Topic Grant-Permission Operation caused MQTT Clients Disconnected

Open letsopen opened this issue 3 years ago • 0 comments

Describe the bug

The topic grant-permission operation caused all devices subscribed to topics in the same namespace to lose connection. For example:

  • test-user-a is connected and subscribes to persistent://test-tenant/ns/test-topic-a
  • test-user-b is connected and subscribes to persistent://test-tenant/ns/test-topic-b

If I execute topic grant-permission to any role with any topic in the same namespace, all MQTT clients will be disconnected instantly.

  • It shows the same result no matter whether I execute it via pulsar-cli, pulsar-restful-api or pulsar-java-api.
  • If the topic grant-permission operation executes in another namespace, clients will not be disconnected.
  • If clients connect to the Pulsar broker directly without MoP, clients will not be disconnected.

To Reproduce

Steps to reproduce the behavior:

  1. prepare and start a Pulsar Server with mop plugin in standalone or single cluster mode. (following steps are in standalone mode) (Pulsar version 2.10.1, MOP version 2.10.1.7)
  2. config standalone.conf (see next part)
  3. create a tenant called "test-tenant"
  4. create a namespace called "test-tenant/ns"
  5. create 2 topics, called "persistent://test-tenant/ns/test-topic-a" and "persistent://test-tenant/ns/test-topic-b"
  6. create 2 subjects called "test-user-a" and "test-user-b"
  7. grant consume permissions for subjects:
     bin/pulsar-admin --auth-plugin xxx --auth-params token:xxx --admin-url xxx topics grant-permission persistent://test-tenant/ns/test-topic-a --role test-user-a --actions consume
     bin/pulsar-admin --auth-plugin xxx --auth-params token:xxx --admin-url xxx topics grant-permission persistent://test-tenant/ns/test-topic-b --role test-user-b --actions consume
  8. Start an MQTT client like mqtt-spy on my desktop
  9. login "test-user-a" and let it subscribe to topic "persistent://test-tenant/ns/test-topic-a"
  10. login "test-user-b" and let it subscribe to topic "persistent://test-tenant/ns/test-topic-b"
  11. let's execute this command again:
     bin/pulsar-admin --auth-plugin xxx --auth-params token:xxx --admin-url xxx topics grant-permission persistent://test-tenant/ns/test-topic-a --role test-user-a --actions consume
  12. see mqtt-spy, the 2 clients are disconnected.

standalone.conf modified params

clusterName=standalone
proxyRoles=proxy
authenticateOriginalAuthData=false
authenticationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderToken
authorizationEnabled=true
authorizationProvider=org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider
superUserRoles=admin,proxy
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationToken
brokerClientAuthenticationParameters=token:xxxx
messagingProtocols=mqtt
protocolHandlerDirectory=./protocols
mqttListeners=mqtt://xxxx:1883
advertisedAddress=xxxx
mqttProxyEnabled=true
mqttProxyPort=5682
mqttAuthenticationEnabled=true
mqttAuthenticationMethods=token
mqttAuthorizationEnabled=true

Expected behavior

When I grant permission for a topic to a role, connections under the same namespace will not be disconnected.

Desktop (please complete the following information):

  • Server OS: CentOS 7.9.2009
  • MQTT Client OS: Windows 10

letsopen, Aug 27 '22 07:08