[dynsec] mosquitto duplicates entries (clients/roles/...) from dynamic-security.json #2601

AnotherCodeArtist · 2022-07-27T13:19:34Z

I'm using docker image eclipse-mosquitto:2.0.14-openssl, which should be pretty recent, nevertheless, I get the following result:

Although entries in the dynamic-securty.json are unique, mosquitto_ctrl returns duplicates for each entry, like:

> mosquitto_ctrl -u cedalo  dynsec listRoles
cedalo
cedalo
kafka
kafka
sensor1
sensor1
streamsheets
streamsheets
telegraf
telegraf

Which means, that these entries are also shown in the management center:

There's a similar issue (#2470) reporting that also entries in the config file get duplicated. This, however, seems to be fixed in 2.0.14 (at least it did not happen in the last 15 minutes in my installation).

The text was updated successfully, but these errors were encountered:

ralight · 2022-08-05T23:09:08Z

I've tried to duplicate this but haven't had any luck so far. Do you have any hints on anything I might be missing?

AnotherCodeArtist · 2022-08-09T10:17:30Z

I've deployed eclipse-mosquitto:2.0.14-openssl along with a self-crafted version of cedalo management center image (since the official one is not current) as separate pods in kubernetes.
In the mosquitto pod, paths /mosquitto/data and /mosquitto/config are bound to a persistent volume. The config file (mosquitto.conf) is:

listener 1883

persistence true
persistence_location /mosquitto/data/

plugin /usr/lib/mosquitto_dynamic_security.so
plugin_opt_config_file /mosquitto/data/dynamic-security.json




# MQTT over TLS/SSL
listener 8883
protocol mqtt
require_certificate false
#cafile C:\Dati\mosquitto\ca.crt
certfile /certs/tls.crt
keyfile /certs/tls.key
plugin /usr/lib/mosquitto_dynamic_security.so
plugin_opt_config_file /mosquitto/data/dynamic-security.json

The /mosquitto/data therefore also holds a file called mosquitto.db. Could it be that this database also contains (outdated?) client and role information since this file survived the replacement of the container image? Or is there some other place where a cached security configuration could be found?

ralight · 2022-08-16T00:12:49Z

Thank you, that was very helpful. The problem is down to the duplicate loading of the dynamic security plugin. It is currently only possible for a plugin that uses $CONTROL messages, such as dynsec, to be loaded once, but the dynsec plugin wasn't catching that error.

In your case, just remove the duplicate plugin entries and it will be fixed. I'll get the code fixed.

ralight · 2022-08-16T00:25:38Z

For the 2.0.15 release duplicate plugins are disabled. For 2.1.0 I'll try to think of a different solution.

ralight added Type: Bug Component: mosquitto-broker labels Aug 5, 2022

ralight added this to the 2.0.15 milestone Aug 16, 2022

ralight added the Status: Completed Nothing further to be done with this issue, it can be closed by the requestor or committer. label Aug 16, 2022

ralight closed this as completed in df317ff Aug 16, 2022

github-actions bot locked as resolved and limited conversation to collaborators Nov 20, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[dynsec] mosquitto duplicates entries (clients/roles/...) from dynamic-security.json #2601

[dynsec] mosquitto duplicates entries (clients/roles/...) from dynamic-security.json #2601

AnotherCodeArtist commented Jul 27, 2022

ralight commented Aug 5, 2022

AnotherCodeArtist commented Aug 9, 2022

ralight commented Aug 16, 2022

ralight commented Aug 16, 2022

[dynsec] mosquitto duplicates entries (clients/roles/...) from dynamic-security.json #2601

[dynsec] mosquitto duplicates entries (clients/roles/...) from dynamic-security.json #2601

Comments

AnotherCodeArtist commented Jul 27, 2022

ralight commented Aug 5, 2022

AnotherCodeArtist commented Aug 9, 2022

ralight commented Aug 16, 2022

ralight commented Aug 16, 2022