aws-greengrass/aws-greengrass-nucleus

(ipc): User does not have permission to perform the requested action. AWS_ERROR_NO_PERMISSION(43)

Closed this issue · 3 comments

Describe the bug
I initialized a Greengrass core device on Ubuntu-20.04 (version 2) installed on WSL2, then locally deployed the custom component CoreCarControl, and it fails when using IPC.

To Reproduce
Code

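try (GreengrassCoreIPCClientV2 clientV2 = GreengrassCoreIPCClientV2.builder().build()) {
    // Body omitted in the report. Per the stack trace under "Actual behavior",
    // the exception is thrown by build() while connecting to the nucleus.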
} catch (Exception e) {
    if (e.getCause() instanceof UnauthorizedError) {
        outErrorLog("Unauthorized error while publishing to topic: " + updateDeltaTopic);
    } else {
        outErrorLog("Exception occurred when using IPC.");
    }
    e.printStackTrace();
    System.exit(1);
}

Actual behavior
Logs

2023-05-24T10:30:09.751Z [INFO] (pool-2-thread-45) com.iot.aws.arvin.sample.CoreCarControl: shell-runner-start. {scriptName=services.com.iot.aws.arvin.sample.CoreCarControl.lifecycle.Run, serviceName=com.iot.aws.arvin.sample.CoreCarControl, currentState=STARTING, command=["java -Dfile.encoding=utf-8 -jar /greengrass/v2/packages/artifacts-unarchived/c..."]}
2023-05-24T10:30:09.758Z [DEBUG] (pool-2-thread-45) com.iot.aws.arvin.sample.CoreCarControl: Created process with pid 4415. {serviceName=com.iot.aws.arvin.sample.CoreCarControl, currentState=STARTING}
2023-05-24T10:30:09.823Z [INFO] (Copier) com.iot.aws.arvin.sample.CoreCarControl: stdout. UTF-8:中文测试. {scriptName=services.com.iot.aws.arvin.sample.CoreCarControl.lifecycle.Run, serviceName=com.iot.aws.arvin.sample.CoreCarControl, currentState=RUNNING}
2023-05-24T10:30:09.828Z [INFO] (Copier) com.iot.aws.arvin.sample.CoreCarControl: stdout. thingName-----------:Local-USEast1-INDICarTBox_1-One-Basic-9001. {scriptName=services.com.iot.aws.arvin.sample.CoreCarControl.lifecycle.Run, serviceName=com.iot.aws.arvin.sample.CoreCarControl, currentState=RUNNING}
2023-05-24T10:30:09.928Z [WARN] (Copier) com.iot.aws.arvin.sample.CoreCarControl: stderr. Exception occurred when using IPC.. {scriptName=services.com.iot.aws.arvin.sample.CoreCarControl.lifecycle.Run, serviceName=com.iot.aws.arvin.sample.CoreCarControl, currentState=RUNNING}
2023-05-24T10:30:09.929Z [WARN] (Copier) com.iot.aws.arvin.sample.CoreCarControl: stderr. software.amazon.awssdk.crt.CrtRuntimeException: User does not have permission to perform the requested action. AWS_ERROR_NO_PERMISSION(43). {scriptName=services.com.iot.aws.arvin.sample.CoreCarControl.lifecycle.Run, serviceName=com.iot.aws.arvin.sample.CoreCarControl, currentState=RUNNING}
2023-05-24T10:30:09.929Z [WARN] (Copier) com.iot.aws.arvin.sample.CoreCarControl: stderr. at software.amazon.awssdk.crt.eventstream.ClientConnection.connect(ClientConnection.java:174). {scriptName=services.com.iot.aws.arvin.sample.CoreCarControl.lifecycle.Run, serviceName=com.iot.aws.arvin.sample.CoreCarControl, currentState=RUNNING}
2023-05-24T10:30:09.929Z [WARN] (Copier) com.iot.aws.arvin.sample.CoreCarControl: stderr. at software.amazon.awssdk.eventstreamrpc.EventStreamRPCConnection.connect(EventStreamRPCConnection.java:92). {scriptName=services.com.iot.aws.arvin.sample.CoreCarControl.lifecycle.Run, serviceName=com.iot.aws.arvin.sample.CoreCarControl, currentState=RUNNING}
2023-05-24T10:30:09.929Z [WARN] (Copier) com.iot.aws.arvin.sample.CoreCarControl: stderr. at software.amazon.awssdk.aws.greengrass.GreengrassCoreIPCClientV2$Builder.build(GreengrassCoreIPCClientV2.java:1415). {scriptName=services.com.iot.aws.arvin.sample.CoreCarControl.lifecycle.Run, serviceName=com.iot.aws.arvin.sample.CoreCarControl, currentState=RUNNING}
2023-05-24T10:30:09.929Z [WARN] (Copier) com.iot.aws.arvin.sample.CoreCarControl: stderr. at shadow.name.CoreCarControl.begin(CoreCarControl.java:64). {scriptName=services.com.iot.aws.arvin.sample.CoreCarControl.lifecycle.Run, serviceName=com.iot.aws.arvin.sample.CoreCarControl, currentState=RUNNING}
2023-05-24T10:30:09.929Z [WARN] (Copier) com.iot.aws.arvin.sample.CoreCarControl: stderr. at shadow.name.CoreCarControl.main(CoreCarControl.java:36). {scriptName=services.com.iot.aws.arvin.sample.CoreCarControl.lifecycle.Run, serviceName=com.iot.aws.arvin.sample.CoreCarControl, currentState=RUNNING}
2023-05-24T10:30:10.937Z [INFO] (Copier) com.iot.aws.arvin.sample.CoreCarControl: Run script exited. {exitCode=1, serviceName=com.iot.aws.arvin.sample.CoreCarControl, currentState=RUNNING}
2023-05-24T10:30:10.944Z [INFO] (pool-2-thread-44) com.iot.aws.arvin.sample.CoreCarControl: shell-runner-start. {scriptName=services.com.iot.aws.arvin.sample.CoreCarControl.lifecycle.Run, serviceName=com.iot.aws.arvin.sample.CoreCarControl, currentState=STARTING, command=["java -Dfile.encoding=utf-8 -jar /greengrass/v2/packages/artifacts-unarchived/c..."]}
2023-05-24T10:30:10.948Z [DEBUG] (pool-2-thread-44) com.iot.aws.arvin.sample.CoreCarControl: Created process with pid 4449. {serviceName=com.iot.aws.arvin.sample.CoreCarControl, currentState=STARTING}

Environment

  • OS: Ubuntu 20.04
  • JDK: 11.0.19
  • Nucleus version: 2.9.6

Additional context

The core device thing name is: Local-USEast1-INDICarTBox_1-One-Basic-9001

Configuration of the AWS component aws.greengrass.clientdevices.Auth

{
  "reset": [
    ""
  ],
  "merge": {
    "deviceGroups": {
      "formatVersion": "2021-03-05",
      "definitions": {
        "MyDeviceGroup": {
          "selectionRule": "thingName: Local-USEast1-INDICarTBox_1-One-Basic-* OR thingName: Local-USEast1-INDICarIVI_1-One-Basic-*",
          "policyName": "ClientDevicePolicy"
        }
      },
      "policies": {
        "ClientDevicePolicy": {
          "AllowConnect": {
            "statementDescription": "Allow client devices to connect.",
            "operations": [
              "mqtt:connect"
            ],
            "resources": [
              "*"
            ]
          },
          "AllowPublish": {
            "statementDescription": "Allow client devices to publish to all topics.",
            "operations": [
              "mqtt:publish"
            ],
            "resources": [
              "*"
            ]
          },
          "AllowSubscribe": {
            "statementDescription": "Allow client devices to subscribe to all topics.",
            "operations": [
              "mqtt:subscribe"
            ],
            "resources": [
              "*"
            ]
          }
        }
      }
    }
  }
}

Configuration of the custom component CoreCarControl

sudo nano /workspace/component/recipes/com.iot.aws.arvin.sample.CoreCarControl-1.2.0.json
{
  "RecipeFormatVersion": "2020-01-25",
  "ComponentName": "com.iot.aws.arvin.sample.CoreCarControl",
  "ComponentVersion": "1.2.0",
  "ComponentDescription": "A component that with car controller by core devices.",
  "ComponentPublisher": "Arvin",
  "ComponentDependencies": {
    "aws.greengrass.Nucleus": {
      "VersionRequirement": "^2.9.6"
    },
    "aws.greengrass.ShadowManager": {
      "VersionRequirement": "^2.3.2"
    },
    "aws.greengrass.clientdevices.mqtt.Bridge": {
      "VersionRequirement": "^2.2.5"
    }
  },
  "ComponentConfiguration": {
    "DefaultConfiguration": {
      "accessControl": {
        "aws.greengrass.ShadowManager": {
          "com.iot.aws.arvin.sample.CoreCarControl:shadow:1": {
            "policyDescription": "Allows access to core devices' named shadows",
            "operations": [
              "aws.greengrass#GetThingShadow",
              "aws.greengrass#UpdateThingShadow"
            ],
            "resources": [
              "$aws/things/{iot:thingName}/shadow/name/car_control"
            ]
          }
        },
        "aws.greengrass.ipc.pubsub": {
          "com.iot.aws.arvin.sample.CoreCarControl:pubsub:1": {
            "policyDescription": "Allows access to core devices' named shadow updates",
            "operations": [
              "aws.greengrass#SubscribeToTopic"
            ],
            "resources": [
              "$aws/things/{iot:thingName}/shadow/name/car_control/update/delta",
              "$aws/things/{iot:thingName}/shadow/name/car_control/update/accepted"
            ]
          }
        }
      }
    }
  },
  "Manifests": [
    {
      "Platform": {
        "os": "linux"
      },
      "Artifacts": [
        {
            "URI": "s3://greengrass-component-artifacts-us-east-1-389628162885/com.iot.aws.arvin.sample.CoreCarControl/1.2.0/CoreCarControl.zip",
            "Unarchive": "ZIP"
        }
      ],
      "Lifecycle": {
        "Run": "java -Dfile.encoding=utf-8 -jar {artifacts:decompressedPath}/CoreCarControl/CoreCarControl.jar"
      }
    }
  ]
}

Local deployment command

sudo /greengrass/v2/bin/greengrass-cli deployment create \
  --recipeDir /workspace/component/recipes/ \
  --artifactDir /workspace/component/artifacts/com.iot.aws.arvin.sample.CoreCarControl/1.2.0/ \
  --merge "com.iot.aws.arvin.sample.CoreCarControl=1.2.0" \
  --update-config '{
    "com.iot.aws.arvin.sample.CoreCarControl": {
      "RESET": [""]
    }
  }'

Please try:
sudo chmod 755 /greengrass && sudo chmod 755 /greengrass/v2

Please try: sudo chmod 755 /greengrass && sudo chmod 755 /greengrass/v2

Thx, it works now.
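A diagnostic for the `chmod 755` fix confirmed above, as an added example that is not part of the original thread: it walks from `/` down to the Greengrass root and prints every directory whose mode lacks the traverse (execute) bit for "other", which is the bit `chmod 755` restores on `/greengrass` and `/greengrass/v2`. It assumes the component runs as a non-root user that is neither owner nor group member of those directories; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the issue thread).
# Assumption: the component process runs as a non-root user that is neither
# the owner nor in the group of the directories, so only "other" bits apply.

# other_can_traverse DIR -> exit 0 if DIR has the other-execute bit set.
other_can_traverse() {
    # In the ls mode string (e.g. drwxr-x---), character 10 is the
    # other-execute slot: 'x' or 't' = traversable, '-' or 'T' = not.
    bit=$(ls -ld -- "$1" | cut -c10)
    [ "$bit" = "x" ] || [ "$bit" = "t" ]
}

# blocked_dirs PATH -> prints each existing directory between / and PATH
# (inclusive) that "other" cannot traverse. Exit status 1 if any is found.
blocked_dirs() {
    target=$1
    # Split the absolute path on "/" into positional parameters.
    old_ifs=$IFS
    IFS=/
    set -f
    set -- $target
    set +f
    IFS=$old_ifs

    current=""
    rc=0
    for part in "$@"; do
        [ -n "$part" ] || continue      # skip the empty field before the first "/"
        current="$current/$part"
        [ -d "$current" ] || continue   # ignore missing or non-directory components
        if ! other_can_traverse "$current"; then
            printf '%s\n' "$current"
            rc=1
        fi
    done
    return $rc
}

# Run only when a path is supplied, e.g.: sudo sh check.sh /greengrass/v2
if [ "$#" -gt 0 ]; then
    blocked_dirs "$1"
fi
```

Run it with enough privilege to stat every component; a directory the caller cannot reach is skipped rather than reported.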

For the record, in my case this was caused by Docker installed via snap. I had a Java application inside Docker, and while the daemon seemed to work, the app was crashing at runtime with an error like the one above.

After I removed Docker from snap and installed Docker from apt, the problem disappeared. My wild guess is that this is related to socket privileges of the Docker daemon (IPC socket?).