[dynsec] mosquitto duplicates entries (clients/roles/...) from dynamic-security.json #2601

Closed
AnotherCodeArtist opened this issue Jul 27, 2022 · 4 comments
Labels
Component: mosquitto-broker Status: Completed Nothing further to be done with this issue, it can be closed by the requestor or committer. Type: Bug

@AnotherCodeArtist

I'm using docker image eclipse-mosquitto:2.0.14-openssl, which should be pretty recent; nevertheless, I get the following result:

Although entries in the dynamic-security.json are unique, mosquitto_ctrl returns duplicates for each entry, like:

```
> mosquitto_ctrl -u cedalo  dynsec listRoles
cedalo
cedalo
kafka
kafka
sensor1
sensor1
streamsheets
streamsheets
telegraf
telegraf
```

Which means that these entries are also shown in the management center:

[image: grafik]

There's a similar issue (#2470) reporting that also entries in the config file get duplicated. This, however, seems to be fixed in 2.0.14 (at least it did not happen in the last 15 minutes in my installation).

@ralight
Contributor

ralight commented Aug 5, 2022

I've tried to duplicate this but haven't had any luck so far. Do you have any hints on anything I might be missing?

@AnotherCodeArtist
Author

I've deployed eclipse-mosquitto:2.0.14-openssl along with a self-crafted version of cedalo management center image (since the official one is not current) as separate pods in kubernetes.
In the mosquitto pod, paths /mosquitto/data and /mosquitto/config are bound to a persistent volume. The config file (mosquitto.conf) is:

```
listener 1883

persistence true
persistence_location /mosquitto/data/

plugin /usr/lib/mosquitto_dynamic_security.so
plugin_opt_config_file /mosquitto/data/dynamic-security.json

# MQTT over TLS/SSL
listener 8883
protocol mqtt
require_certificate false
#cafile C:\Dati\mosquitto\ca.crt
certfile /certs/tls.crt
keyfile /certs/tls.key
plugin /usr/lib/mosquitto_dynamic_security.so
plugin_opt_config_file /mosquitto/data/dynamic-security.json
```

The /mosquitto/data therefore also holds a file called mosquitto.db. Could it be that this database also contains (outdated?) client and role information since this file survived the replacement of the container image? Or is there some other place where a cached security configuration could be found?

@ralight
Contributor

ralight commented Aug 16, 2022

Thank you, that was very helpful. The problem is down to the duplicate loading of the dynamic security plugin. It is currently only possible for a plugin that uses $CONTROL messages, such as dynsec, to be loaded once, but the dynsec plugin wasn't catching that error.

In your case, just remove the duplicate plugin entries and it will be fixed. I'll get the code fixed.

@ralight ralight added this to the 2.0.15 milestone Aug 16, 2022
@ralight ralight added the Status: Completed Nothing further to be done with this issue, it can be closed by the requestor or committer. label Aug 16, 2022
@ralight
Contributor

ralight commented Aug 16, 2022

For the 2.0.15 release duplicate plugins are disabled. For 2.1.0 I'll try to think of a different solution.
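
A lint check for the misconfiguration identified in this thread, as an added example that is not part of the original issue or the mosquitto project: it scans a mosquitto.conf for the same plugin path declared more than once and reports where each declaration sits. The function name and the sample config (constructed from the one posted above) are assumptions.

```python
from collections import defaultdict

# Constructed sample reproducing the layout from the report: the same dynsec
# plugin is declared under listener 1883 and again under listener 8883.
SAMPLE_CONF = """\
listener 1883
persistence true
persistence_location /mosquitto/data/
plugin /usr/lib/mosquitto_dynamic_security.so
plugin_opt_config_file /mosquitto/data/dynamic-security.json

# MQTT over TLS/SSL
listener 8883
protocol mqtt
certfile /certs/tls.crt
keyfile /certs/tls.key
plugin /usr/lib/mosquitto_dynamic_security.so
plugin_opt_config_file /mosquitto/data/dynamic-security.json
"""

def find_duplicate_plugins(conf_text):
    """Return {plugin_path: [(line_no, listener), ...]} for every plugin
    path that is declared more than once in a mosquitto.conf."""
    seen = defaultdict(list)
    listener = "(global)"  # directives that appear before any listener line
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment, including commented-out plugins
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "listener":
            listener = value.split()[0] if value else "(unknown)"
        elif key in ("plugin", "auth_plugin"):  # auth_plugin is the older name
            seen[value].append((line_no, listener))
    return {path: locs for path, locs in seen.items() if len(locs) > 1}

def main():
    for path, locs in find_duplicate_plugins(SAMPLE_CONF).items():
        print(f"{path} is loaded {len(locs)} times:")
        for line_no, listener in locs:
            print(f"  line {line_no} (listener {listener})")

if __name__ == "__main__":
    main()
```
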

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 20, 2022