
Comments (14)

jpmens commented on June 3, 2024

At the moment there is RW only; that is correct.

There's no reason not to add read-only, I just haven't got around to doing that yet. I'll try to implement this as soon as possible, at least for the mysql back-end.

from mosquitto-auth-plug.

satanasov commented on June 3, 2024

This will be great - thanks.


jpmens commented on June 3, 2024

I've added support for RO/RW ACLs in the latest commit. (Check the README).

Basically the ACLs query will look like this:

auth_opt_aclquery SELECT topic FROM acls WHERE (username = '%s') AND (rw & %d)

Please test and see if you experience any issues.


satanasov commented on June 3, 2024

It looks like it is working. If there is a problem I'll raise another ticket ...


manolodd commented on June 3, 2024

Hi jpmens,

neither the query you tell us in the readme

auth_opt_aclquery SELECT topic FROM acls WHERE (username = '%s') AND (rw <= %d)

nor the aforementioned one

auth_opt_aclquery SELECT topic FROM acls WHERE (username = '%s') AND (rw & %d)

worked for me. If I have a user user1 that has rw=2 for topic="/proof",

I suppose that this user1 is able to subscribe to /proof and publish to /proof at the same time, but it doesn't work.

Could you help me, please?


manolodd commented on June 3, 2024

Ok, after some tests: if I want user1 to publish and subscribe to a topic, I need to insert two entries in the database for the same topic and user, one having rw=1 and the other having rw=2.

It seems that the implementation recognizes 1=read only and 2=write only (not read/write).

Is that correct?


jpmens commented on June 3, 2024

That depends on how you phrase the queries. The README has an example which should work; if it doesn't, then please show the steps you took.


manolodd commented on June 3, 2024

jpmens, this is what happens when using the SQL query given in the README:

auth_opt_aclquery SELECT topic FROM acls WHERE (username = '%s') AND (rw <= %d)

I have two users:

ro_user (rw=1 on topic /proof)
rw_user (rw=2 on topic /proof)

  • ro_user subscribes to /proof and rw_user publishes "hello" to /proof -> OK. Message delivered.
  • rw_user subscribes to /proof and ro_user publishes "hello" to /proof -> OK. Message not delivered.
  • ro_user subscribes to /proof and ro_user publishes "hello" to /proof -> BAD. Message delivered but it shouldn't be.
  • rw_user subscribes to /proof and rw_user publishes "hello" to /proof -> BAD. Message is not delivered but it should be.

Neither ro_user nor rw_user are super (they have super=0).

¿?¿?¿

Any idea?

PS: I use the mysql backend


manolodd commented on June 3, 2024

jpmens, another scenario using the SQL query in the README:

auth_opt_aclquery SELECT topic FROM acls WHERE (username = '%s') AND (rw <= %d)

I have two users:

ro_user (rw=1 on topic /proof)
rw_user (rw=2 on topic /proof)

Transforming both users into superusers:

  • ro_user subscribes to /proof and rw_user publishes "hello" to /proof -> OK. Message delivered.
  • rw_user subscribes to /proof and ro_user publishes "hello" to /proof -> OK. Message delivered.
  • ro_user subscribes to /proof and ro_user publishes "hello" to /proof -> OK. Message delivered.
  • rw_user subscribes to /proof and rw_user publishes "hello" to /proof -> OK. Message delivered.

So, it seems that the problem must be in the ACL check module.

PS: I use the mysql backend


manolodd commented on June 3, 2024

jpmens, the last one, using the SQL query in the README:

auth_opt_aclquery SELECT topic FROM acls WHERE (username = '%s') AND (rw <= %d)

I have two users:

ro_user (rw=1 on topic /proof)
rw_user (both, rw=1 on topic /proof and rw=2 on topic /proof)

  • ro_user subscribes to /proof and rw_user publishes "hello" to /proof -> OK. Message delivered.
  • rw_user subscribes to /proof and ro_user publishes "hello" to /proof -> BAD. Message delivered, but it shouldn't be.
  • ro_user subscribes to /proof and ro_user publishes "hello" to /proof -> BAD. Message delivered but it shouldn't be.
  • rw_user subscribes to /proof and rw_user publishes "hello" to /proof -> OK. Message delivered.

Neither ro_user nor rw_user are super (they have super=0).

So... I'm completely lost :-(. I did not have errors when compiling the module, and the logs do not seem to show anything strange. It seems as if the %d value is not correct at runtime.


jpmens commented on June 3, 2024

I will look at this carefully as soon as possible.


manolodd commented on June 3, 2024

Thank you so much!!

ACL checking is something that I do not need urgently, as we are still developing some backend components. So... we will convert all users into superusers in the meantime.

Regards.


jpmens commented on June 3, 2024

I'm using the following data:

mysql> select * from users;
+----+----------+---------------------------------------------------------------------+-------+
| id | username | pw                                                                  | super |
+----+----------+---------------------------------------------------------------------+-------+
|  7 | sub      | PBKDF2$sha256$901$P4OmgoAX9u2tbTgE$ZPyxbSQfTx8gGjYp/MW1rA19lqFx+2xt |     0 |
|  8 | pub      | PBKDF2$sha256$901$PHRKQG7IUKW5qp4D$ABTuN7PJBfPdk/PByPN4LJVXn8h5ba/C |     0 |
+----+----------+---------------------------------------------------------------------+-------+
mysql> select * from acls;
+----+----------+-------------------+----+
| id | username | topic             | rw |
+----+----------+-------------------+----+
| 13 | sub      | s/+               |  1 |
| 14 | pub      | s/+               |  2 |
+----+----------+-------------------+----+
  1. sub user subscribes to s/+: OK
  2. pub user (RW) publishes to s/one: OK -> sub user receives it
  3. sub user publishes to s/one: Denied PUBLISH, which is correct.
  4. pub user (RW) subscribes to s/+: OK, which is correct (read and write)
  5. pub user publishes to s/hello: subscriber authenticated as pub receives it: OK.

The problem was a typo in the README; I'm sorry about that. The configuration I'm using is:

auth_opt_aclquery SELECT topic FROM acls WHERE (username = '%s') AND (rw >= %d)

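To make the difference between the three aclquery variants in this thread concrete, here is an added example (not part of mosquitto-auth-plug) that runs each query against the same two-row acls table in SQLite and reports which user/access combinations are granted for topic s/one. It assumes, as the thread implies, that the plugin substitutes %d with 1 for a read check and 2 for a write check, and that the returned topic patterns are matched with MQTT wildcard rules.

```python
import sqlite3

# Constructed sample data mirroring the thread: rw=1 is read-only, rw=2 is read/write.
ACLS = [("sub", "s/+", 1), ("pub", "s/+", 2)]

# Assumption (not stated verbatim on the page): the plugin substitutes %d with
# 1 for a read (subscribe/deliver) check and 2 for a write (publish) check.
READ, WRITE = 1, 2

# The three aclquery variants from the thread, with ? in place of %s and %d.
QUERIES = {
    "<=": "SELECT topic FROM acls WHERE (username = ?) AND (rw <= ?)",  # README typo
    "&":  "SELECT topic FROM acls WHERE (username = ?) AND (rw & ?)",   # earlier comment
    ">=": "SELECT topic FROM acls WHERE (username = ?) AND (rw >= ?)",  # corrected
}


def topic_matches(pattern, topic):
    """Match an MQTT topic filter (with + and # wildcards) against a topic."""
    p, t = pattern.split("/"), topic.split("/")
    for i, seg in enumerate(p):
        if seg == "#":
            return True
        if i >= len(t) or (seg != "+" and seg != t[i]):
            return False
    return len(p) == len(t)


def acl_allows(conn, variant, username, topic, access):
    """True if any ACL row returned by the query variant covers the topic."""
    rows = conn.execute(QUERIES[variant], (username, access)).fetchall()
    return any(topic_matches(row[0], topic) for row in rows)


def decision_matrix(variant, topic="s/one"):
    """Return {(user, 'read'|'write'): allowed} for one query variant."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE acls (username TEXT, topic TEXT, rw INTEGER)")
    conn.executemany("INSERT INTO acls VALUES (?, ?, ?)", ACLS)
    result = {}
    for user in ("sub", "pub"):
        for name, access in (("read", READ), ("write", WRITE)):
            result[(user, name)] = acl_allows(conn, variant, user, topic, access)
    conn.close()
    return result


if __name__ == "__main__":
    for variant in QUERIES:
        print(variant, decision_matrix(variant))
```

With "<=" the read-only user is allowed to publish and the read/write user is denied reading, exactly the two BAD rows manolodd observed; with "&" rw=2 behaves as write-only; only ">=" gives read-only for 1 and read/write for 2.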

manolodd commented on June 3, 2024

Wow!!! What a silly mistake. Thank you so much. Now it works fine. I've tried 100.000 different options, have recompiled the module... but I did not think the query in the README was incorrect. Has nobody reported this bad behaviour till now???

Thank you so much, jpmens. I'm configuring a complex bridged MQTT infrastructure and this removes part of the problems I'm having.

Good job!!
