Dynamic Security Plugin - ACL for subscribe not working? #2549

Closed
lucasgcbkhomp opened this issue May 26, 2022 · 3 comments

Comments

lucasgcbkhomp commented May 26, 2022

I'm using mosquitto 2.0.14 and I have the following role for a sensor topic created with the dynamic security plugin:

{
    "rolename": "sensorrole",
    "acls": [
        {
            "acltype": "publishClientSend",
            "topic": "sensor",
            "priority": 5,
            "allow": true
        },
        {
            "acltype": "publishClientReceive",
            "topic": "sensor",
            "priority": 5,
            "allow": true
        },
        {
            "acltype": "subscribePattern",
            "topic": "sensor",
            "priority": 5,
            "allow": true
        },
        {
            "acltype": "subscribeLiteral",
            "topic": "sensor",
            "priority": 5,
            "allow": true
        }
    ]
}

This sensorrole allows a user to publish anything to the sensor topic; I can see the messages with my admin user. I'd like to have users with this role also be able to read from a restricted topic.

However, the publishClientReceive and subscribePattern rules seem to not have any effect for users with the sensorrole role, as I cannot see any of the published messages in the broker from their perspective.

If in the subscribeLiteral ACL I change the topic to "topic": "#", users with the role will be able to see every client topic, which is unwanted.

What am I doing wrong? Thanks

@lucasgcbkhomp

I've enabled logging in Mosquitto MQTT with log_type all in the config. I get the SUBSCRIBE from the client and a SUBACK goes to client as expected, but the Mosquitto Broker simply doesn't PUBLISH to the client when a message arrives in the topic.

Only clients subscribed to # receive the PUBLISH.

Maybe this is a UTF-8 error? @ralight what do you think?

ralight commented Jun 3, 2022

Hi,

I've just tried to reproduce this behaviour but failed. I'll give you the exact details of what I did and hopefully we can figure out where the difference lies.

dynamic-security.json (password is admin for both cases):

{
    "clients": [
        {
            "username": "admin",
            "textName": "Dynsec admin user",
            "password": "3oKJF9ti9eAQu3mQeI9T3WO9UlQTXdAz115SdsvcqUWJmsIXBvkrRe51KndmQjwjgL0rGggrkm5Cd917whML1A==",
            "salt": "J4LkEcQTrOATVgTx",
            "iterations": 101,
            "roles": [
                {
                    "rolename": "admin"
                }
            ]
        },
        {
            "username": "user",
            "textName": "Dynsec admin user",
            "password": "3oKJF9ti9eAQu3mQeI9T3WO9UlQTXdAz115SdsvcqUWJmsIXBvkrRe51KndmQjwjgL0rGggrkm5Cd917whML1A==",
            "salt": "J4LkEcQTrOATVgTx",
            "iterations": 101,
            "roles": [
                {
                    "rolename": "sensorrole"
                }
            ]
        }
    ],
    "roles": [
        {
            "rolename": "admin",
            "acls": [
                {
                    "acltype": "publishClientSend",
                    "topic": "$CONTROL/dynamic-security/#",
                    "allow": true
                },
                {
                    "acltype": "publishClientReceive",
                    "topic": "$CONTROL/dynamic-security/#",
                    "allow": true
                },
                {
                    "acltype": "subscribePattern",
                    "topic": "$CONTROL/dynamic-security/#",
                    "allow": true
                },
                {
                    "acltype": "publishClientReceive",
                    "topic": "$SYS/#",
                    "allow": true
                },
                {
                    "acltype": "subscribePattern",
                    "topic": "$SYS/#",
                    "allow": true
                },
                {
                    "acltype": "publishClientReceive",
                    "topic": "#",
                    "allow": true
                },
                {
                    "acltype": "subscribePattern",
                    "topic": "#",
                    "allow": true
                },
                {
                    "acltype": "unsubscribePattern",
                    "topic": "#",
                    "allow": true
                }
            ]
        },
        {
            "rolename": "sensorrole",
            "acls": [
                {
                    "acltype": "publishClientSend",
                    "topic": "sensor",
                    "priority": 5,
                    "allow": true
                },
                {
                    "acltype": "publishClientReceive",
                    "topic": "sensor",
                    "priority": 5,
                    "allow": true
                },
                {
                    "acltype": "subscribePattern",
                    "topic": "sensor",
                    "priority": 5,
                    "allow": true
                },
                {
                    "acltype": "subscribeLiteral",
                    "topic": "sensor",
                    "priority": 5,
                    "allow": true
                }
            ]
        }
    ],
    "defaultACLAccess": {
        "publishClientSend": false,
        "publishClientReceive": true,
        "subscribe": false,
        "unsubscribe": true
    }
}

Subscribe command: mosquitto_sub -u user -P admin -t sensor -v
Publish command: mosquitto_pub -u user -P admin -t sensor -m asdf

Let me know how you get on.

lucasgcbkhomp commented Jun 6, 2022

Hey!

I've now noticed it's working as expected using the mosquitto_sub command, so after becoming more familiar with the protocol and checking up with you here, I've identified this as my own fault with the third party client I'm using (MQTT Explorer).

I had to subscribe manually to the topic that I had enabled in the DynSec file for the user and now it's working as expected. It was previously only working with # as a rule because that's what the client subscribes to by default (I identified this because of the verbose mode), then I checked some settings and subscribed manually. I was under the impression that if I attempted to subscribe to # it would subscribe to anything I have the rights to.

Thank you for your attention, this is a very nice project.
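The behaviour worked out in this thread (the sensorrole config ralight posted, and the closing observation that a subscription to # is not narrowed to the topics the role permits) can be modelled in a few lines. The block below is an added example, not code from the Mosquitto project or from either participant; it implements the dynamic-security evaluation rules as documented (first matching ACL wins, higher priority first, subscribeLiteral compares the whole filter string, subscribePattern treats the ACL topic as a filter, anything unmatched falls back to defaultACLAccess) and the sensorrole and defaultACLAccess values are copied from the thread. It is a simplification: the real plugin also walks group roles and the anonymous group, which are omitted here.

```python
"""Toy model of how the Mosquitto dynamic-security plugin answers an ACL check.

Added example, not the plugin's own code. Rules modelled: ACLs from all roles
are sorted by priority (higher first), the first ACL whose topic matches decides
(allow or deny), and an unmatched request falls back to defaultACLAccess.
"""

# Constructed copy of the sensorrole and defaultACLAccess posted in the thread.
SENSOR_ROLE = {
    "rolename": "sensorrole",
    "acls": [
        {"acltype": "publishClientSend", "topic": "sensor", "priority": 5, "allow": True},
        {"acltype": "publishClientReceive", "topic": "sensor", "priority": 5, "allow": True},
        {"acltype": "subscribePattern", "topic": "sensor", "priority": 5, "allow": True},
        {"acltype": "subscribeLiteral", "topic": "sensor", "priority": 5, "allow": True},
    ],
}

DEFAULT_ACL_ACCESS = {
    "publishClientSend": False,
    "publishClientReceive": True,
    "subscribe": False,
    "unsubscribe": True,
}

# Which ACL types answer which kind of check, and the defaultACLAccess key used
# when no ACL matches.
CHECK_TYPES = {
    "subscribe": (("subscribeLiteral", "subscribePattern"), "subscribe"),
    "unsubscribe": (("unsubscribeLiteral", "unsubscribePattern"), "unsubscribe"),
    "publishClientSend": (("publishClientSend",), "publishClientSend"),
    "publishClientReceive": (("publishClientReceive",), "publishClientReceive"),
}


def sub_matches_acl(acl_topic: str, requested: str) -> bool:
    """Does the requested topic (or topic filter) fall entirely inside the ACL pattern?

    Level by level: an ACL '#' covers everything below it, an ACL '+' covers
    exactly one level (but not a requested '#', which is broader), and a literal
    ACL level must be equal. A requested wildcard broader than the ACL does not
    match, so subscribing to '#' is refused outright rather than trimmed down to
    the permitted topics.
    """
    acl = acl_topic.split("/")
    req = requested.split("/")
    i = 0
    while i < len(acl):
        a = acl[i]
        if a == "#":
            return True
        if i >= len(req):
            return False
        r = req[i]
        if a == "+":
            if r == "#":
                return False
        elif r != a:  # also rejects a requested '+' or '#' against a literal level
            return False
        i += 1
    return i == len(req)  # requested filter must not go deeper than the ACL


def acl_check(roles, default_access, check: str, topic: str) -> bool:
    """True if the check is allowed for a client holding these roles."""
    acl_types, default_key = CHECK_TYPES[check]
    candidates = [acl for role in roles for acl in role["acls"]
                  if acl["acltype"] in acl_types]
    # Higher priority first; ties keep file order (sort is stable).
    candidates.sort(key=lambda acl: acl.get("priority", 0), reverse=True)
    for acl in candidates:
        if acl["acltype"].endswith("Literal"):
            matched = acl["topic"] == topic
        else:
            matched = sub_matches_acl(acl["topic"], topic)
        if matched:
            return acl["allow"]
    return default_access[default_key]


def suback(roles, default_access, filters):
    """Per-filter outcome of one SUBSCRIBE packet, as the SUBACK reports it."""
    return [(f, acl_check(roles, default_access, "subscribe", f)) for f in filters]


if __name__ == "__main__":
    # A client subscribing to '#' by default versus `mosquitto_sub -t sensor`.
    for filt, ok in suback([SENSOR_ROLE], DEFAULT_ACL_ACCESS, ["#", "sensor", "sensor/#"]):
        print(f"subscribe {filt!r}: {'granted' if ok else 'refused'}")
```

Two things this makes visible when checking a broker. First, a refused subscription still gets a SUBACK; the refusal is carried per filter in the SUBACK return code (0x80 "Failure" in MQTT 3.1.1, 0x87 "Not authorized" in MQTT 5), which is why a client that silently subscribes to # appears connected but never receives a PUBLISH. Second, with publishClientReceive defaulting to true as in the posted config, the subscribe ACL is the only thing gating what a sensorrole client can read, so the subscribe default should stay false and subscribe ACLs should stay as narrow as the thread's "sensor" entries.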

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 11, 2022