ACL not working.


Luca Bardon

Dec 9, 2021, 3:51:14 AM
to vernemq-users
Hello everyone,
I'm trying to use an ACL to limit which topics a user can subscribe to / publish on.
At the moment my VerneMQ broker has these topics:

[screenshot attached: Topic.PNG]


My ACL is done like the following:

1. user subscriber
2. topic #
3. user publisher.
4. topic #
5. user UtenteLettura
6. topic #

After this I want only the last user to subscribe to a topic called device, so I write this:

1. user subscriber
2. topic #
3. user publisher
4. topic #
5. user UtenteLettura
6. topic read device
7. topic write meteo

(I've inserted a line number before every line.)
Doing it like this, the user UtenteLettura no longer sees any topics. I'm wondering where I'm going wrong; can someone help me?
Thanks in advance
Luca


André Fatton

Dec 9, 2021, 4:07:22 AM
to vernemq-users
Hi Luca,

Make sure to add a line for anonymous users at the beginning, just to protect your other topics, even if it is just a line like "topic notusedtopic".
Also make sure there are no double whitespaces and that there's a newline at the end of the ACL file.

Lastly, check that automatically reloading the ACL file is enabled in the vernemq.conf:
vmq_acl.acl_reload_interval = 10

Hope this helps,
Cheers,
André

Luca Bardon

Dec 9, 2021, 4:29:26 AM
to vernemq-users
Hi André,
thanks for your reply. Something is still not working even after following your suggestion.
I've modified the ACL file like this:

1. topic read NoTopic
2. user subscriber
3. topic #
4. user publisher
5. topic #
6. user UtenteLettura
7. topic read device
8.

I've launched a trace for the user, in case it helps, and this is the result:

2021-12-09T09:23:18Z Starting trace for 1 existing sessions for client "mqtt-explorer-4dd829b6" with PIDs [<8597.611.0>]
2021-12-09T09:23:25Z <8597.611.0> Trace session for mqtt-explorer-4dd829b6 stopped
2021-12-09T09:23:26Z New session with PID <8597.626.0> found for client "mqtt-explorer-4dd829b6"
2021-12-09T09:23:26Z <8597.626.0> MQTT RECV: CID: "mqtt-explorer-4dd829b6" CONNECT(c: mqtt-explorer-4dd829b6, v: 4, u: UtenteLettura, p: Prova, cs: 1, ka: 60)
2021-12-09T09:23:26Z <8597.626.0> Calling  auth_on_register({{192,168,x,x},56222},{[], <<"mqtt-explorer-4dd829b6">>},UtenteLettura,Prova,true)
2021-12-09T09:23:26Z <8597.626.0> Hook returned "ok"
2021-12-09T09:23:26Z <8597.626.0> MQTT SEND: CID: "mqtt-explorer-4dd829b6" CONNACK(sp: 0, rc: 0)
2021-12-09T09:23:26Z <8597.626.0> MQTT RECV: CID: "mqtt-explorer-4dd829b6" SUBSCRIBE(m23927) with topics: q:0, t: "#"
2021-12-09T09:23:26Z <8597.626.0> Calling auth_on_subscribe(UtenteLettura,{[],<<"mqtt-explorer-4dd829b6">>}) with topics: q:0, t: "#"
2021-12-09T09:23:26Z <8597.626.0> Hook returned {error,plugin_chain_exhausted}
2021-12-09T09:23:26Z <8597.626.0> MQTT RECV: CID: "mqtt-explorer-4dd829b6" SUBSCRIBE(m23928) with topics: q:0, t: "$SYS/#"
2021-12-09T09:23:26Z <8597.626.0> Calling auth_on_subscribe(UtenteLettura,{[], <<"mqtt-explorer-4dd829b6">>}) with topics: q:0, t: "$SYS/#"
2021-12-09T09:23:26Z <8597.626.0> Hook returned {error,plugin_chain_exhausted}
2021-12-09T09:23:26Z <8597.626.0> MQTT SEND: CID: "mqtt-explorer-4dd829b6" SUBACK(m23928, qt[not_allowed])
2021-12-09T09:23:26Z <8597.626.0> MQTT SEND: CID: "mqtt-explorer-4dd829b6" SUBACK(m23927, qt[not_allowed])


Thanks again for the help.
Luca

André Fatton

Dec 9, 2021, 5:01:14 AM
to vernemq-users
The trace shows that you try to subscribe to # and $SYS/# but you haven't configured the ACLs for this.
Best,
A.

Luca Bardon

Dec 9, 2021, 6:07:52 AM
to vernemq-users
Hi André, thanks for the answer. I'm new to MQTT, so I'm learning as fast as I can. The problem was a "hidden" submenu where all the topics were.
I have to ask for the correct topic to subscribe to (for example meteo/#); now it works and I can display data.

[screenshot attached: Topic.PNG]

The ACL file now looks like this:

1. topic read NoTopic
2. user subscriber
3. topic #
4. user publisher
5. topic #
6. user UtenteLettura
7. topic read device
8. topic read meteo
9.

Now, just a couple of questions about ACLs.
1) When I set up a new connection, do I have to ask for a specific topic (like meteo/#); is that correct?
2) If I try to read the root topic (#) it doesn't work (in my case it works for the users subscriber and publisher but not for UtenteLettura); is this correct?
3) With the command vmq-admin trace client client-id=xxxxx, is there a way to postpone the disconnection timeout?

Thanks for this help.
Luca

André Fatton

Dec 10, 2021, 9:12:50 AM
to vernemq-users
Hi,

1) When I set up a new connection, do I have to ask for a specific topic (like meteo/#); is that correct?
No. You communicate with the broker by issuing MQTT frames. CONNECT is different from SUBSCRIBE. You can connect to a broker, and subsequently subscribe to a topic, or not. Don't let tools like mosquitto_sub confuse you in that regard; they just do both steps in one go.
Let me know if I seem to have misunderstood your question.

2) If I try to read the root topic (#) it doesn't work (in my case it works for the users subscriber and publisher but not for UtenteLettura); is this correct?
Yes.
3) With the command vmq-admin trace client client-id=xxxxx, is there a way to postpone the disconnection timeout?
I'm unclear what you are asking. The trace waits until a session comes up, so you can start the trace before connecting that ClientID.
Best,
André
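A small checker, added here as an example and not VerneMQ's own code, that lints an ACL file for the pitfalls André lists (double whitespace, missing trailing newline) and evaluates requests such as UtenteLettura subscribing to "#" against the thread's final ACL. It assumes MQTT wildcard rules for topic matching and that only a user's own section applies (user None = the anonymous lines at the top); vmq_acl itself may differ in details.

```python
from itertools import zip_longest

# Constructed sample: the final ACL from the thread, line numbers stripped, trailing newline added.
ACL_TEXT = "\n".join([
    "topic read NoTopic", "user subscriber", "topic #", "user publisher",
    "topic #", "user UtenteLettura", "topic read device", "topic read meteo",
]) + "\n"

def lint_acl(text):
    """Report the two file-level pitfalls named in the thread."""
    problems = []
    if not text.endswith("\n"):
        problems.append("file does not end with a newline")
    for n, line in enumerate(text.splitlines(), 1):
        if "  " in line.strip():
            problems.append(f"line {n}: double whitespace")
    return problems

def parse_acl(text):
    """Map user -> [(action, filter)]; key None = lines before the first 'user'."""
    acl, user = {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 2:
            continue
        if parts[0] == "user":
            user = parts[1]
        elif parts[0] == "topic":
            rules = acl.setdefault(user, [])
            if parts[1] in ("read", "write") and len(parts) > 2:
                rules.append((parts[1], parts[2]))
            else:  # bare 'topic X' grants both read and write
                rules += [("read", parts[1]), ("write", parts[1])]
    return acl

def filter_covers(acl_filter, requested):
    """True if the ACL filter covers the requested topic or subscription filter."""
    for f, t in zip_longest(acl_filter.split("/"), requested.split("/")):
        if f == "#":  # multi-level wildcard in the ACL covers everything below
            return True
        if f is None or t is None or t == "#":  # '#' in a request needs '#' in the ACL
            return False
        if f != "+" and (t == "+" or f != t):  # '+' covers one literal level or '+'
            return False
    return True

def is_allowed(acl, user, action, requested):
    """Assumption: only the user's own entries apply (user None = anonymous)."""
    return any(a == action and filter_covers(f, requested)
               for a, f in acl.get(user, []))
```

With this ACL, is_allowed(parse_acl(ACL_TEXT), "UtenteLettura", "read", "#") is False while the same request for "subscriber" is True, which is the behaviour the trace and André's "Yes" describe.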