(ipc): User does not have permission to perform the requested action. AWS_ERROR_NO_PERMISSION(43)
Describe the bug
I initialized a Greengrass core device on Ubuntu-20.04 (version 2) installed on WSL2, then deployed the custom component CoreCarControl locally, and it fails when using IPC.
To Reproduce
Code
try (GreengrassCoreIPCClientV2 clientV2 = GreengrassCoreIPCClientV2.builder().build()) {
} catch (Exception e) {
    if (e.getCause() instanceof UnauthorizedError) {
        outErrorLog("Unauthorized error while publishing to topic: " + updateDeltaTopic);
    } else {
        outErrorLog("Exception occurred when using IPC.");
    }
    e.printStackTrace();
    System.exit(1);
}
Actual behavior
Logs
2023-05-24T10:30:09.751Z [INFO] (pool-2-thread-45) com.iot.aws.arvin.sample.CoreCarControl: shell-runner-start. {scriptName=services.com.iot.aws.arvin.sample.CoreCarControl.lifecycle.Run, serviceName=com.iot.aws.arvin.sample.CoreCarControl, currentState=STARTING, command=["java -Dfile.encoding=utf-8 -jar /greengrass/v2/packages/artifacts-unarchived/c..."]}
2023-05-24T10:30:09.758Z [DEBUG] (pool-2-thread-45) com.iot.aws.arvin.sample.CoreCarControl: Created process with pid 4415. {serviceName=com.iot.aws.arvin.sample.CoreCarControl, currentState=STARTING}
2023-05-24T10:30:09.823Z [INFO] (Copier) com.iot.aws.arvin.sample.CoreCarControl: stdout. UTF-8:中文测试. {scriptName=services.com.iot.aws.arvin.sample.CoreCarControl.lifecycle.Run, serviceName=com.iot.aws.arvin.sample.CoreCarControl, currentState=RUNNING}
2023-05-24T10:30:09.828Z [INFO] (Copier) com.iot.aws.arvin.sample.CoreCarControl: stdout. thingName-----------:Local-USEast1-INDICarTBox_1-One-Basic-9001. {scriptName=services.com.iot.aws.arvin.sample.CoreCarControl.lifecycle.Run, serviceName=com.iot.aws.arvin.sample.CoreCarControl, currentState=RUNNING}
2023-05-24T10:30:09.928Z [WARN] (Copier) com.iot.aws.arvin.sample.CoreCarControl: stderr. Exception occurred when using IPC.. {scriptName=services.com.iot.aws.arvin.sample.CoreCarControl.lifecycle.Run, serviceName=com.iot.aws.arvin.sample.CoreCarControl, currentState=RUNNING}
2023-05-24T10:30:09.929Z [WARN] (Copier) com.iot.aws.arvin.sample.CoreCarControl: stderr. software.amazon.awssdk.crt.CrtRuntimeException: User does not have permission to perform the requested action. AWS_ERROR_NO_PERMISSION(43). {scriptName=services.com.iot.aws.arvin.sample.CoreCarControl.lifecycle.Run, serviceName=com.iot.aws.arvin.sample.CoreCarControl, currentState=RUNNING}
2023-05-24T10:30:09.929Z [WARN] (Copier) com.iot.aws.arvin.sample.CoreCarControl: stderr. at software.amazon.awssdk.crt.eventstream.ClientConnection.connect(ClientConnection.java:174). {scriptName=services.com.iot.aws.arvin.sample.CoreCarControl.lifecycle.Run, serviceName=com.iot.aws.arvin.sample.CoreCarControl, currentState=RUNNING}
2023-05-24T10:30:09.929Z [WARN] (Copier) com.iot.aws.arvin.sample.CoreCarControl: stderr. at software.amazon.awssdk.eventstreamrpc.EventStreamRPCConnection.connect(EventStreamRPCConnection.java:92). {scriptName=services.com.iot.aws.arvin.sample.CoreCarControl.lifecycle.Run, serviceName=com.iot.aws.arvin.sample.CoreCarControl, currentState=RUNNING}
2023-05-24T10:30:09.929Z [WARN] (Copier) com.iot.aws.arvin.sample.CoreCarControl: stderr. at software.amazon.awssdk.aws.greengrass.GreengrassCoreIPCClientV2$Builder.build(GreengrassCoreIPCClientV2.java:1415). {scriptName=services.com.iot.aws.arvin.sample.CoreCarControl.lifecycle.Run, serviceName=com.iot.aws.arvin.sample.CoreCarControl, currentState=RUNNING}
2023-05-24T10:30:09.929Z [WARN] (Copier) com.iot.aws.arvin.sample.CoreCarControl: stderr. at shadow.name.CoreCarControl.begin(CoreCarControl.java:64). {scriptName=services.com.iot.aws.arvin.sample.CoreCarControl.lifecycle.Run, serviceName=com.iot.aws.arvin.sample.CoreCarControl, currentState=RUNNING}
2023-05-24T10:30:09.929Z [WARN] (Copier) com.iot.aws.arvin.sample.CoreCarControl: stderr. at shadow.name.CoreCarControl.main(CoreCarControl.java:36). {scriptName=services.com.iot.aws.arvin.sample.CoreCarControl.lifecycle.Run, serviceName=com.iot.aws.arvin.sample.CoreCarControl, currentState=RUNNING}
2023-05-24T10:30:10.937Z [INFO] (Copier) com.iot.aws.arvin.sample.CoreCarControl: Run script exited. {exitCode=1, serviceName=com.iot.aws.arvin.sample.CoreCarControl, currentState=RUNNING}
2023-05-24T10:30:10.944Z [INFO] (pool-2-thread-44) com.iot.aws.arvin.sample.CoreCarControl: shell-runner-start. {scriptName=services.com.iot.aws.arvin.sample.CoreCarControl.lifecycle.Run, serviceName=com.iot.aws.arvin.sample.CoreCarControl, currentState=STARTING, command=["java -Dfile.encoding=utf-8 -jar /greengrass/v2/packages/artifacts-unarchived/c..."]}
2023-05-24T10:30:10.948Z [DEBUG] (pool-2-thread-44) com.iot.aws.arvin.sample.CoreCarControl: Created process with pid 4449. {serviceName=com.iot.aws.arvin.sample.CoreCarControl, currentState=STARTING}
Environment
- OS: Ubuntu 20.04
- JDK: 11.0.19
- Nucleus version: 2.9.6
Additional context
The core device thing name is: Local-USEast1-INDICarTBox_1-One-Basic-9001
Configuration of the AWS component aws.greengrass.clientdevices.Auth
{
  "reset": [
    ""
  ],
  "merge": {
    "deviceGroups": {
      "formatVersion": "2021-03-05",
      "definitions": {
        "MyDeviceGroup": {
          "selectionRule": "thingName: Local-USEast1-INDICarTBox_1-One-Basic-* OR thingName: Local-USEast1-INDICarIVI_1-One-Basic-*",
          "policyName": "ClientDevicePolicy"
        }
      },
      "policies": {
        "ClientDevicePolicy": {
          "AllowConnect": {
            "statementDescription": "Allow client devices to connect.",
            "operations": [
              "mqtt:connect"
            ],
            "resources": [
              "*"
            ]
          },
          "AllowPublish": {
            "statementDescription": "Allow client devices to publish to all topics.",
            "operations": [
              "mqtt:publish"
            ],
            "resources": [
              "*"
            ]
          },
          "AllowSubscribe": {
            "statementDescription": "Allow client devices to subscribe to all topics.",
            "operations": [
              "mqtt:subscribe"
            ],
            "resources": [
              "*"
            ]
          }
        }
      }
    }
  }
}
Configuration of the custom component CoreCarControl
sudo nano /workspace/component/recipes/com.iot.aws.arvin.sample.CoreCarControl-1.2.0.json
{
  "RecipeFormatVersion": "2020-01-25",
  "ComponentName": "com.iot.aws.arvin.sample.CoreCarControl",
  "ComponentVersion": "1.2.0",
  "ComponentDescription": "A component that with car controller by core devices.",
  "ComponentPublisher": "Arvin",
  "ComponentDependencies": {
    "aws.greengrass.Nucleus": {
      "VersionRequirement": "^2.9.6"
    },
    "aws.greengrass.ShadowManager": {
      "VersionRequirement": "^2.3.2"
    },
    "aws.greengrass.clientdevices.mqtt.Bridge": {
      "VersionRequirement": "^2.2.5"
    }
  },
  "ComponentConfiguration": {
    "DefaultConfiguration": {
      "accessControl": {
        "aws.greengrass.ShadowManager": {
          "com.iot.aws.arvin.sample.CoreCarControl:shadow:1": {
            "policyDescription": "Allows access to core devices' named shadows",
            "operations": [
              "aws.greengrass#GetThingShadow",
              "aws.greengrass#UpdateThingShadow"
            ],
            "resources": [
              "$aws/things/{iot:thingName}/shadow/name/car_control"
            ]
          }
        },
        "aws.greengrass.ipc.pubsub": {
          "com.iot.aws.arvin.sample.CoreCarControl:pubsub:1": {
            "policyDescription": "Allows access to core devices' named shadow updates",
            "operations": [
              "aws.greengrass#SubscribeToTopic"
            ],
            "resources": [
              "$aws/things/{iot:thingName}/shadow/name/car_control/update/delta",
              "$aws/things/{iot:thingName}/shadow/name/car_control/update/accepted"
            ]
          }
        }
      }
    }
  },
  "Manifests": [
    {
      "Platform": {
        "os": "linux"
      },
      "Artifacts": [
        {
          "URI": "s3://greengrass-component-artifacts-us-east-1-389628162885/com.iot.aws.arvin.sample.CoreCarControl/1.2.0/CoreCarControl.zip",
          "Unarchive": "ZIP"
        }
      ],
      "Lifecycle": {
        "Run": "java -Dfile.encoding=utf-8 -jar {artifacts:decompressedPath}/CoreCarControl/CoreCarControl.jar"
      }
    }
  ]
}
Local deployment command
sudo /greengrass/v2/bin/greengrass-cli deployment create \
--recipeDir /workspace/component/recipes/ \
--artifactDir /workspace/component/artifacts/com.iot.aws.arvin.sample.CoreCarControl/1.2.0/ \
--merge "com.iot.aws.arvin.sample.CoreCarControl=1.2.0" \
--update-config '{
"com.iot.aws.arvin.sample.CoreCarControl": {
"RESET": [""]
}
}'
Please try:
sudo chmod 755 /greengrass && sudo chmod 755 /greengrass/v2
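An added diagnostic, not part of the original thread or of the Greengrass project: before applying the chmod above, this shell function lists which directories on the way to the IPC socket withhold the search (x) bit from users who are neither owner nor group member. The function name `blocked_dirs`, the socket path `/greengrass/v2/ipc.socket`, and the premise that the component runs as such a user are assumptions.

```shell
#!/bin/sh
# blocked_dirs TARGET [STOP]
# Walks from TARGET's parent directory up to STOP (default "/") and prints
# "<dir> <octal mode>" for each directory whose "other" permission digit has
# no search (x) bit. Returns 0 if nothing blocks, 1 if something does,
# 2 if stat fails. Uses GNU stat (-c), as shipped on Ubuntu.
blocked_dirs() {
    dir=$(dirname -- "$1")
    stop=${2:-/}
    blocked=""
    while :; do
        mode=$(stat -c '%a' -- "$dir") || return 2
        other=${mode#"${mode%?}"}        # last octal digit = "other" permissions
        case "$other" in
            1|3|5|7) ;;                   # search bit present, traversal allowed
            *) blocked="$dir $mode
$blocked" ;;
        esac
        if [ "$dir" = "$stop" ] || [ "$dir" = "/" ]; then
            break
        fi
        dir=$(dirname -- "$dir")
    done
    printf '%s' "$blocked"
    [ -z "$blocked" ]
}

# Usage (assumed default socket location):
#   blocked_dirs /greengrass/v2/ipc.socket || echo "fix the directories listed above"
```

A directory reported here with mode 700 or 750 stops a non-owner process from reaching the socket no matter what the socket's own mode is.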
Please try:
sudo chmod 755 /greengrass && sudo chmod 755 /greengrass/v2
Thx, it works now.
For the record, in my case this was caused by Docker installed via snap. I had a Java application inside Docker, and while the daemon seemed to work, the app was crashing at runtime with an error like the one above.
After I removed Docker from snap and installed Docker from apt, the problem disappeared. My wild guess is that this is related to the socket privileges of the Docker daemon (IPC socket?).