
ACL can exclusively be done through HTTP if HTTP auth is enabled

Open pl-kabaradjian opened this issue 1 year ago • 0 comments

Hello,

I am not sure this qualifies as a bug, but at least it would be nice to clarify the behaviour. I tried to dig in the docs and GitHub but I have not found anything about this.

Describe the bug

As soon as I enable authentication of clients through HTTP, ACL can exclusively be done through HTTP as well. nanomq_acl.conf and other params about ACL are ignored.

Expected behavior

What I expected is that if I comment out the ACL part of the HTTP auth and define the following conf:

  • no_match = allow
  • deny_action = ignore
  • {"permit": "allow"} in the ACL rules

This should not try to perform the ACL query through HTTP, and should allow publish and subscribe to any topic.

Actual Behavior

The actual behaviour is that I can connect fine to the broker, but as soon as I publish or subscribe I get disconnected. In the logs I get either:

handle_pub: Auth failed! publish packet!

OR

sub_ctx_handle: topic: [#] HTTP AUTH fail, set SUBACK reason_code: [135]

To Reproduce

Start the broker with the following auth conf:

auth {
	allow_anonymous = false  # Allow clients to connect without providing username/password
	no_match = allow         # Default action if no ACL rules match
	deny_action = ignore     # Action to take if an ACL check rejects an operation

	cache = {
		max_size = 32        # Maximum number of ACL entries to cache for a client
		ttl = 1m             # Time after which an ACL cache entry will be deleted
	}

	acl = {include "./nanomq_acl.conf"}  # Path to the ACL configuration file

	http_auth = {
		auth_req {
			url = "http://127.0.0.1:8000/api/login"    # HTTP URL API path for Auth Request
			method = "POST"                            # HTTP Request Method for Auth Request
			headers.content-type = "application/json"  # HTTP Request Headers for Auth Request
			params = {login = "%u", password = "%P"}   # Parameters to construct request body
		}

		timeout = 5s          # Time-out time for the request
		connect_timeout = 5s  # Connection time-out time
		pool_size = 4         # Connection process pool size
	}
}

And inside nanomq_acl.conf:

rules = [
	{"permit": "allow"}
]

Environment Details

  • NanoMQ version 0.21.10
  • Ubuntu 22.04

Client SDK

I am using MQTT Explorer 0.4.0

Cheers!

pl-kabaradjian, Jun 05 '24 12:06
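
For reproducing the setup above, a minimal stand-in for the backend at http://127.0.0.1:8000/api/login that also records every other request the broker sends, so any ACL lookup arriving over HTTP becomes visible. This is an added example, not part of the original issue or of NanoMQ's code; the credentials are constructed, and it assumes the broker treats HTTP 200 as allow and any other status as deny.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed test credentials (not from the issue).
USERS = {"demo": "demo-password"}
SEEN = []  # (method, path) of every request received from the broker


def check_login(raw_body: bytes) -> int:
    """Return the HTTP status for an auth_req body {"login": ..., "password": ...}."""
    try:
        data = json.loads(raw_body or b"{}")
    except ValueError:  # malformed JSON or invalid UTF-8
        return 400
    if not isinstance(data, dict):
        return 400
    login, password = data.get("login"), data.get("password")
    if not isinstance(login, str) or not isinstance(password, str):
        return 400
    expected = USERS.get(login)
    # compare_digest keeps the comparison time independent of the match position
    if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
        return 200
    return 401


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length)
        SEEN.append(("POST", self.path))
        # Only the login path from the config is implemented. Any other path
        # (for example an ACL query) is recorded and answered with 404, so it
        # shows up in SEEN and in the default request log on stderr.
        status = check_login(body) if self.path == "/api/login" else 404
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()


def make_server(port=8000):
    # Bind to loopback only, matching the url in the auth_req block.
    return ThreadingHTTPServer(("127.0.0.1", port), Handler)


if __name__ == "__main__":
    make_server().serve_forever()
```

Run it before starting the broker, connect with the constructed credentials, then publish or subscribe and watch which paths are requested.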