vernemq/vernemq_dev

Can't authorize a publish with postgres

Closed this issue · 8 comments

I'm trying to implement auth postgres but I can't authorize publishes.

In a desperate attempt I did this:

-- import default hooks and cache logic
require "auth/auth_commons"
-- import shared database query logic
require "auth/postgres_cockroach_commons"

function auth_on_register(reg)
    return auth_on_register_common(postgres, reg)
end

-- permissive stand-in used for every other hook while debugging
function auth_on_pub(pub)
    return true
end

pool = "auth_postgres"
config = {
    pool_id = pool,
}

postgres.ensure_pool(config)
hooks = {
    auth_on_register     = auth_on_register,
    auth_on_publish      = auth_on_pub,
    auth_on_subscribe    = auth_on_pub,
    on_unsubscribe       = auth_on_pub,
    on_client_gone       = auth_on_pub,
    on_client_offline    = auth_on_pub,
    on_session_expired   = auth_on_pub,

    auth_on_register_m5  = auth_on_pub,
    auth_on_publish_m5   = auth_on_pub,
    auth_on_subscribe_m5 = auth_on_pub,
}

but still I get

2021-04-14 11:41:59.467 [error] <0.2866.0>@vmq_mqtt_fsm:auth_on_publish:739 can't auth publish [<<"user2">>,{[],<<"b8:27:eb:09:b1:d3">>},1,[<<"devices">>,<<"B184">>,<<"616">>,<<"data">>],<<219,221,204,207,120,1,1,66,20,40,246>>,false] due to not_authorized

What am I missing? auth_on_register works but the others don't.

@mendess is it possible you ran into the session cache? ACLs are cached upon connect; clients need to disconnect or be administratively re-authorized to trigger a re-loading of ACLs.

I restarted vernemq multiple times; is that enough to evict the cache?

@mendess yes, as this will kill all sessions. But you could just disconnect and re-connect the client.

Is there a good way to debug this? I can't seem to make verne call my functions. I tried adding print statements and still had no success.

@mendess do you have another authorization plugin before the Postgres one? Have you disabled vmq_acl?

I don't think so; this is my vernemq.conf:

allow_anonymous = off
allow_register_during_netsplit = off
allow_publish_during_netsplit = off
allow_subscribe_during_netsplit = off
allow_unsubscribe_during_netsplit = off
allow_multiple_sessions = off
coordinate_registrations = on
max_inflight_messages = 20
max_online_messages = 1000
max_offline_messages = 1000
max_message_size = 0
upgrade_outgoing_qos = off
listener.max_connections = 10000
listener.nr_of_acceptors = 10
listener.tcp.default = 0.0.0.0:8883
listener.vmq.clustering = 0.0.0.0:44053
listener.http.default = 0.0.0.0:8887
systree_enabled = on
systree_interval = 20000
graphite_enabled = off
graphite_host = localhost
graphite_port = 2003
graphite_interval = 20000
shared_subscription_policy = prefer_local
plugins.vmq_passwd = off
plugins.vmq_acl = off
plugins.vmq_diversity = on
plugins.vmq_webhooks = off
plugins.vmq_bridge = off
metadata_plugin = vmq_plumtree
vmq_acl.acl_file = ./etc/vmq.acl
vmq_acl.acl_reload_interval = 10
vmq_passwd.password_file = ./etc/vmq.passwd
vmq_passwd.password_reload_interval = 10
vmq_diversity.script_dir = ./share/lua
vmq_diversity.auth_postgres.enabled = on
vmq_diversity.postgres.host = localhost
vmq_diversity.postgres.port = 5432
vmq_diversity.postgres.user = postgres
vmq_diversity.postgres.password = postgres
vmq_diversity.postgres.database = vernemq_db
vmq_diversity.postgres.ssl = off
vmq_diversity.postgres.password_hash_method = crypt
vmq_diversity.auth_cockroachdb.enabled = off
vmq_diversity.cockroachdb.ssl = on
vmq_diversity.cockroachdb.password_hash_method = bcrypt
vmq_diversity.auth_mysql.enabled = off
vmq_diversity.mysql.password_hash_method = password
vmq_diversity.auth_mongodb.enabled = off
vmq_diversity.mongodb.ssl = off
vmq_diversity.auth_redis.enabled = off
vmq_bcrypt.pool_size = 1
log.console = file
log.console.level = info
log.console.file = ./log/console.log
log.error.file = ./log/error.log
log.syslog = off
log.crash = on
log.crash.file = ./log/crash.log
log.crash.maximum_message_size = 64KB
log.crash.size = 10MB
log.crash.rotation = $D0
log.crash.rotation.keep = 5
nodename = VerneMQ@127.0.0.1
distributed_cookie = vmq
erlang.async_threads = 64
erlang.max_ports = 262144
leveldb.maximum_memory.percent = 70

Okay, I'm sure now that my function is not being called at all; it's only called on client_gone.

The ACLs stored in the database were not enough, and since the default register method caches these, vernemq doesn't look at my functions, only at its cache.
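As an added example (not part of this thread): the row that the default `auth_on_register_common` query for PostgreSQL looks up, with publish and subscribe ACLs that cover the topic from the error log above. The table name and columns follow vmq_diversity's documented default PostgreSQL schema; the username, client id and topic come from the log on this page, and the password value is a constructed placeholder.

```sql
-- crypt()/gen_salt() come from pgcrypto; the config above uses
-- vmq_diversity.postgres.password_hash_method = crypt, which the
-- default Lua query matches with password = crypt($4, password).
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- Default schema queried by vmq_diversity's postgres_cockroach_commons.lua
CREATE TABLE IF NOT EXISTS vmq_auth_acl (
    mountpoint    character varying(10)  NOT NULL,
    client_id     character varying(128) NOT NULL,
    username      character varying(128) NOT NULL,
    password      character varying(128),
    publish_acl   json,
    subscribe_acl json,
    CONSTRAINT vmq_auth_acl_primary_key PRIMARY KEY (mountpoint, client_id, username)
);

-- One row per (mountpoint, client_id, username). The ACL JSON is what
-- auth_on_register caches for the session; auth_on_publish is then
-- answered from that cache, so a publish to a topic not listed here is
-- rejected with not_authorized without the Lua hook being consulted.
WITH x AS (
    SELECT
        ''::text                   AS mountpoint,           -- default mountpoint
        'b8:27:eb:09:b1:d3'::text  AS client_id,            -- from the log line
        'user2'::text              AS username,             -- from the log line
        'CHANGE-ME-placeholder'::text AS password,          -- constructed value
        gen_salt('bf')::text       AS salt,                 -- bcrypt salt for crypt()
        -- least privilege: only the device data topics this client needs
        '[{"pattern": "devices/+/+/data"}]'::json AS publish_acl,
        '[{"pattern": "devices/B184/616/cmd"}]'::json AS subscribe_acl
)
INSERT INTO vmq_auth_acl
    (mountpoint, client_id, username, password, publish_acl, subscribe_acl)
SELECT x.mountpoint, x.client_id, x.username,
       crypt(x.password, x.salt), x.publish_acl, x.subscribe_acl
FROM x
ON CONFLICT (mountpoint, client_id, username) DO UPDATE
    SET password      = EXCLUDED.password,
        publish_acl   = EXCLUDED.publish_acl,
        subscribe_acl = EXCLUDED.subscribe_acl;

-- Check what the broker will load on the next connect of this client
SELECT client_id, username, publish_acl::text, subscribe_acl::text
FROM vmq_auth_acl
WHERE mountpoint = '' AND client_id = 'b8:27:eb:09:b1:d3' AND username = 'user2';
```

Because the ACLs are read only in auth_on_register, the client has to disconnect and reconnect (or the broker restart) after this row changes before the new patterns take effect.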