Re: [mosquitto-dev] How do I have an admin user with ACLs?

Hmm. It's also failing in the same way when I try this rather benign textbook example, with standard username/password authentication and no TLS.

Something seems to be very wrong on my server, but what? I'm using 1.4.15-2ubuntu0.1 amd64.  


root@web01:/etc/mosquitto# cat passwd
Roger:$6$BwKxtlSqxegGlU+l$9NZzsHu3M0ae5wMAoMWnD8zdRjsSfiDXCB1dLLuHKv5iK8uFAzOm/GF+j9V1k+GFFBlMgmWtdBY2Kcj4IdTcxw==
slowbro:$6$kDHuQ2u9jH1msxII$J/9z7d+1j3EoH/L06Qd3tSz4Ng7RWNRWwex0HduuGHlEyBGdW3cyF+lTx2F3d3o6IiLLwJzR5EMBiHrT4ACCbg==
root@web01:/etc/mosquitto# cat mosquitto.conf
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
allow_anonymous false
include_dir /etc/mosquitto/conf.d
root@web01:/etc/mosquitto# cat acls.txt
user Roger
topic readwrite house/P1/#

#Client settings
pattern readwrite house/%C/#
root@web01:/etc/mosquitto# cat conf.d/acl.conf
acl_file /etc/mosquitto/acls.txt
root@web01:/etc/mosquitto# cat conf.d/authentication.conf
password_file /etc/mosquitto/passwd
root@web01:/etc/mosquitto# cat conf.d/tls.conf
#cafile /etc/mosquitto/ca_certificates/ca.crt
#keyfile /etc/mosquitto/certs/server.key
#certfile /etc/mosquitto/certs/server.crt
#tls_version tlsv1.2
port 8883
#require_certificate true
#use_identity_as_username false
root@web01:/etc/mosquitto#


root@web01:~# mosquitto_sub --host mqtt01.example.com --port 8883 --username 'slowbro' --pw 'secret' --topic "house/testing/test" --id testing --debug --qos 1 --verbose
Client testing sending CONNECT
Client testing sending CONNECT
Client testing sending CONNECT
^C
root@web01:~# mosquitto_sub --host mqtt01.example.com --port 8883 --username 'Roger' --pw 'secret' --topic "house/P1/test" --id testing --debug --qos 1 --verbose
Client testing sending CONNECT
Client testing received CONNACK
Client testing sending SUBSCRIBE (Mid: 1, Topic: house/P1/test, QoS: 1)
Client testing received SUBACK
Subscribed (mid: 1): 1
Client testing received PUBLISH (d0, q1, r1, m1, 'house/P1/test', ... (13 bytes))
Client testing sending PUBACK (Mid: 1)
house/P1/test Testing 1 2 3
^C
root@web01:~#

Feb 16 22:06:08 web01 mosquitto[29660]: mosquitto version 1.4.15 (build date Wed, 13 Feb 2019 00:27:01 +0000) starting
Feb 16 22:06:08 web01 mosquitto[29660]: Config loaded from /etc/mosquitto/mosquitto.conf.
Feb 16 22:06:08 web01 mosquitto[29660]: Opening ipv4 listen socket on port 8883.
Feb 16 22:06:08 web01 mosquitto[29660]: Opening ipv6 listen socket on port 8883.
Feb 16 22:06:30 web01 mosquitto[29660]: New connection from 127.0.0.1 on port 8883.
Feb 16 22:06:30 web01 mosquitto[29660]: Socket error on client <unknown>, disconnecting.
Feb 16 22:06:31 web01 mosquitto[29660]: New connection from 127.0.0.1 on port 8883.
Feb 16 22:06:31 web01 mosquitto[29660]: Socket error on client <unknown>, disconnecting.
Feb 16 22:06:32 web01 mosquitto[29660]: New connection from 127.0.0.1 on port 8883.
Feb 16 22:06:32 web01 mosquitto[29660]: Socket error on client <unknown>, disconnecting.
Feb 16 22:07:48 web01 mosquitto[29660]: New connection from 127.0.0.1 on port 8883.
Feb 16 22:07:48 web01 mosquitto[29660]: New client connected from 127.0.0.1 as testing (c1, k60, u'Roger').
Feb 16 22:07:48 web01 mosquitto[29660]: Sending CONNACK to testing (0, 0)
Feb 16 22:07:48 web01 mosquitto[29660]: Received SUBSCRIBE from testing
Feb 16 22:07:48 web01 mosquitto[29660]:     house/P1/test (QoS 1)
Feb 16 22:07:48 web01 mosquitto[29660]: testing 1 house/P1/test
Feb 16 22:07:48 web01 mosquitto[29660]: Sending SUBACK to testing
Feb 16 22:07:48 web01 mosquitto[29660]: Sending PUBLISH to testing (d0, q1, r1, m1, 'house/P1/test', ... (13 bytes))
Feb 16 22:07:48 web01 mosquitto[29660]: Received PUBACK from testing (Mid: 1)
Feb 16 22:07:49 web01 mosquitto[29660]: Socket error on client testing, disconnecting.

On Fri, Feb 15, 2019 at 2:50 PM Slow Bro <slowbro904@xxxxxxxxx> wrote:
I am using TLS client certificate authentication. I want unprivileged users to be able to read and write to topics whose root topic node is the serial number of the sending device. (For example, 42ce74c4/checkin_time.) And I need to have one privileged username/certificate which can read and write to any topic. I have require_certificate true, use_identity_as_username true, and allow_anonymous false. 

I have the following pattern, which works fine by itself:
readwrite %u/#

I tried the following settings both above and below that pattern:
topic readwrite #

Where mqtt01.example.com is the FQDN I typed in the CN when registering the server certificate. 

When I do that the client certificate authentication totally fails. It keeps trying to connect and in the logs:
Socket error on client <unknown>, disconnecting 

If I remove the user and topic entries it works. I can read and write to only my user’s topic. Nothing else. But I don’t have the ability to use an admin username/certificate which can read/write all topics. Help?

Configuration and tests below. 



/etc/mosquitto/conf.d/acls.conf:
acl_file /etc/mosquitto/acls.txt


/etc/mosquitto/acls.txt:
pattern readwrite %u/#
user mqtt01.example.com
topic readwrite #


/etc/mosquitto/conf.d/tls.conf:
cafile /etc/mosquitto/ca_certificates/ca.crt
keyfile /etc/mosquitto/certs/server.key
certfile /etc/mosquitto/certs/server.crt
tls_version tlsv1.2
port 8883
require_certificate true
use_identity_as_username true


/etc/mosquitto/mosquitto.conf:
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
allow_anonymous false
include_dir /etc/mosquitto/conf.d



Here's a test using only 'pattern readwrite %u/#' in acls.txt:
root@web01:/root/certs# mosquitto_sub --host mqtt01.example.com --port 8883 --topic "42ce74c4/test" --cafile /root/certs/ca.crt --cert /root/certs/42ce74c4.crt --debug --key /root/certs/42ce74c4.key --qos 1 --verbose
Client mosqsub|27727-web01 sending CONNECT
Client mosqsub|27727-web01 received CONNACK
Client mosqsub|27727-web01 sending SUBSCRIBE (Mid: 1, Topic: 42ce74c4/test, QoS: 1)
Client mosqsub|27727-web01 received SUBACK
Subscribed (mid: 1): 1
Client mosqsub|27727-web01 received PUBLISH (d0, q1, r0, m1, '42ce74c4/test', ... (13 bytes))
Client mosqsub|27727-web01 sending PUBACK (Mid: 1)
42ce74c4/test Testing 1 2 3
^C

I ran this on a second console to receive the "Testing 1 2 3" string above:
root@web01:~# mosquitto_pub --host mqtt01.example.com --port 8883 --topic "42ce74c4/test" --cafile /root/certs/ca.crt --cert /root/certs/42ce74c4.crt --debug --key /root/certs/42ce74c4.key --qos 1 --message "Testing 1 2 3"
Client mosqpub|27728-web01 sending CONNECT
Client mosqpub|27728-web01 received CONNACK
Client mosqpub|27728-web01 sending PUBLISH (d0, q1, r0, m1, '42ce74c4/test', ... (13 bytes))
Client mosqpub|27728-web01 received PUBACK (Mid: 1)
Client mosqpub|27728-web01 sending DISCONNECT
root@web01:~# 

So it works great.


Here, I added the user and topic settings to /etc/mosquitto/acls.txt and restarted the daemon:
root@web01:/root/certs# mosquitto_sub --host mqtt01.example.com --port 8883 --topic "42ce74c4/test" --cafile /root/certs/ca.crt --cert /root/certs/42ce74c4.crt --debug --key /root/certs/42ce74c4.key --qos 1 --verbose
Client mosqsub|27931-web01 sending CONNECT
Client mosqsub|27931-web01 sending CONNECT
Client mosqsub|27931-web01 sending CONNECT
^C
root@web01:/root/certs# 

So it's failing. In the logs:
Feb 15 19:35:26 web01 mosquitto[27929]: mosquitto version 1.4.15 (build date Wed, 13 Feb 2019 00:27:01 +0000) starting
Feb 15 19:35:26 web01 mosquitto[27929]: Config loaded from /etc/mosquitto/mosquitto.conf.
Feb 15 19:35:26 web01 mosquitto[27929]: Opening ipv4 listen socket on port 8883.
Feb 15 19:35:26 web01 mosquitto[27929]: Opening ipv6 listen socket on port 8883.
Feb 15 19:35:28 web01 mosquitto[27929]: New connection from 127.0.0.1 on port 8883.
Feb 15 19:35:28 web01 mosquitto[27929]: Socket error on client <unknown>, disconnecting.
Feb 15 19:35:29 web01 mosquitto[27929]: New connection from 127.0.0.1 on port 8883.
Feb 15 19:35:29 web01 mosquitto[27929]: Socket error on client <unknown>, disconnecting.
Feb 15 19:35:30 web01 mosquitto[27929]: New connection from 127.0.0.1 on port 8883.
Feb 15 19:35:30 web01 mosquitto[27929]: Socket error on client <unknown>, disconnecting.
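Editor's worked example, added to this archived thread (it is not code from the list, from Mosquitto, or from the poster): a small Python evaluator for the two ACL files shown above, following the acl_file semantics documented in mosquitto.conf(5). `topic` lines before any `user` line apply to anonymous clients, lines after `user <name>` apply to that username only, `pattern` lines apply to every client with `%c` replaced by the client id and `%u` by the username (lowercase; the `%C` in the second file is treated as a literal topic level, which the evaluator reports as a warning), and anything not granted is denied. Run against the first file it confirms that `mqtt01.example.com` (the CN of the admin certificate, since `use_identity_as_username true` makes the CN the ACL username) gets read/write on every topic while `42ce74c4` is confined to its own subtree, so the ACL file itself is not what denies the device. It does not explain the failures in the logs: in both failing runs the socket is closed before CONNACK, before any SUBSCRIBE could be checked against the ACL, and in both runs the failing user is the one with no `user` section of its own. Two choices are this example's own, not documented Mosquitto behaviour: a subscription filter is matched as a literal string (so `house/#` is not covered by `house/P1/#`), and a username or client id containing `+` or `#` disables pattern substitution for it, a hardening that matters when the username is taken from a certificate CN that the CA, not the broker, controls. The ACL text and identities below are copied or constructed from the thread. One separate observation on the second run: the TLS lines in tls.conf are commented out, so the listener on 8883 is plain TCP and the password passed with --pw crosses the network in clear.

```python
"""Offline evaluator for Mosquitto-style acl_file rules (added example, not Mosquitto code).

Documented semantics modelled (mosquitto.conf(5), acl_file):
  * `topic [read|write|readwrite] <filter>` before any `user` line: anonymous clients only;
    after `user <name>`: that username only.
  * `pattern [read|write|readwrite] <filter>`: every client, %c -> client id, %u -> username.
  * Nothing matched -> denied.
Assumptions made here: a subscription filter is checked as a literal string, and a
%c/%u value containing '+' or '#' disables that pattern (hardening added in this example).
"""
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    access: str   # "read", "write" or "readwrite"
    filt: str     # topic filter; may contain + and # wildcards


@dataclass
class AclFile:
    anonymous: list = field(default_factory=list)  # rules before the first `user` line
    users: dict = field(default_factory=dict)      # username -> rules
    patterns: list = field(default_factory=list)   # pattern rules (global)
    warnings: list = field(default_factory=list)


def topic_matches(filt: str, topic: str) -> bool:
    """MQTT filter match: '+' matches exactly one level, '#' matches all remaining levels."""
    fl, tl = filt.split("/"), topic.split("/")
    for i, level in enumerate(fl):
        if level == "#":
            return i == len(fl) - 1  # '#' is only valid as the last level
        if i >= len(tl) or (level != "+" and level != tl[i]):
            return False
    return len(fl) == len(tl)


def parse_acl(text: str) -> AclFile:
    acl, current = AclFile(), None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kw, _, rest = line.partition(" ")
        rest = rest.strip()
        if kw == "user":
            current = rest
            acl.users.setdefault(current, [])
        elif kw in ("topic", "pattern"):
            m = re.fullmatch(r"(read|write|readwrite)\s+(.+)", rest)
            rule = Rule(m.group(1), m.group(2)) if m else Rule("readwrite", rest)  # access defaults to read/write
            if kw == "pattern":
                for tok in re.findall(r"%\w", rule.filt):
                    if tok not in ("%c", "%u"):
                        acl.warnings.append(f"line {lineno}: {tok!r} is not substituted (only %c and %u are)")
                acl.patterns.append(rule)
            elif current is None:
                acl.anonymous.append(rule)
            else:
                acl.users[current].append(rule)
        else:
            acl.warnings.append(f"line {lineno}: unrecognised keyword {kw!r}")
    return acl


def _grants(rule: Rule, filt: str, topic: str, access: str) -> bool:
    return rule.access in (access, "readwrite") and topic_matches(filt, topic)


def allowed(acl: AclFile, username, clientid: str, topic: str, access: str) -> bool:
    """True if a client with this username/client id may `access` ("read"/"write") `topic`."""
    section = acl.anonymous if username is None else acl.users.get(username, [])
    if any(_grants(r, r.filt, topic, access) for r in section):
        return True
    for r in acl.patterns:
        if "%u" in r.filt and username is None:
            continue  # no username to substitute
        values = {"%c": clientid, "%u": username or ""}
        if any(set("+#") & set(v) for k, v in values.items() if k in r.filt):
            continue  # hardening (this example): never substitute a wildcard into a filter
        if _grants(r, r.filt.replace("%c", clientid).replace("%u", username or ""), topic, access):
            return True
    return False


# Constructed copies of the two ACL files posted in the thread.
ADMIN_ACL = "pattern readwrite %u/#\nuser mqtt01.example.com\ntopic readwrite #\n"
HOUSE_ACL = "user Roger\ntopic readwrite house/P1/#\n\n#Client settings\npattern readwrite house/%C/#\n"
HOUSE_ACL_FIXED = HOUSE_ACL.replace("%C", "%c")  # lowercase %c is the documented substitution


def check_thread_cases() -> dict:
    """Decisions for the identities used in the thread (client ids are hypothetical)."""
    admin, house, fixed = parse_acl(ADMIN_ACL), parse_acl(HOUSE_ACL), parse_acl(HOUSE_ACL_FIXED)
    return {
        "device writes its own subtree": allowed(admin, "42ce74c4", "dev1", "42ce74c4/checkin_time", "write"),
        "device reads another device": allowed(admin, "42ce74c4", "dev1", "0badc0de/checkin_time", "read"),
        "admin CN reads any topic": allowed(admin, "mqtt01.example.com", "ops", "0badc0de/checkin_time", "read"),
        "CN '+' cannot widen %u pattern": allowed(admin, "+", "dev1", "0badc0de/checkin_time", "read"),
        "Roger on house/P1": allowed(house, "Roger", "testing", "house/P1/test", "read"),
        "slowbro via literal %C pattern": allowed(house, "slowbro", "testing", "house/testing/test", "read"),
        "slowbro via corrected %c pattern": allowed(fixed, "slowbro", "testing", "house/testing/test", "read"),
    }


if __name__ == "__main__":
    for name, ok in check_thread_cases().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {name}")
    for w in parse_acl(HOUSE_ACL).warnings:
        print("warning:", w)
```

Running it prints one ALLOW/DENY line per case plus the warning about `%C`; the interesting pair is the last two cases, which differ only in the case of the substitution token. To check your own broker's file, read it in place of the constructed strings and call allowed() with the username and client id the broker logs in its "New client connected ... as <id> (..., u'<user>')" line.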
