_management,"RabbitMQ Management Console","3.7.4"},{rabbitmq_management_agent,"RabbitMQ Management Agent","3.7.4"},{rabbitmq_mqtt,"RabbitMQ MQTT Adapter","3.7.4"},{rabbitmq_web_dispatch,"RabbitMQ Web Dispatcher","3.7.4"},{rabbit,"RabbitMQ","3.7.4"},{amqp_client,"RabbitMQ AMQP Client","3.7.4"},{rabbit_common,"Modules shared by rabbitmq-server and rabbitmq-erlang-client","3.7.4"},{xmerl,"XML parser","1.3.16"},{cowboy,"Small, fast, modern HTTP server.","2.2.2"},{ranch_proxy_protocol,"Ranch Proxy Protocol Transport","1.4.4"},{ranch,"Socket acceptor pool for TCP protocols.","1.4.0"},{ssl,"Erlang/OTP SSL application","8.2.4"},{public_key,"Public key infrastructure","1.5.2"},{asn1,"The Erlang ASN1 compiler version 5.0.5","5.0.5"},{os_mon,"CPO CXC 138 46","2.4.4"},{inets,"INETS CXC 138 49","6.5"},{cowlib,"Support library for manipulating Web protocols.","2.1.0"},{jsx,"a streaming, evented json parsing toolkit","2.8.2"},{crypto,"CRYPTO","4.2.1"},{mnesia,"MNESIA CXC 138 12","4.15.3"},{recon,"Diagnostic tools for production use","2.3.2"},{lager,"Erlang logging framework","3.5.1"},{goldrush,"Erlang event stream processor","0.1.9"},{compiler,"ERTS CXC 138 10","7.1.5"},{syntax_tools,"Syntax tools","2.1.4"},{sasl,"SASL CXC 138 11","3.1.1"},{stdlib,"ERTS CXC 138 10","3.4.4"},{kernel,"ERTS CXC 138 10","5.4.3"}]},{os,{unix,linux}},{erlang_version,"Erlang/OTP 20 [erts-9.3] [source] [64-bit] [smp:4:4] [ds:4:4:10] [async-threads:64] [hipe] [kernel-poll:true]\n"},{memory,[{connection_readers,0},{connection_writers,0},{connection_channels,0},{connection_other,2840},{queue_procs,41368},{queue_slave_procs,0},{plugins,1075576},{other_proc,25161376},{metrics,200032},{mgmt_db,161752},{mnesia,79944},{other_ets,2214576},{binary,138984},{msg_index,28784},{code,28685589},{atom,1131721},{other_system,11496354},{allocated_unused,23146032},{reserved_unallocated,2539520},{strategy,rss},{total,[{erlang,70418896},{rss,96104448},{allocated,93564928}]}]},{alarms,[]},{listeners,[{clustering,25672,"::"},{amqp,5672,"::"},{mqtt,1883,"::"},{http,15672,"::"}]},{vm_memory_calculation_strategy,rss},{vm_memory_high_watermark,0.4},{vm_memory_limit,1603674112},{disk_free_limit,50000000},{disk_free,742413647872},{file_descriptors,[{total_limit,924},{total_used,3},{sockets_limit,829},{sockets_used,0}]},{processes,[{limit,1048576},{used,392}]},{run_queue,0},{uptime,275},{kernel,{net_ticktime,60}}]Cluster status of node rabbit@tmt01-a ...[{nodes,[{disc,['rabbit@tmt01-a']}]},{running_nodes,['rabbit@tmt01-a']},{cluster_name,<<"rabbit@tmt01-a">>},{partitions,[]},{alarms,[{'rabbit@tmt01-a',[]}]}]Application environment of node rabbit@tmt01-a ...[{amqp_client,[{prefer_ipv6,false},{ssl_options,[]}]},{asn1,[]},{compiler,[]},{cowboy,[]},{cowlib,[]},{crypto,[{fips_mode,false}]},{goldrush,[]},{inets,[]},{jsx,[]},{kernel,[{error_logger,tty},{inet_default_connect_options,[{nodelay,true}]},{inet_dist_listen_max,25672},{inet_dist_listen_min,25672}]},{lager,[{async_threshold,20},{async_threshold_window,5},{colored,false},{colors,[{debug,"\e[0;38m"},{info,"\e[1;37m"},{notice,"\e[1;36m"},{warning,"\e[1;33m"},{error,"\e[1;31m"},{critical,"\e[1;35m"},{alert,"\e[1;44m"},{emergency,"\e[1;41m"}]},{crash_log,"log/crash.log"},{crash_log_count,5},{crash_log_date,"$D0"},{crash_log_msg_size,65536},{crash_log_size,10485760},{error_logger_format_raw,true},{error_logger_hwm,50},{error_logger_hwm_original,50},{error_logger_redirect,true},{extra_sinks,[{error_logger_lager_event,[{handlers,[{lager_forwarder_backend,[lager_event,inherit]}]},{rabbit_handlers,[{lager_forwarder_backend,[lager_event,inherit]}]}]},{rabbit_log_lager_event,[{handlers,[{lager_forwarder_backend,[lager_event,inherit]}]},{rabbit_handlers,[{lager_forwarder_backend,[lager_event,inherit]}]}]},{rabbit_log_channel_lager_event,[{handlers,[{lager_forwarder_backend,[lager_event,inherit]}]},{rabbit_handlers,[{lager_forwarder_backend,[lager_event,inherit]}]}]},{rabbit_log_connection_lager_event,[{handlers,[{lager_forwarder_backend,[lager_event,inherit]}]},{rabbit_handlers,[{lager_forwarder_backend,[lager_event,inherit]}]}]},{rabbit_log_mirroring_lager_event,[{handlers,[{lager_forwarder_backend,[lager_event,inherit]}]},{rabbit_handlers,[{lager_forwarder_backend,[lager_event,inherit]}]}]},{rabbit_log_queue_lager_event,[{handlers,[{lager_forwarder_backend,[lager_event,inherit]}]},{rabbit_handlers,[{lager_forwarder_backend,[lager_event,inherit]}]}]},{rabbit_log_federation_lager_event,[{handlers,[{lager_forwarder_backend,[lager_event,inherit]}]},{rabbit_handlers,[{lager_forwarder_backend,[lager_event,inherit]}]}]},{rabbit_log_upgrade_lager_event,[{handlers,[{lager_file_backend,[{date,[]},{file,"/var/log/rabbitmq/rabbit@tmt01-a_upgrade.log"},{formatter_config,[date," ",time," ",color,"[",severity,"] ",{pid,[]}," ",message,"\n"]},{level,info},{size,0}]}]},{rabbit_handlers,[{lager_file_backend,[{date,[]},{file,"/var/log/rabbitmq/rabbit@tmt01-a_upgrade.log"},{formatter_config,[date," ",time," ",color,"[",severity,"] ",{pid,[]}," ",message,"\n"]},{level,info},{size,0}]}]}]}]},{handlers,[{lager_file_backend,[{date,[]},{file,"/var/log/rabbitmq/rab...@tmt01-a.log"},{formatter_config,[date," ",time," ",color,"[",severity,"] ",{pid,[]}," ",message,"\n"]},{level,info},{size,0}]}]},{log_root,"/var/log/rabbitmq"},{rabbit_handlers,[{lager_file_backend,[{date,[]},{file,"/var/log/rabbitmq/rab...@tmt01-a.log"},{formatter_config,[date," ",time," ",color,"[",severity,"] ",{pid,[]}," ",message,"\n"]},{level,info},{size,0}]}]}]},{mnesia,[{dir,"/var/lib/rabbitmq/mnesia/rabbit@tmt01-a"}]},{os_mon,[{start_cpu_sup,false},{start_disksup,false},{start_memsup,false},{start_os_sup,false}]},{public_key,[]},{rabbit,[{auth_backends,[rabbit_auth_backend_internal]},{auth_mechanisms,['PLAIN','AMQPLAIN']},{autocluster,[{peer_discovery_backend,rabbit_peer_discovery_classic_config}]},{background_gc_enabled,false},{background_gc_target_interval,60000},{backing_queue_module,rabbit_priority_queue},{channel_max,0},{channel_operation_timeout,15000},{cluster_keepalive_interval,10000},{cluster_nodes,{[],disc}},{cluster_partition_handling,ignore},{collect_statistics,fine},{collect_statistics_interval,5000},{config_entry_decoder,[{cipher,aes_cbc256},{hash,sha512},{iterations,1000},{passphrase,undefined}]},{connection_max,infinity},{credit_flow_default_credit,{400,200}},{default_consumer_prefetch,{false,0}},{default_permissions,[<<".*">>,<<".*">>,<<".*">>]},{default_user,<<"guest">>},{default_user_tags,[administrator]},{default_vhost,<<"/">>},{delegate_count,16},{disk_free_limit,50000000},{disk_monitor_failure_retries,10},{disk_monitor_failure_retry_interval,120000},{enabled_plugins_file,"/etc/rabbitmq/enabled_plugins"},{fhc_read_buffering,false},{fhc_write_buffering,true},{frame_max,131072},{halt_on_upgrade_failure,true},{handshake_timeout,10000},{heartbeat,60},{hipe_compile,false},{hipe_modules,[rabbit_reader,rabbit_channel,gen_server2,rabbit_exchange,rabbit_command_assembler,rabbit_framing_amqp_0_9_1,rabbit_basic,rabbit_event,lists,queue,priority_queue,rabbit_router,rabbit_trace,rabbit_misc,rabbit_binary_parser,rabbit_exchange_type_direct,rabbit_guid,rabbit_net,rabbit_amqqueue_process,rabbit_variable_queue,rabbit_binary_generator,rabbit_writer,delegate,gb_sets,lqueue,sets,orddict,rabbit_amqqueue,rabbit_limiter,gb_trees,rabbit_queue_index,rabbit_exchange_decorator,gen,dict,ordsets,file_handle_cache,rabbit_msg_store,array,rabbit_msg_store_ets_index,rabbit_msg_file,rabbit_exchange_type_fanout,rabbit_exchange_type_topic,mnesia,mnesia_lib,rpc,mnesia_tm,qlc,sofs,proplists,credit_flow,pmon,ssl_connection,tls_connection,ssl_record,tls_record,gen_fsm,ssl]},{lager_default_file,"/var/log/rabbitmq/rab...@tmt01-a.log"},{lager_extra_sinks,[rabbit_log_lager_event,rabbit_log_channel_lager_event,rabbit_log_connection_lager_event,rabbit_log_mirroring_lager_event,rabbit_log_queue_lager_event,rabbit_log_federation_lager_event,rabbit_log_upgrade_lager_event]},{lager_log_root,"/var/log/rabbitmq"},{lager_upgrade_file,"/var/log/rabbitmq/rabbit@tmt01-a_upgrade.log"},{lazy_queue_explicit_gc_run_operation_threshold,1000},{log,[{file,[{file,"/var/log/rabbitmq/rab...@tmt01-a.log"}]},{categories,[{upgrade,[{file,"/var/log/rabbitmq/rabbit@tmt01-a_upgrade.log"}]}]}]},{loopback_users,[<<"guest">>]},{memory_monitor_interval,2500},{mirroring_flow_control,true},{mirroring_sync_batch_size,4096},{mnesia_table_loading_retry_limit,10},{mnesia_table_loading_retry_timeout,30000},{msg_store_credit_disc_bound,{4000,800}},{msg_store_file_size_limit,16777216},{msg_store_index_module,rabbit_msg_store_ets_index},{msg_store_io_batch_size,4096},{num_ssl_acceptors,10},{num_tcp_acceptors,10},{password_hashing_module,rabbit_password_hashing_sha256},{plugins_dir,"/usr/lib/rabbitmq/plugins:/usr/lib/rabbitmq/lib/rabbitmq_server-3.7.4/plugins"},{plugins_expand_dir,"/var/lib/rabbitmq/mnesia/rabbit@tmt01-a-plugins-expand"},{proxy_protocol,false},{queue_explicit_gc_run_operation_threshold,1000},{queue_index_embed_msgs_below,4096},{queue_index_max_journal_entries,32768},{reverse_dns_lookups,false},{server_properties,[]},{ssl_allow_poodle_attack,false},{ssl_apps,[asn1,crypto,public_key,ssl]},{ssl_cert_login_from,distinguished_name},{ssl_handshake_timeout,5000},{ssl_listeners,[]},{ssl_options,[]},{tcp_listen_options,[{backlog,128},{nodelay,true},{linger,{true,0}},{exit_on_close,false}]},{tcp_listeners,[5672]},{trace_vhosts,[]},{vhost_restart_strategy,continue},{vm_memory_calculation_strategy,rss},{vm_memory_high_watermark,0.4},{vm_memory_high_watermark_paging_ratio,0.5}]},{rabbit_common,[]},{rabbitmq_management,[{cors_allow_origins,[]},{cors_max_age,1800},{http_log_dir,none},{listener,[{port,15672}]},{load_definitions,none},{management_db_cache_multiplier,5},{process_stats_gc_timeout,300000},{stats_event_max_backlog,250}]},{rabbitmq_management_agent,[{rates_mode,basic},{sample_retention_policies,[{global,[{605,5},{3660,60},{29400,600},{86400,1800}]},{basic,[{605,5},{3600,60}]},{detailed,[{605,5}]}]}]},{rabbitmq_mqtt,[{allow_anonymous,true},{default_user,<<"guest">>},{exchange,<<"amq.topic">>},{num_ssl_acceptors,1},{num_tcp_acceptors,10},{prefetch,10},{proxy_protocol,false},{retained_message_store,rabbit_mqtt_retained_msg_store_dets},{retained_message_store_dets_sync_interval,2000},{ssl_cert_login,false},{ssl_listeners,[]},{subscription_ttl,86400000},{tcp_listen_options,[{backlog,128},{nodelay,true}]},{tcp_listeners,[1883]},{vhost,<<"/">>}]},{rabbitmq_web_dispatch,[]},{ranch,[]},{ranch_proxy_protocol,[{proxy_protocol_timeout,55000},{ssl_accept_opts,[]}]},{recon,[]},{sasl,[{errlog_type,error},{sasl_error_logger,false}]},{ssl,[]},{stdlib,[]},{syntax_tools,[]},{xmerl,[]}]Listing connections ...Listing channels ...Timeout: 60.0 seconds ...Listing queues for vhost / ...task_queue true false [] <rab...@tmt01-a.3.425.0> false 0 0 0 0 0 0 0 00 0 0 0 0 0 0 56160 runningmymqtt_queue true false [] <rab...@tmt01-a.3.428.0> false 0 0 0 0 0 0 0 00 0 0 0 0 0 0 35408 runningListing exchanges for vhost / ...amq.match headers true false false []amq.direct direct true false false []direct true false false []amq.fanout fanout true false false []amq.headers headers true false false []amq.rabbitmq.trace topic true false true []amq.topic topic true false false []Listing bindings for vhost /...exchange mymqtt_queue queue mymqtt_queue []exchange task_queue queue task_queue []amq.topic exchange mymqtt_queue queue []Listing permissions for vhost "/" ...guest .* .* .*mqtt-test .* .* .*root@tmt01-a:~#Regards,Sachin
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
To post to this group, send email to rabbitm...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
To post to this group, send email to rabbitm...@googlegroups.com.
Luke Bakken
Apr 1, 2018, 10:59:52 AM4/1/18
to rabbitmq-users
Hi Sachin,
Please provide the output of the following commands. If there is a large amount of output, redirect it to a file and attach the file instead. Replace PASSWORD with the password you are using for the mqtt-test user. Please note that you should put the password in single quotes in case it has special characters:
rabbitmqctl list_users
rabbitmqctl list_permissions
rabbitmqctl list_topic_permissions
rabbitmqctl list_user_topic_permissions
rabbitmqctl authenticate_user mqtt-test 'PASSWORD'
Thanks,
Luke
Sachin Deshpande
Apr 2, 2018, 4:56:18 AM4/2/18
to rabbitmq-users
Hello Luke,
Please find attached the output of the commands
root@tmt01-a:~#
root@tmt01-a:~# rabbitmqctl list_users
Listing users ...
mqtt-test [administrator]
guest [administrator]
root@tmt01-a:~#
root@tmt01-a:~#
root@tmt01-a:~#
root@tmt01-a:~# rabbitmqctl list_permissions
Listing permissions for vhost "/" ...
guest .* .* .*
mqtt-test .* .* .*
root@tmt01-a:~#
root@tmt01-a:~#
root@tmt01-a:~# rabbitmqctl list_topic_permissions
Listing topic permissions for vhost "/" ...
mqtt-test amq.topic ^mqtt-.* ^mqtt-.*
root@tmt01-a:~#
root@tmt01-a:~#
root@tmt01-a:~#
root@tmt01-a:~# rabbitmqctl list_user_topic_permissions mqtt-test
Listing topic permissions for user "mqtt-test" ...
/ amq.topic ^mqtt-.* ^mqtt-.*
root@tmt01-a:~#
root@tmt01-a:~#
root@tmt01-a:~# rabbitmqctl authenticate_user mqtt-test 'mqtt-test'
Authenticating user "mqtt-test" ...
Success
root@tmt01-a:~#
Regards,
Sachin
Luke Bakken
Apr 2, 2018, 10:00:57 AM4/2/18
to rabbitmq-users
Sachin -
Your topic permissions only allow publishing to topics that begin with the string mqtt-
Therefore, the topic home.garden.fountain is denied permission. As soon as you define one permission, anything that doesn't match is disallowed.
Thanks,
Luke
Sachin Deshpande
Apr 3, 2018, 12:49:55 AM4/3/18
to rabbitm...@googlegroups.com
Hello Luke,
Thanks for the observation. I am able to publish and subscribe now. I am starting the topic name with "mqtt-".
It means that if I don't specify any permissions for the topic then any topic is allowed. Is this correct ?
Thanks and Regards
Sachin
--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-users+unsubscribe@googlegroups.com.
To post to this group, send email to rabbitmq-users@googlegroups.com.
Sachin Deshpande
Apr 3, 2018, 2:41:38 AM4/3/18
to rabbitmq-users
I used the following command to publish to the any topic that user creates by setting the permission for the user
rabbitmqctl set_topic_permissions -p / mqtt-test amq.topic ".*" ".*"
Thanks
Sachin
Arnaud Cogoluègnes
Apr 3, 2018, 3:36:39 AM4/3/18
to rabbitm...@googlegroups.com
Topic permissions are not enforced if there's no topic permission row at all. As soon as you define a topic permission for a given user, this topic permission is enforced and prevent any access that doesn't match it.
To post to this group, send email to rabbitm...@googlegroups.com.
Reply all
Reply to author
Forward
0 new messages