
[dynsec] mosquitto duplicates entries (clients/roles/...) from dynamic-security.json

Open AnotherCodeArtist opened this issue 2 years ago • 2 comments

I'm using docker image eclipse-mosquitto:2.0.14-openssl, which should be pretty recent; nevertheless, I get the following result:

Although entries in the dynamic-security.json are unique, mosquitto_ctrl returns duplicates for each entry, like:

> mosquitto_ctrl -u cedalo  dynsec listRoles
cedalo
cedalo
kafka
kafka
sensor1
sensor1
streamsheets
streamsheets
telegraf
telegraf

Which means that these entries are also shown in the management center:

[image]

There's a similar issue (#2470) reporting that entries in the config file also get duplicated. This, however, seems to be fixed in 2.0.14 (at least it did not happen in the last 15 minutes in my installation).

AnotherCodeArtist, Jul 27 '22 13:07

I've tried to duplicate this but haven't had any luck so far. Do you have any hints on anything I might be missing?

ralight, Aug 05 '22 23:08

I've deployed eclipse-mosquitto:2.0.14-openssl along with a self-crafted version of cedalo management center image (since the official one is not current) as separate pods in kubernetes. In the mosquitto pod, paths /mosquitto/data and /mosquitto/config are bound to a persistent volume. The config file (mosquitto.conf) is:

listener 1883

persistence true
persistence_location /mosquitto/data/

plugin /usr/lib/mosquitto_dynamic_security.so
plugin_opt_config_file /mosquitto/data/dynamic-security.json




# MQTT over TLS/SSL
listener 8883
protocol mqtt
require_certificate false
#cafile C:\Dati\mosquitto\ca.crt
certfile /certs/tls.crt
keyfile /certs/tls.key
plugin /usr/lib/mosquitto_dynamic_security.so
plugin_opt_config_file /mosquitto/data/dynamic-security.json

The /mosquitto/data therefore also holds a file called mosquitto.db. Could it be that this database also contains (outdated?) client and role information since this file survived the replacement of the container image? Or is there some other place where a cached security configuration could be found?

AnotherCodeArtist, Aug 09 '22 10:08

Thank you, that was very helpful. The problem is down to the duplicate loading of the dynamic security plugin. It is currently only possible for a plugin that uses $CONTROL messages, such as dynsec, to be loaded once, but the dynsec plugin wasn't catching that error.

In your case, just remove the duplicate plugin entries and it will be fixed. I'll get the code fixed.

ralight, Aug 16 '22 00:08

For the 2.0.15 release duplicate plugins are disabled. For 2.1.0 I'll try to think of a different solution.

ralight, Aug 16 '22 00:08
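
Added example (not part of the thread and not Mosquitto project code): a small Python check that flags any plugin loaded more than once in a mosquitto.conf, which is the misconfiguration identified above as the cause of the duplicated dynsec entries. The sample config is condensed from the one posted in the thread; the function name `find_duplicate_plugins` is hypothetical, and files pulled in through `include_dir` are not followed.

```python
import posixpath
import sys
from collections import defaultdict

# Constructed sample: condensed from the mosquitto.conf posted in the thread.
SAMPLE_CONF = """\
listener 1883

persistence true
persistence_location /mosquitto/data/

plugin /usr/lib/mosquitto_dynamic_security.so
plugin_opt_config_file /mosquitto/data/dynamic-security.json

# MQTT over TLS/SSL
listener 8883
protocol mqtt
require_certificate false
certfile /certs/tls.crt
keyfile /certs/tls.key
plugin /usr/lib/mosquitto_dynamic_security.so
plugin_opt_config_file /mosquitto/data/dynamic-security.json
"""

# "auth_plugin" is the older spelling of the "plugin" directive.
PLUGIN_KEYS = {"plugin", "auth_plugin"}

def find_duplicate_plugins(conf_text):
    """Map each plugin path loaded more than once to [(line_no, listener_port), ...]."""
    loads = defaultdict(list)
    listener = None  # None means the directive appears before any listener line
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or directive without a value
        key, value = parts[0], parts[1].strip()
        if key == "listener":
            listener = value.split()[0]
        elif key in PLUGIN_KEYS:
            loads[posixpath.normpath(value)].append((line_no, listener))
    return {path: where for path, where in loads.items() if len(where) > 1}

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    dupes = find_duplicate_plugins(text)
    for path, where in dupes.items():
        print(f"{path} loaded {len(where)} times: {where}")
    sys.exit(1 if dupes else 0)
```

Run with a config path as the only argument; the non-zero exit status on a duplicate makes it usable as a pre-deployment check for the broker image or ConfigMap.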