emqx / emqx-auth-mysql

Authentication, ACL with MySQL Database

Home Page:https://www.emqx.com

Trouble with auth.mysql.acl_query

meehab opened this issue · comments

Almost there with setting up EMQ to help power an Amazon Alexa skill I'm building.

I have user authentication against a MySQL DB working, but ACL is failing for me with the following report in error.log when a user attempts to subscribe (or publish) to a topic:

2017-04-05 09:45:06.071 [error] <0.1221.0> gen_server <0.1221.0> terminated with reason: no case clause matching [] in esockd_cidr:parse/2 line 55
2017-04-05 09:45:06.071 [error] <0.1221.0> CRASH REPORT Process <0.1221.0> with 0 neighbours exited with reason: no case clause matching [] in esockd_cidr:parse/2 line 55 in gen_server2:terminate/3 line 1157
2017-04-05 09:45:06.071 [error] <0.1163.0> Supervisor 'esockd_connection_sup - <0.1163.0>' had child connection started with emqttd_client:start_link([{client_idle_timeout,30000},{client_enable_stats,false},{max_clientid_len,1024},{max_packet_size,...}]) at <0.1221.0> exit with reason no case clause matching [] in esockd_cidr:parse/2 line 55 in context connection_crashed

To me, that looks like the ACL query is returning an empty result. Here's the relevant line from my emq_auth_mysql.conf file:

## ACL Query Command
auth.mysql.acl_query = select allow, ipaddress, proxyuser, amzUID, access, topic from squeezebox where proxyuser = '%u' or proxyuser = '%all'

## ACL nomatch
auth.mysql.acl_nomatch = deny

I have updated the query with my own table and field names, and I know this query works: if I take it into MySQL Workbench it runs fine, returning the expected record.

If I access the broker with a superuser account, publish and subscribe work fine (as expected as this bypasses ACL).

I've tried this with multiple MQTT clients etc. to rule out possible issues with defective implementations.

Anything else I can look into?

Thanks in advance

(originally reported in google support group: https://groups.google.com/forum/#!topic/emqtt/tCynP8-FNTI)

@meehab Please check the ipaddress field, whose value should be NULL, not ''.

@emqplus That's the problem. I had an empty ipaddress field but it was '', not NULL.

Now I just have to figure this one out:

2017-04-05 10:59:18.480 [error] <0.1286.0>@emqttd_protocol:process:254 Client(MQTT_FX_Client@xx.xx.40.97:17220): Cannot SUBSCRIBE [{<<"/habtunes/meep">>,[{qos,0}]}] for ACL Deny

The Access Control Module will match ACL rows returned from DB one by one. Deny if no match:

## ACL nomatch
auth.mysql.acl_nomatch = deny

Thanks @emqplus

I understand how it should work, but there seems to be something else wrong.

This returns the error as listed above:

## ACL Query Command
auth.mysql.acl_query = select allow, ipaddress, proxyuser, amzUID, access, topic from squeezebox where proxyuser = '%u'

but running this query in Workbench returns the expected row:

select allow, ipaddress, proxyuser, amzUID, access, topic from squeezebox where proxyuser = 'meep'

see here: [screenshot of the MySQL Workbench result]

Why would the Access Control Module fail to match when %u = 'meep'? Is there a special format for the topic field? Does it need to be URL encoded, escaped or otherwise marked up?

Thanks

Match if %u = 'meep' and %c = '8AEL5ZEgx923'

Thanks again. I see now that BOTH %u and %c must be defined and matching for ACL to work. It would be helpful to update the documentation with this information.
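The following Python is an added example, not emq_auth_mysql's own code and not part of this thread. It models how the plugin treats the rows that auth.mysql.acl_query returns, using only what the replies above establish: rows are checked one by one and acl_nomatch decides otherwise; an ipaddress of '' (rather than NULL) is handed to a CIDR parser and crashes instead of acting as a wildcard; and when a row carries both a username and a clientid, both must match the connecting client. The access-column encoding (1 = subscribe, 2 = publish, 3 = both), the standard MQTT '+'/'#' wildcard rules for the topic column, the class and function names, and the sample rows and client are all assumptions made for the example.

```python
"""Model of emq_auth_mysql ACL-row matching as described in the thread.
Added example; names, sample rows and the access encoding are assumed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

SUBSCRIBE, PUBLISH = 1, 2  # assumed encoding of the `access` column (3 = both)


@dataclass
class Client:
    username: str
    clientid: str
    ipaddr: str


@dataclass
class AclRow:
    """One row of the acl_query result; None stands for SQL NULL."""
    allow: int
    ipaddress: Optional[str]
    username: Optional[str]
    clientid: Optional[str]
    access: int
    topic: str


def parse_cidr(text: str):
    """Like the CIDR parser the thread tripped over: '' is not a CIDR.
    Only NULL means 'any address'; an empty string is an error."""
    if text == "":
        raise ValueError("empty ipaddress: store NULL for 'any address', not ''")
    return ipaddress.ip_network(text, strict=False)


def topic_matches(filter_: str, topic: str) -> bool:
    """Standard MQTT filter matching: '+' one level, '#' the remainder."""
    f, t = filter_.split("/"), topic.split("/")
    for i, part in enumerate(f):
        if part == "#":
            return True
        if i >= len(t) or (part != "+" and part != t[i]):
            return False
    return len(f) == len(t)


def row_matches(row: AclRow, client: Client, pubsub: int, topic: str) -> bool:
    """Every non-NULL subject column is a condition and ALL must hold,
    which is why a row with both username and clientid set needs %u AND %c."""
    conds = []
    if row.ipaddress is not None:
        conds.append(ipaddress.ip_address(client.ipaddr) in parse_cidr(row.ipaddress))
    if row.username is not None:
        conds.append(row.username == client.username)
    if row.clientid is not None:
        conds.append(row.clientid == client.clientid)
    if not conds:
        return False  # a row naming no subject matches nobody
    return all(conds) and (row.access & pubsub) == pubsub and topic_matches(row.topic, topic)


def check_acl(rows: List[AclRow], client: Client, pubsub: int, topic: str,
              nomatch: str = "deny") -> str:
    """Walk the rows in order; the first matching row decides.
    No match falls through to auth.mysql.acl_nomatch."""
    for row in rows:
        if row_matches(row, client, pubsub, topic):
            return "allow" if row.allow else "deny"
    return nomatch


# Constructed sample client and rows, modelled on the thread (not real data).
MEEP = Client(username="meep", clientid="8AEL5ZEgx923", ipaddr="10.0.40.97")


def demo() -> dict:
    results = {}
    ok_row = AclRow(1, None, "meep", "8AEL5ZEgx923", 3, "/habtunes/meep")
    # NULL ipaddress, username and clientid both match -> allow
    results["both_match"] = check_acl([ok_row], MEEP, SUBSCRIBE, "/habtunes/meep")
    # same row, same username, different clientid -> AND fails -> nomatch -> deny
    other = Client("meep", "someOtherId", "10.0.40.97")
    results["clientid_mismatch"] = check_acl([ok_row], other, SUBSCRIBE, "/habtunes/meep")
    # ipaddress stored as '' instead of NULL -> parser error, like the crash in the log
    bad_row = AclRow(1, "", "meep", None, 3, "#")
    try:
        check_acl([bad_row], MEEP, SUBSCRIBE, "/habtunes/meep")
        results["empty_ip"] = "matched"
    except ValueError:
        results["empty_ip"] = "crash"
    # address-only row (user and clientid NULL) that grants publish only
    ip_row = AclRow(1, "10.0.40.0/24", None, None, PUBLISH, "/habtunes/+")
    results["cidr_publish"] = check_acl([ip_row], MEEP, PUBLISH, "/habtunes/meep")
    results["cidr_subscribe"] = check_acl([ip_row], MEEP, SUBSCRIBE, "/habtunes/meep")
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running the script prints the verdict for each constructed case; the "clientid_mismatch" case is the situation the thread ended on, where a row that names both a user and a client id silently falls through to acl_nomatch when only the username matches.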