ACL not working.

47 views
Skip to first unread message

Luca Bardon

unread,
Dec 9, 2021, 3:51:14 AM12/9/21
to vernemq-users
Hello everyone,
I'm trying to use ACL for limit user to subscribe / publish some topics.
At the moment my VerneMQ brooker has this topics

Topic.PNG


My ACL is dona like the following:

1. user subscriber
2. topic #
3. user publisher.
4. topic #
5. user UtenteLettura
6. topic #

after this I want only last user to subscribe to a topic called device so I write this

1. user subscriber
2. topic #
3. user publisher
4. topic #
5. user UtenteLettura
6. topic read device
7. topic write meteo

(I've inserted line number before every line).
Doing like this the user UtenteLettura no more see any topics, I'm wondering where I'm doing wrong, can someone help me?
Thanks in advance
Luca


André Fatton

unread,
Dec 9, 2021, 4:07:22 AM12/9/21
to vernemq-users
Hi Luca,

make sure to add a line for anonymous users at the beginning, just to protect your other topics. Even if it is just a line like "topic notusedtopic".
Also make sure there are no double whitespaces and that there's a newline at the end of the ACL file.

Lastly, check that automatically reloading the ACL file is enabled in the vernemq.conf:
vmq_acl.acl_reload_interval = 10

Hope this helps,
Cheers,
André

Luca Bardon

unread,
Dec 9, 2021, 4:29:26 AM12/9/21
to vernemq-users
Hi André,
thanks for you reply. Something is still not working even following your suggestion
I've modified the acl file like this

1. topic read NoTopic
2. user subscriber
3. topic #
4. user publisher
5. topic #
6. user UtenteLettura
7. topic read device
8.

I've launched a trace for the user if it may help and this is the result

2021-12-09T09:23:18Z Starting trace for 1 existing sessions for client "mqtt-explorer-4dd829b6" with PIDs [<8597.611.0>]
2021-12-09T09:23:25Z <8597.611.0> Trace session for mqtt-explorer-4dd829b6 stopped
2021-12-09T09:23:26Z New session with PID <8597.626.0> found for client "mqtt-explorer-4dd829b6"
2021-12-09T09:23:26Z <8597.626.0> MQTT RECV: CID: "mqtt-explorer-4dd829b6" CONNECT(c: mqtt-explorer-4dd829b6, v: 4, u: UtenteLettura, p: Prova, cs: 1, ka: 60) 2021-12-09T09:23:26Z <8597.626.0> Calling  auth_on_register({{192,168,x,x},56222},{[], <<"mqtt-explorer-4dd829b6">>},UtenteLettura,Prova,true)
2021-12-09T09:23:26Z <8597.626.0> Hook returned "ok"
2021-12-09T09:23:26Z <8597.626.0> MQTT SEND: CID: "mqtt-explorer-4dd829b6" CONNACK(sp: 0, rc: 0)
2021-12-09T09:23:26Z <8597.626.0> MQTT RECV: CID: "mqtt-explorer-4dd829b6" SUBSCRIBE(m23927) with topics: q:0, t: "#"
2021-12-09T09:23:26Z <8597.626.0> Calling auth_on_subscribe(UtenteLettura,{[],<<"mqtt-explorer-4dd829b6">>}) with topics: q:0, t: "#"
2021-12-09T09:23:26Z <8597.626.0> Hook returned {error,plugin_chain_exhausted}
2021-12-09T09:23:26Z <8597.626.0> MQTT RECV: CID: "mqtt-explorer-4dd829b6" SUBSCRIBE(m23928) with topics: q:0, t: "$SYS/#" 2021-12-09T09:23:26Z <8597.626.0> Calling auth_on_subscribe(UtenteLettura,{[], <<"mqtt-explorer-4dd829b6">>}) with topics: q:0, t: "$SYS/#"
2021-12-09T09:23:26Z <8597.626.0> Hook returned {error,plugin_chain_exhausted}
2021-12-09T09:23:26Z <8597.626.0> MQTT SEND: CID: "mqtt-explorer-4dd829b6" SUBACK(m23928, qt[not_allowed])
2021-12-09T09:23:26Z <8597.626.0> MQTT SEND: CID: "mqtt-explorer-4dd829b6" SUBACK(m23927, qt[not_allowed])


Thanks again for help
Luca

André Fatton

unread,
Dec 9, 2021, 5:01:14 AM12/9/21
to vernemq-users
The trace shows that you try to subscribe to # and $SYS/# but you haven't configured the ACLs for this.
Best,
A.

Luca Bardon

unread,
Dec 9, 2021, 6:07:52 AM12/9/21
to vernemq-users
Hi André, thanks for the answer. I was new to MQTT so I'm learning as fast as I can. The problem was an "hidden" submenu where there as all the topics.
I've got to ask for the correct topic to subscribe (for example meteo/#) now it works and I can display data.

Topic.PNG

the ACL file is made like this

1. topic read NoTopic
2. user subscriber
3. topic #
4. user publisher
5. topic #
6. user UtenteLettura
7. topic read device
8. topic read meteo
9.

now, just a couple of questions abount ACL.
1) When I setup a new connection do I have to ask for a specific topic (like meteo/#), is it correct?
2) If I try to read the root topic (#) it doesn't works (in my case user subscriber and publisher works but not for UtenteLettura), is this correct?
3) with the command wmq-admin trace client client-id=xxxxx is there a way to  postpone the disconnection timeout ?

Thanks for this help.
Luca

André Fatton

unread,
Dec 10, 2021, 9:12:50 AM12/10/21
to vernemq-users
Hi,

1) When I setup a new connection do I have to ask for a specific topic (like meteo/#), is it correct?
No. You communicate with the broker issuing MQTT frames. CONNECT is different than SUBSCRIBE. You can connect to a broker, and subsequently subscribe to a topic, or not. Don't let tools like mosquitto_sub confuse you in that regard, they just do both steps in one go.
Let me know when I seem to misunderstand your question.

2) If I try to read the root topic (#) it doesn't works (in my case user subscriber and publisher works but not for UtenteLettura), is this correct?
Yes
3) with the command wmq-admin trace client client-id=xxxxx is there a way to  postpone the disconnection timeout ?
I'm unclear what you are asking. The trace waits until a session comes up, so you can start the trace before connecting that ClientID.
 
Best,
André
Reply all
Reply to author
Forward
0 new messages