Comments (14)
At the moment there is RW only; that is correct.
There's no reason not to add read-only, I just haven't got around to doing that yet. I'll try to implement this as soon as possible, at least for the mysql back-end.
from mosquitto-auth-plug.
This will be great - thanks.
from mosquitto-auth-plug.
I've added support for RO/RW ACLs in the latest commit. (Check the README).
Basically the ACLs query will look like this:
auth_opt_aclquery SELECT topic FROM acls WHERE (username = '%s') AND (rw & %d)
Please test and see if you experience any issues.
from mosquitto-auth-plug.
It looks like it is working. If there is a problem I'll raise another ticket ...
from mosquitto-auth-plug.
Hi jpmens,
neither the query you give in the README
auth_opt_aclquery SELECT topic FROM acls WHERE (username = '%s') AND (rw <= %d)
nor the aforementioned one
auth_opt_aclquery SELECT topic FROM acls WHERE (username = '%s') AND (rw & %d)
worked for me. If I have a user user1 that has rw=2 for a topic="/proof",
I suppose that this user1 is able to subscribe to /proof and publish to /proof at the same time, but it doesn't work.
Could you help me, please?
from mosquitto-auth-plug.
OK, after some tests: if I want user1 to publish and subscribe to a topic, I need to insert two entries in the database, for the same topic and user, one having rw=1 and the other having rw=2.
It seems that the implementation recognizes 1=read only and 2=write only (not read/write).
Is that correct?
from mosquitto-auth-plug.
That depends on how you phrase the queries. The README has an example which should work; if it doesn't, then please show the steps you took.
from mosquitto-auth-plug.
jpmens, this is what happens when using the SQL query expressed in the README
auth_opt_aclquery SELECT topic FROM acls WHERE (username = '%s') AND (rw <= %d)
I have two users:
ro_user (rw=1 on topic /proof)
rw_user (rw=2 on topic /proof)
- ro_user subscribes to /proof and rw_user publishes "hello" to /proof -> OK. Message delivered.
- rw_user subscribes to /proof and ro_user publishes "hello" to /proof -> OK. Message not delivered.
- ro_user subscribes to /proof and ro_user publishes "hello" to /proof -> BAD. Message delivered but it shouldn't be.
- rw_user subscribes to /proof and rw_user publishes "hello" to /proof -> BAD. Message is not delivered but it should be.
Neither ro_user nor rw_user are super (they have super=0).
¿?¿?¿
Any idea?
PS: I use the mysql backend
from mosquitto-auth-plug.
jpmens, another scenario using the SQL query in the README
auth_opt_aclquery SELECT topic FROM acls WHERE (username = '%s') AND (rw <= %d)
I have two users:
ro_user (rw=1 on topic /proof)
rw_user (rw=2 on topic /proof)
Transforming both users into superusers:
ro_user subscribes to /proof and rw_user publishes "hello" to /proof -> OK. Message delivered.
rw_user subscribes to /proof and ro_user publishes "hello" to /proof -> OK. Message delivered.
ro_user subscribes to /proof and ro_user publishes "hello" to /proof -> OK. Message delivered.
rw_user subscribes to /proof and rw_user publishes "hello" to /proof -> OK. Message delivered.
So, it seems that the problem should be in the ACL check module.
PS: I use the mysql backend
from mosquitto-auth-plug.
jpmens, the last one using the SQL query in the README
auth_opt_aclquery SELECT topic FROM acls WHERE (username = '%s') AND (rw <= %d)
I have two users:
ro_user (rw=1 on topic /proof)
rw_user (both, rw=1 on topic /proof and rw=2 on topic /proof)
ro_user subscribes to /proof and rw_user publishes "hello" to /proof -> OK. Message delivered.
rw_user subscribes to /proof and ro_user publishes "hello" to /proof -> BAD. Message delivered, but it shouldn't be.
ro_user subscribes to /proof and ro_user publishes "hello" to /proof -> BAD. Message delivered but it shouldn't be.
rw_user subscribes to /proof and rw_user publishes "hello" to /proof -> OK. Message delivered.
Neither ro_user nor rw_user are super (they have super=0).
So... I'm completely lost :-(. I did not get errors when compiling the module, and the logs don't seem to show anything strange. It seems as if the %d value is not correct at runtime.
from mosquitto-auth-plug.
I will look at this carefully as soon as possible.
from mosquitto-auth-plug.
Thank you so much!!
The ACL check is something that I do not need urgently, as we are still developing some backend components. So... we will convert all users into superusers in the meanwhile.
Regards.
from mosquitto-auth-plug.
I'm using the following data:
mysql> select * from users;
+----+----------+---------------------------------------------------------------------+-------+
| id | username | pw | super |
+----+----------+---------------------------------------------------------------------+-------+
| 7 | sub | PBKDF2$sha256$901$P4OmgoAX9u2tbTgE$ZPyxbSQfTx8gGjYp/MW1rA19lqFx+2xt | 0 |
| 8 | pub | PBKDF2$sha256$901$PHRKQG7IUKW5qp4D$ABTuN7PJBfPdk/PByPN4LJVXn8h5ba/C | 0 |
+----+----------+---------------------------------------------------------------------+-------+
mysql> select * from acls;
+----+----------+-------------------+----+
| id | username | topic | rw |
+----+----------+-------------------+----+
| 13 | sub | s/+ | 1 |
| 14 | pub | s/+ | 2 |
+----+----------+-------------------+----+
- sub user subscribes to s/+ : OK
- pub user (RW) publishes to s/one : OK -> sub user receives it
- sub user publishes to s/one : Denied PUBLISH, which is correct.
- pub user (RW) subscribes to s/+ : OK, which is correct (read and write)
- pub user publishes to s/hello : subscriber authenticated as pub receives it: OK.
The problem was a typo in the README, I'm sorry about that. The configuration I'm using is
auth_opt_aclquery SELECT topic FROM acls WHERE (username = '%s') AND (rw >= %d)
from mosquitto-auth-plug.
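The three query shapes discussed in this thread differ only in one operator, but that operator decides who may publish. The following is an added example, not code from the original thread or from mosquitto-auth-plug itself: it rebuilds the thread's acls table in an in-memory SQLite database and runs each variant through a minimal model of a per-topic ACL check. Two things are assumptions rather than facts taken from the page: that the value substituted for %d is 1 on a subscribe (read) check and 2 on a publish (write) check, and that each topic filter the query returns is matched against the requested topic with MQTT wildcard rules (+ and #). The example also binds the username and access value as parameters instead of formatting them into the query string; that is a choice made here, not a description of how the plugin builds its query.

```python
"""
Added example (not mosquitto-auth-plug code): compare the ACL query variants
from the thread against the thread's own sample users.

Assumptions (not stated on the page): %d is 1 for subscribe/read and 2 for
publish/write; returned topic filters are matched with MQTT + and # rules.
"""
import sqlite3

ACL_READ = 1   # assumed value substituted for %d on a subscribe check
ACL_WRITE = 2  # assumed value substituted for %d on a publish check

# The query shapes quoted in the thread, with %s / %d turned into bound
# parameters (?) so the values are never string-formatted into SQL.
QUERIES = {
    "typo":      "SELECT topic FROM acls WHERE (username = ?) AND (rw <= ?)",  # old README
    "corrected": "SELECT topic FROM acls WHERE (username = ?) AND (rw >= ?)",  # jpmens' fix
    "bitmask":   "SELECT topic FROM acls WHERE (username = ?) AND (rw & ?)",   # early commit
}

# Constructed sample rows mirroring the thread: rw=1 user and rw=2 user
# on /proof, plus the sub/pub pair on s/+ from jpmens' MySQL dump.
SAMPLE_ACLS = [
    ("ro_user", "/proof", 1),
    ("rw_user", "/proof", 2),
    ("sub", "s/+", 1),
    ("pub", "s/+", 2),
]


def topic_matches(filter_, topic):
    """MQTT topic-filter match: '+' matches one level, '#' the remainder."""
    f = filter_.split("/")
    t = topic.split("/")
    for i, part in enumerate(f):
        if part == "#":
            return True
        if i >= len(t):
            return False
        if part != "+" and part != t[i]:
            return False
    return len(f) == len(t)


def make_db(rows=SAMPLE_ACLS):
    """Build an in-memory acls table shaped like the one in the thread."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE acls (id INTEGER PRIMARY KEY, username TEXT, topic TEXT, rw INTEGER)"
    )
    db.executemany("INSERT INTO acls (username, topic, rw) VALUES (?, ?, ?)", rows)
    return db


def acl_check(db, query, username, topic, access):
    """Allow if any topic filter returned by the ACL query matches the topic."""
    for (filter_,) in db.execute(query, (username, access)):
        if topic_matches(filter_, topic):
            return True
    return False


def matrix(query, users=("ro_user", "rw_user"), topic="/proof"):
    """Map (user, 'sub'|'pub') -> allowed, for one query variant."""
    db = make_db()
    out = {}
    for u in users:
        out[(u, "sub")] = acl_check(db, query, u, topic, ACL_READ)
        out[(u, "pub")] = acl_check(db, query, u, topic, ACL_WRITE)
    return out


if __name__ == "__main__":
    for name, q in QUERIES.items():
        print(name)
        for (u, op), ok in sorted(matrix(q).items()):
            print(f"  {u:8s} {op}: {'allow' if ok else 'deny'}")
```

Under the corrected query a row with rw=1 grants subscribe only and a row with rw=2 grants both, because 2 >= 1 and 2 >= 2. The typo version inverts that: rw=1 satisfies rw <= 2 on a publish check, so ro_user may publish, while rw=2 fails rw <= 1, so rw_user cannot subscribe, which is exactly the allow/deny pattern reported earlier in the thread. The bitmask version is a third, different scheme: rw=2 & 1 is 0, so rw=2 is write-only and read/write needs rw=3 (or two rows), matching the "1=read only, 2=write only" observation above.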
Wow!!! What a silly mistake. Thank you so much. Now it works fine. I've tried 100,000 different options, have recompiled the module... but I did not think the query in the README was incorrect. Has nobody reported this misbehaviour until now???
Thank you so much jpmens, I'm configuring a complex bridged MQTT infrastructure and this removes part of the problems I'm having.
Good job!!
from mosquitto-auth-plug.