Trouble with auth.mysql.acl_query
meehab opened this issue
Almost there with setting up EMQ to help power an Amazon Alexa skill I'm building.
I have user authentication against a MySQL DB working, but ACL is failing for me with the following report in error.log when a user attempts to subscribe (or publish) to a topic:
2017-04-05 09:45:06.071 [error] <0.1221.0> gen_server <0.1221.0> terminated with reason: no case clause matching [] in esockd_cidr:parse/2 line 55
2017-04-05 09:45:06.071 [error] <0.1221.0> CRASH REPORT Process <0.1221.0> with 0 neighbours exited with reason: no case clause matching [] in esockd_cidr:parse/2 line 55 in gen_server2:terminate/3 line 1157
2017-04-05 09:45:06.071 [error] <0.1163.0> Supervisor 'esockd_connection_sup - <0.1163.0>' had child connection started with emqttd_client:start_link([{client_idle_timeout,30000},{client_enable_stats,false},{max_clientid_len,1024},{max_packet_size,...}]) at <0.1221.0> exit with reason no case clause matching [] in esockd_cidr:parse/2 line 55 in context connection_crashed
To me, that looks like the ACL query is returning an empty result. Here's the relevant line from my emq_auth_mysql.conf file:
## ACL Query Command
auth.mysql.acl_query = select allow, ipaddress, proxyuser, amzUID, access, topic from squeezebox where proxyuser = '%u' or proxyuser = '%all'
## ACL nomatch
auth.mysql.acl_nomatch = deny
I have updated the query with my own table and field names, and I know this query works: if I paste it into MySQL Workbench, it runs fine and returns the expected record.
If I access the broker with a superuser account, publish and subscribe work fine (as expected as this bypasses ACL).
I've tried this with multiple MQTT clients etc. to rule out possible issues with defective implementations.
Anything else I can look into?
Thanks in advance
(originally reported in google support group: https://groups.google.com/forum/#!topic/emqtt/tCynP8-FNTI)
@emqplus That's the problem. I had an empty ipaddress field but it was '', not NULL.
Now I just have to figure this one out:
2017-04-05 10:59:18.480 [error] <0.1286.0>@emqttd_protocol:process:254 Client(MQTT_FX_Client@xx.xx.40.97:17220): Cannot SUBSCRIBE [{<<"/habtunes/meep">>,[{qos,0}]}] for ACL Deny
The Access Control Module will match ACL rows returned from DB one by one. Deny if no match:
## ACL nomatch
auth.mysql.acl_nomatch = deny
Thanks @emqplus
I understand how it should work, but there seems to be something else wrong.
This returns the error listed above:
## ACL Query Command
auth.mysql.acl_query = select allow, ipaddress, proxyuser, amzUID, access, topic from squeezebox where proxyuser = '%u'
but running this query in Workbench returns the expected row:
select allow, ipaddress, proxyuser, amzUID, access, topic from squeezebox where proxyuser = 'meep'
Why would the Access Control Module fail to match when %u = 'meep'? Is there a special format for the topic field? Does it need to be URL encoded, escaped or otherwise marked up?
Thanks
Match if %u = 'meep' and %c = '8AEL5ZEgx923'
Thanks again. I see now that BOTH %u and %c must be defined and match for ACL to work. It would be helpful to update the documentation with this information.
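The matching semantics discussed in this thread (rows returned by acl_query are walked one by one, every non-NULL ipaddr/username/clientid column must fit the connecting client, acl_nomatch decides when nothing fits) and the '' vs NULL ipaddress failure are modelled below as an added Python simulation. It is not the plugin's own code; the row tuples, the client dict and the IP address are constructed for the example, and rejecting '' before CIDR parsing is the defensive check this model adds.

```python
import ipaddress
from typing import Optional

ACCESS_SUB, ACCESS_PUB, ACCESS_PUBSUB = 1, 2, 3

# Constructed rows shaped like the acl_query result:
# (allow, ipaddr, username, clientid, access, topic); NULL is None.
SAMPLE_ROWS = [
    (1, None, "meep", "8AEL5ZEgx923", ACCESS_PUBSUB, "/habtunes/meep"),  # allow this client
    (0, None, "meep", None, ACCESS_PUBSUB, "/habtunes/#"),              # deny the rest for meep
]

def parse_cidr(value: Optional[str]):
    """NULL means 'any address'. An empty string is not a CIDR; reject it
    explicitly instead of letting it reach the network parser (the crash in the thread)."""
    if value is None:
        return None
    if value == "":
        raise ValueError("ipaddr is '' (empty string); store NULL to mean 'any address'")
    return ipaddress.ip_network(value, strict=False)

def topic_matches(pattern: str, topic: str) -> bool:
    """MQTT topic-filter match: '+' is one level, '#' is the remainder."""
    pat, top = pattern.split("/"), topic.split("/")
    for i, p in enumerate(pat):
        if p == "#":
            return True
        if i >= len(top) or (p != "+" and p != top[i]):
            return False
    return len(pat) == len(top)

def row_matches(row, client) -> bool:
    """A row fits only if each non-NULL who-column equals the client's value."""
    _allow, ipaddr, username, clientid, access, topic = row
    net = parse_cidr(ipaddr)
    if net is not None and ipaddress.ip_address(client["ip"]) not in net:
        return False
    if username is not None and username != client["username"]:
        return False
    if clientid is not None and clientid != client["clientid"]:
        return False
    if access != ACCESS_PUBSUB and access != client["access"]:
        return False
    return topic_matches(topic, client["topic"])

def check_acl(rows, client, nomatch: str = "deny") -> str:
    """First matching row decides; acl_nomatch applies when no row fits."""
    for row in rows:
        if row_matches(row, client):
            return "allow" if row[0] == 1 else "deny"
    return nomatch
```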