OnClientAuthorize exhook is never invoked #8779

Closed
waj334 opened this issue Aug 23, 2022 · 3 comments

waj334 commented Aug 23, 2022

What happened?

I disabled all of the other authz plugins (just the file-based plugin was enabled by default), thinking that it would have no other choice but to use exhook for authorization requests, but it seems that it will always use the default action instead.

What did you expect to happen?

I expected the broker to fall back to the registered client.authorize exhook before defaulting to the default action set in the configuration.

How can we reproduce it (as minimally and precisely as possible)?

  1. Disable all authz plugins
  2. Add an exhook that implements OnClientAuthorize
  3. Subscribe and/or publish to a topic

Anything else we need to know?

My gRPC handler implements:

  1. OnProviderLoaded: Responds with {Name: "client.authenticate"}, {Name: "client.authorize"}
  2. OnClientAuthenticate: Allows all for now
  3. OnClientAuthorize: Also allows all for now

I am testing the broker using emqtt_bench:
./emqtt_bench pub -t /devices/test/events -h localhost -p 1883 -s 16 -q 0 -c 10 -I 10

1s pub total=254 rate=251.98/sec
1s connect_succ total=5 rate=4.96/sec
2s pub total=926 rate=672.00/sec
2s connect_succ total=9 rate=4.00/sec
3s pub total=1909 rate=983.00/sec
3s connect_succ total=10 rate=1.00/sec

From the dashboard I can see that OnClientAuthenticate is the only hook that is invoked:

image

EMQX version

sysdescr  : EMQX
version   : 5.0.6
datetime  : 2022-08-23T02:14:22.676684500+00:00
uptime    : 27 minutes, 44 seconds

OS version

Docker container:
emqx/emqx:5.0.6

Log files

exhook.servers.1.ssl.enable = EMQX_EXHOOK__SERVERS__1__SSL__ENABLE = false
exhook.servers.1.url = EMQX_EXHOOK__SERVERS__1__URL = "http://emqx-adapter.device.svc.cluster.local:9000"
exhook.servers.1.name = EMQX_EXHOOK__SERVERS__1__NAME = emqx_adpater
rpc.port_discovery = EMQX_RPC__PORT_DISCOVERY = manual
log.file_handlers.default.enable = EMQX_LOG__FILE_HANDLERS__DEFAULT__ENABLE = false
log.console_handler.enable = EMQX_LOG__CONSOLE_HANDLER__ENABLE = true
cluster.k8s.suffix = EMQX_CLUSTER__K8S__SUFFIX = svc.cluster.local
cluster.k8s.address_type = EMQX_CLUSTER__K8S__ADDRESS_TYPE = hostname
cluster.k8s.service_name = EMQX_CLUSTER__K8S__SERVICE_NAME = emqx-headless
cluster.k8s.apiserver = EMQX_CLUSTER__K8S__APISERVER = "https://kubernetes.emqx.svc:443"
node.name = EMQX_NODE__NAME = emqx@10.1.5.115
authorization.sources = EMQX_AUTHORIZATION__SOURCES = []
authorization.cache.enable = EMQX_AUTHORIZATION__CACHE__ENABLE = false
authorization.deny_action = EMQX_AUTHORIZATION__DENY_ACTION = disconnect
authorization.no_match = EMQX_AUTHORIZATION__NO_MATCH = allow
Listener ssl:default on :8883 started.
Listener tcp:default on :1883 started.
Listener ws:default on :8083 started.
Listener wss:default on :8084 started.
Listener http:dashboard on :18083 started.
EMQX 5.0.6 is running now!

HJianBo commented Aug 23, 2022

Sorry, this is a bug, as authz rejects unmatched authorization requests. See: https://github.com/emqx/emqx/blob/master/apps/emqx_authz/src/emqx_authz.erl#L367-L380
We will fix it as soon as possible.


waj334 commented Aug 23, 2022

Glad it's not because I'm crazy. Thanks for looking into this!

lafirest pushed a commit to HJianBo/emqx that referenced this issue Aug 31, 2022
HJianBo added this to the 5.0.8 milestone Sep 15, 2022

HJianBo commented Sep 21, 2022

Closing it, as 5.0.8 has been released.
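
The behaviour discussed in this thread, as an added example (a simplified Go model, not EMQX's code and not part of the original issue): a chain of client.authorize callbacks in which the built-in authorizer either answers with no_match itself, so the exhook is never invoked, or defers to it. The names `Hook`, `Authorize`, `builtinAuthz` and `exhookPolicy`, the ordering of the built-in authorizer before the exhook, and the exhook's topic policy are assumptions made for illustration.

```go
package main

import "fmt"

type Decision string
const Ignore, Allow, Deny Decision = "ignore", "allow", "deny" // Ignore: ask the next hook

// Hook is one named callback on the client.authorize hook point (model type).
type Hook struct {
	Name string
	Fn   func(clientID, topic string) Decision
}

// Authorize stops at the first verdict; noMatch applies only if all hooks ignore.
func Authorize(hooks []Hook, noMatch Decision, clientID, topic string) (Decision, []string) {
	var ran []string // names of the hooks that were actually invoked
	for _, h := range hooks {
		ran = append(ran, h.Name)
		if d := h.Fn(clientID, topic); d != Ignore {
			return d, ran
		}
	}
	return noMatch, ran
}

// builtinAuthz models the built-in authorizer with authorization.sources = [].
// terminal=true: it answers with no_match itself (reported); false: it defers (expected).
func builtinAuthz(terminal bool, noMatch Decision) Hook {
	verdict := Ignore
	if terminal {
		verdict = noMatch
	}
	return Hook{"authz", func(_, _ string) Decision { return verdict }}
}

// exhookPolicy stands in for an OnClientAuthorize handler; constructed own-topic-only policy.
var exhookPolicy = Hook{"exhook", func(clientID, topic string) Decision {
	if topic == "/devices/"+clientID+"/events" {
		return Allow
	}
	return Deny
}}

func main() {
	for _, terminal := range []bool{true, false} {
		d, ran := Authorize([]Hook{builtinAuthz(terminal, Allow), exhookPolicy}, Allow, "test", "/devices/other/events")
		fmt.Printf("terminal=%v verdict=%s hooks run=%v\n", terminal, d, ran)
	}
}
```

With `authorization.no_match = allow`, as in the configuration above, the terminal variant of the model lets through a request that the exhook policy would have denied, which is why a deny-by-default probe is a useful check that an external authorizer is actually being consulted.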
