emqx-auth-mongo
ACL validation not working as expected
Environment
- OS: Linux Alpine 3.9.4
- Erlang/OTP:
- EMQ: v3.2.2 (Docker image https://hub.docker.com/r/emqx/emqx)
Description
I am trying to add all the topics the clients can connect to, using only the clientid, and not allowing any other pub/sub that is not included in the mongodb. It doesn't seem to work.
I am managing authentication outside the emqx container, through TLS termination on a proxy container, so I want to use emqx_auth_mongo only for ACL.
What I did: Installed the mongodb helm chart. The service is available internally by the DNS name mydb-mongodb-replicaset-client.
In /opt/emqx/etc/plugins/emqx_auth_mongo.conf, changed to:
- auth.mongo.type = rs
- auth.mongo.rs_set_name = rs0
- auth.mongo.server = mydb-mongodb-replicaset-client:27017
- auth.mongo.acl_query.selector = clientid=%c
In /opt/emqx/etc/acl.conf:
- Removed the last ACL: {allow, all}.
In /opt/emqx/etc/emqx.conf, changed to:
- acl_nomatch = deny
In mongodb added:
- db.mqtt_acl.insert({clientid: "my_clientid", pubsub: ["some_topic/#"]})
Then with an MQTT client I connect to the broker with client id "another_clientid" and I can subscribe to the topic:
2019-09-11 13:20:41.741 [debug] 10.1.34.0:41306 [Channel] RECV <<16,28,0,4,77,81,84,84,4,2,0,60,0,16,97,110,111,116,104,101,114,95,99,108,105,101,110,116,105,100>>
([email protected])1> 2019-09-11 13:20:41.742 [debug] 10.1.34.0:41306 [Protocol] RECV CONNECT(Q0, R0, D0, ClientId=another_clientid, ProtoName=MQTT, ProtoVsn=4, CleanStart=true, KeepAlive=60, Username=undefined, Password=undefined)
([email protected])1> 2019-09-11 13:20:41.746 [debug] [email protected]:41306 [RuleEngine] Client(another_clientid) connected, connack: 0
([email protected])1> 2019-09-11 13:20:41.746 [debug] [email protected]:41306 [Protocol] SEND CONNACK(Q0, R0, D0, AckFlags=0, ReasonCode=0)
([email protected])1> 2019-09-11 13:20:46.101 [debug] [email protected]:41306 [Channel] RECV <<130,9,0,1,0,4,98,98,47,35,0>>
([email protected])1> 2019-09-11 13:20:46.101 [debug] [email protected]:41306 [Protocol] RECV SUBSCRIBE(Q1, R0, D0, PacketId=1, TopicFilters=[{<<"some_topic/#">>,#{nl => 0,qos => 0,rap => 0,rc => 0,rh => 0}}])
([email protected])1> 2019-09-11 13:20:46.103 [debug] [email protected]:41306 [RuleEngine] Client(another_clientid) will subscribe: [{<<"some_topic/#">>,#{nl => 0,qos => 0,rap => 0,rc => 0,rh => 0}}]
([email protected])1> 2019-09-11 13:20:46.104 [debug] [email protected]:41306 [Protocol] SEND SUBACK(Q0, R0, D0, PacketId=1, ReasonCodes=[0])
([email protected])1> 2019-09-11 13:20:59.009 [warning] [Alarm Handler] New Alarm: cpu_high_watermark, Alarm Info: 100.0
([email protected])1> 2019-09-11 13:21:39.861 [debug] [email protected]:41306 [Channel] RECV <<224,0>>
([email protected])1> 2019-09-11 13:21:39.861 [debug] [email protected]:41306 [Protocol] RECV DISCONNECT(Q0, R0, D0, ReasonCode=0)
([email protected])1> 2019-09-11 13:21:39.862 [debug] [email protected]:41306 [Channel] Terminated for normal
([email protected])1> 2019-09-11 13:21:39.862 [info] [email protected]:41306 [Protocol] Shutdown for normal
([email protected])1> 2019-09-11 13:21:39.862 [debug] [email protected]:41306 [RuleEngine] Client(another_clientid) disconnected, reason_code: normal
I also tried with the "my_clientid" id and it also subscribed.
What am I missing?
Thanks very much for your help!
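Added example, not code from the original post or from the emqx_auth_mongo plugin: a small Python model of the ACL decision the poster is configuring, so the expected allow/deny outcome for each client and topic in the post can be checked offline. It looks up ACL documents by clientid (the selector clientid=%c), allows an action only if the topic matches one of the listed MQTT topic filters, and otherwise applies acl_nomatch. The document shape (clientid plus a pubsub list) is taken from the insert in the post; the separate publish/subscribe lists and the nomatch fallback are assumptions about the policy, and the sample ACL data is constructed here. It says nothing about whether the plugin was actually loaded in the broker, which the posted logs do not show.

```python
"""Reference model of the intended ACL policy from the post (added example,
not EMQ X or emqx_auth_mongo code)."""


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT 3.1.1 topic-filter matching: '+' matches one level, '#' matches
    the remaining levels (including none) and must be the last level.
    Filters starting with a wildcard do not match '$'-prefixed topics."""
    if topic.startswith("$") and topic_filter[:1] in ("+", "#"):
        return False
    f_parts = topic_filter.split("/")
    t_parts = topic.split("/")
    for i, part in enumerate(f_parts):
        if part == "#":
            return i == len(f_parts) - 1
        if i >= len(t_parts):
            return False
        if part != "+" and part != t_parts[i]:
            return False
    return len(f_parts) == len(t_parts)


# Constructed sample of the mqtt_acl collection, matching the insert in the post.
ACL_DOCS = [
    {"clientid": "my_clientid", "pubsub": ["some_topic/#"]},
]


def acl_allowed(docs, clientid: str, access: str, topic: str,
                nomatch: str = "deny") -> bool:
    """Decide whether `clientid` may `access` ('publish' or 'subscribe')
    `topic`. Documents are selected by clientid (selector clientid=%c, an
    assumption matching the post's config); a match on the access-specific
    list or the shared 'pubsub' list allows, anything else falls back to
    acl_nomatch."""
    if access not in ("publish", "subscribe"):
        raise ValueError("access must be 'publish' or 'subscribe'")
    for doc in docs:
        if doc.get("clientid") != clientid:
            continue
        filters = list(doc.get(access, [])) + list(doc.get("pubsub", []))
        if any(topic_matches(f, topic) for f in filters):
            return True
    # No document or no matching filter: acl_nomatch decides.
    return nomatch == "allow"


if __name__ == "__main__":
    # The two cases from the post, with acl_nomatch = deny.
    for cid in ("another_clientid", "my_clientid"):
        ok = acl_allowed(ACL_DOCS, cid, "subscribe", "some_topic/#")
        print(f"{cid} subscribe some_topic/#: {'allow' if ok else 'deny'}")
```

With acl_nomatch = deny, the model denies "another_clientid" (no document) and allows "my_clientid" for "some_topic/#"; it also denies "my_clientid" on topics outside that filter, which is the behaviour the post describes as intended.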