ACL consistency
rjbaat opened this issue
Hi, I have set up an EMQ node under Docker.
And added the right ENV vars to connect to MySQL.
Also added the tables and filled in some users.
When anonymous I can't connect. But when using the right user and credentials I can.
But then I have set up some ACL rules. But the system doesn't apply them correctly.
Since I have added -e EMQ_AUTH__MYSQL__ACL_NOMATCH="deny" all the non-matching topics should return a deny, but it isn't. I can pub/sub to all even if there is no ACL rule at all.
docker run -d \
--name emq1 \
-p 18083:18083 \
-p 1883:1883 \
-p 8883:8883 \
-p 4369:4369 \
-p 6000-6020:6000-6020 \
-e EMQ_ADMIN_PASSWORD=**** \
-e EMQ_MQTT__ALLOW_ANONYMOUS=false \
-e EMQ_LOADED_PLUGINS="emq_auth_mysql,emq_recon,emq_modules,emq_retainer,emq_dashboard" \
-e EMQ_AUTH__MYSQL__SERVER=**** \
-e EMQ_AUTH__MYSQL__USERNAME=db_user \
-e EMQ_AUTH__MYSQL__PASSWORD=**** \
-e EMQ_AUTH__MYSQL__DATABASE=db_name \
-e EMQ_AUTH__MYSQL__ACL_NOMATCH="deny" \
-e EMQ_AUTH__MYSQL__PASSWORD_HASH=plain \
-e EMQ_AUTH__MYSQL__AUTH_QUERY="SELECT password FROM mqtt_user WHERE username = '%u' LIMIT 1" \
-e EMQ_AUTH__MYSQL__SUPER_QUERY="select is_superuser from mqtt_user where username = '%u' limit 1" \
-e EMQ_AUTH__MYSQL__ACL_QUERY="select allow, ipaddr, username, clientid, access, topic from mqtt_acl where ipaddr = '%a' or username = '%u' or username = '$all' or clientid = '%c'" \
-e EMQ_NAME="emq1" \
-e EMQ_HOST="127.0.0.1" \
emq:latest
What is going wrong?
I have built it following this guide: https://github.com/emqtt/emq-docker.
Change your EMQ_AUTH__MYSQL__ACL_NOMATCH
to EMQ_MQTT__ACL_NOMATCH
and try again.
I'm sorry the doc is outdated. I'll update it soon.
Ah yes, I will try that! It crossed my mind as well, because I didn't see the param back in the log, so it wasn't picked up on start.
I have installed the latest 3.0.0 EMQTT broker.
With the same table as above.
I can authenticate with the table but the ACL is not working correctly. I can connect to all topics.
I have added the variable: EMQX_MQTT__ACL_NOMATCH = "deny" but that isn't picked up, I think. I don't see it in the logs. What do I do wrong?
Sorry, @rjbaat, the last comment you gave us is too old. Could you please provide the etc/emqx.conf
and the log file, which could help us solve your problem.
Well, I started EMQX with the latest downloaded Docker image. I had it set up with the ENV:
EMQX_MQTT__ACL_NOMATCH: "deny" like stated before.
But I don't think it's picked up.
I don't use an etc/emqx.conf, since I use Docker with ENV.
I have downloaded the file from the Docker container. It's just the default since I didn't change anything. Only using ENV in the docker command.
emqx.conf.txt
And i see there is this part:
## Allow or deny if no ACL rules matched.
##
## Value: allow | deny
acl_nomatch = allow
How do I overwrite this with the correct ENV?
EDIT
Tested with: EMQX_ACL_NOMATCH: "deny" and that gets picked up because I see it in the docker log. But it doesn't work. It's still possible to pub/sub to all topics. I have also tried to remove all the first 7 rows from MySQL. And have set the 1st row to deny.
@gilbert-wong do you have an idea what else can be wrong?
What I tried now is to add an extra ENV and point it to a non-existing file:
EMQX_ACL_FILE: "etc/not-available.conf"
This time it looks like EMQ is respecting the variable:
EMQX_ACL_NOMATCH: "deny"
So has your problem been resolved?
I just encountered the same issue (but with the PGSQL auth plugin). The local ACL file is evaluated before the SQL auth plugin and as the last rule of the default acl file is "{allow, all}", the rules in the database are not evaluated.
Setting the environment variable EMQX_ACL_FILE to a non-existing file like @rjbaat did or to "/dev/null" fixes the issue.
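The two comments above describe the mechanism behind the symptom: the local ACL file is consulted before the SQL ACL plugin, its trailing {allow, all} answers every request, and so the MySQL rows and the acl_nomatch default never get a say. The following Python is an added example written for this thread, not EMQX code or anything from the emq-docker project. It models that evaluation order as a simplified chain (first source with a definite allow/deny wins, otherwise acl_nomatch applies) and evaluates the mqtt_acl rows the way the ACL_QUERY from the first post selects them. The acl.conf rules and table rows are constructed sample data; the column encodings (allow 1/0, access 1 = subscribe, 2 = publish, 3 = pubsub) are assumed from the emq_auth_mysql convention and are not stated in the thread.

```python
# Added example (not EMQX code): simplified model of ACL evaluation order.
# Sources are consulted in sequence; the first definite allow/deny decides,
# and acl_nomatch applies only if every source declines to answer.
from dataclasses import dataclass
from typing import Callable, List, Optional

ALLOW, DENY = "allow", "deny"


@dataclass(frozen=True)
class Client:
    username: str
    clientid: str
    ipaddr: str


def topic_matches(pattern: str, topic: str) -> bool:
    """MQTT topic-filter match: '+' is one level, '#' is the remaining levels."""
    p, t = pattern.split("/"), topic.split("/")
    for i, level in enumerate(p):
        if level == "#":
            return True  # '#' is only valid as the last level and matches the rest
        if i >= len(t):
            return False
        if level != "+" and level != t[i]:
            return False
    return len(p) == len(t)


# Source 1: acl.conf-style rules as (decision, who, access, topic_filter).
# 'who' is "all" or a username; access is "pubsub", "publish" or "subscribe".
# Constructed sample: the stock file ends in a catch-all {allow, all}.
DEFAULT_ACL_FILE = [
    (DENY, "all", "subscribe", "$SYS/#"),  # nobody may subscribe to the broker's $SYS tree
    (ALLOW, "all", "pubsub", "#"),         # trailing {allow, all}: answers everything else
]


def file_acl(rules: list, client: Client, access: str, topic: str) -> Optional[str]:
    for decision, who, acc, pattern in rules:
        if who not in ("all", client.username):
            continue
        if acc not in ("pubsub", access):
            continue
        if topic_matches(pattern, topic):
            return decision
    return None  # no file rule matched: let the next source decide


# Source 2: rows from mqtt_acl, columns as in the thread's ACL_QUERY.
# Assumed encodings: allow 1 = allow, 0 = deny; access 1 = subscribe,
# 2 = publish, 3 = pubsub (emq_auth_mysql convention, not stated on the page).
ACCESS_CODE = {"subscribe": 1, "publish": 2}

# Constructed sample rows: sensor1 may publish under its own subtree,
# everyone ($all) may subscribe to broadcast/#. Nothing else is granted.
ACL_ROWS = [
    {"allow": 1, "ipaddr": None, "username": "sensor1", "clientid": None,
     "access": 2, "topic": "sensors/sensor1/#"},
    {"allow": 1, "ipaddr": None, "username": "$all", "clientid": None,
     "access": 1, "topic": "broadcast/#"},
]


def mysql_acl(rows: list, client: Client, access: str, topic: str) -> Optional[str]:
    for row in rows:
        # Mirrors the WHERE clause: ipaddr = '%a' OR username = '%u'
        # OR username = '$all' OR clientid = '%c'
        selected = (row["ipaddr"] == client.ipaddr or row["username"] == client.username
                    or row["username"] == "$all" or row["clientid"] == client.clientid)
        if not selected or row["access"] not in (3, ACCESS_CODE[access]):
            continue
        if topic_matches(row["topic"], topic):
            return ALLOW if row["allow"] == 1 else DENY
    return None


def check_acl(sources: List[Callable], client: Client, access: str, topic: str,
              nomatch: str = DENY) -> str:
    for source in sources:
        decision = source(client, access, topic)
        if decision is not None:
            return decision
    return nomatch  # acl_nomatch is reached only when no source matched


def evaluate(acl_file_rules: list, acl_rows: list, client: Client, access: str,
             topic: str, nomatch: str = DENY) -> str:
    """File rules first, then the SQL rows, then acl_nomatch. An empty
    acl_file_rules list stands for EMQX_ACL_FILE pointing at a missing file."""
    sources = [
        lambda c, a, t: file_acl(acl_file_rules, c, a, t),
        lambda c, a, t: mysql_acl(acl_rows, c, a, t),
    ]
    return check_acl(sources, client, access, topic, nomatch)


if __name__ == "__main__":
    sensor = Client("sensor1", "c1", "10.0.0.5")
    # With the stock acl.conf the catch-all allows a topic no DB row grants.
    print("default file, publish admin/cmd :", evaluate(DEFAULT_ACL_FILE, ACL_ROWS, sensor, "publish", "admin/cmd"))
    # With the file out of the way, the DB rows and acl_nomatch = deny take effect.
    print("no file,      publish admin/cmd :", evaluate([], ACL_ROWS, sensor, "publish", "admin/cmd"))
    print("no file,      publish own topic :", evaluate([], ACL_ROWS, sensor, "publish", "sensors/sensor1/temp"))
```

Running it shows the first case answering "allow" purely from the trailing file rule, which is the behaviour reported in the thread, and the second case answering "deny" from acl_nomatch once the file no longer pre-empts the SQL plugin.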
EMQX_ACL_NOMATCH: "deny"
does not work for publish with the latest Docker image. It has been written to emqx.conf in the container. But it has no effect.
If enable_acl_cache = on, you need to free the cache.