emqx-auth-http
401 status still lets the client pub/sub
In v2.3 for ACL, I am returning 401, but the client is still able to pub/sub.
Is this fixed? I am getting the same issue for v3.
@zsafder Have you turned off anonymous access in emqx.conf? allow_anonymous = false is required if you want the server to deny access to users who are not authenticated.
Yes, allow_anonymous is false. Below is my docker run command. Kindly let me know what I am missing here.
docker run -d --name emqx -p 18083:18083 -p 1883:1883 \
-e EMQX_LOADED_PLUGINS="emqx_recon,emqx_retainer,emqx_management,emqx_dashboard,emqx_rule_engine,emqx_auth_http" \
-e EMQX_ZONE__INTERNAL__ENABLE_ACL=on \
-e EMQX_ZONE__INTERNAL__ALLOW_ANONYMOUS=false \
-e EMQX_ACL_CACHE_TTL=5m \
-e EMQX_AUTH__HTTP__AUTH_REQ="http://host.docker.internal:3000/emqx/auth" \
-e EMQX_AUTH__HTTP__AUTH_REQ__METHOD=get \
-e EMQX_AUTH__HTTP__AUTH_REQ__PARAMS="client_id=%c,username=%u,password=%P" \
-e EMQX_AUTH__HTTP__SUPER_REQ="http://host.docker.internal:3000/emqx/superuser" \
-e EMQX_AUTH__HTTP__SUPER_REQ__METHOD=get \
-e EMQX_AUTH__HTTP__SUPER_REQ__PARAMS="client_id=%c,username=%u,password=%P" \
-e EMQX_AUTH__HTTP__ACL_REQ="http://host.docker.internal:3000/emqx/acl" \
-e EMQX_AUTH__HTTP__ACL_REQ__METHOD=get \
-e EMQX_AUTH__HTTP__ACL_REQ__PARAMS="access=%A,username=%u,client_id=%c,ip_addr=%a,topic=%t" \
emqx/emqx:latest
@tigercl waiting for your help, I am stuck there.
Hi @zsafder can you give me the precise version used? Is it v3.2.3?
I have the same problem! Actually, I also checked the logs from my HTTP server and it never calls the ACL API!
@tigercl it is 3.2.7
What I have observed now: the client is able to publish a message and the subscribe call returns true from the EMQX cluster, but there is no topic created in the case of a 403 response. The solution we would like to achieve is that the client should not be able to publish/subscribe to the cluster.
Ideally, I would like to send 403 code to client pub/sub requests. Can I do that? Or will denial be silent to clients? Currently, clients are not able to pub/sub, but they are getting a 200 response.
Ideally, I would like to send 403 code to client pub/sub requests. Can I do that?
Yes, you can. The emqx_auth_http will deny a PUB/SUB request if the response code is not 200:
https://github.com/emqx/emqx-auth-http/blob/20660dec968df890aaef961013d8ffd3a74d7c2a/src/emqx_acl_http.erl#L57-L65
Thanks @tigercl and @HJianBo. It worked :)
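Added example (not part of the original thread and not the emqx-auth-http project's code): a minimal HTTP backend for the three callback URLs in the docker command above, answering 200 only for an explicit allow so that every other case is denied by the plugin. The names `decide`, `USERS` and `ACL`, the sample user and the topics are constructed, and it assumes `%A` is sent as 1 for subscribe and 2 for publish.

```python
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs

# Constructed sample data (assumption): one user and its per-action allow-list.
USERS = {"sensor1": "s3cret"}
ACL = {"sensor1": {"2": ["sensors/sensor1/data"],   # access=2 -> publish (assumed)
                   "1": ["sensors/sensor1/cmd"]}}   # access=1 -> subscribe (assumed)

def decide(url):
    """Return the HTTP status for one EMQX callback; only 200 means allow."""
    parsed = urlparse(url)
    # parse_qs drops blank values, so a missing or empty field reads as absent.
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    user = q.get("username", "")
    if parsed.path == "/emqx/auth":
        supplied = q.get("password", "").encode()
        # Constant-time comparison; unknown users are rejected before it runs.
        ok = user in USERS and hmac.compare_digest(supplied, USERS[user].encode())
        return 200 if ok else 401
    if parsed.path == "/emqx/superuser":
        return 401  # never 200 here: a superuser is not subject to the ACL check
    if parsed.path == "/emqx/acl":
        allowed = ACL.get(user, {}).get(q.get("access", ""), [])
        return 200 if q.get("topic") in allowed else 403
    return 404  # unknown path: still non-200, so still a deny

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(decide(self.path))
        self.end_headers()

if __name__ == "__main__":
    # Port 3000 matches the callback URLs in the docker command above.
    HTTPServer(("0.0.0.0", 3000), Handler).serve_forever()
```

With `EMQX_ACL_CACHE_TTL=5m` as in the command above, a changed ACL answer can take up to five minutes to take effect for a connected client. The `get` method also puts the password in the request URL, where the backend's access logs will record it.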