emqx_authz_mongodb - Mongo 6 - InvalidNamespace #9783
Comments
Hi, I'm facing the same issue.... need help Thanks
Thanks for the report. I have tried to reproduce the issue but failed so far. Both Authentication and Authorization work when I set it up with MongoDB 6 (I use the docker image and start it like this Can you share your configuration for authentication and authorization? This might help me reproduce the issue and solve it.
I think the "filter" parameters might be particularly relevant.
In the authorization setting the filter is {"username":"${username}"} I attach configmap that I use for k8s.
You are getting error code 73, codeName "InvalidNamespace" and errmsg "Failed to parse namespace element" back from the MongoDB server. I'm not 100% sure what this means but my googling indicates that this means that something is incorrectly formatted. See for example this https://stackoverflow.com/questions/60394055/invalid-namespace-specified-mongoose-save-collection . Can you check the .Values.mongo_uri string and anything else that you think could be formatted incorrectly? One thing that differs in my config (attached) compared to yours is that I have not configured a replica set but just a single server so the issue might be related to that.
In your config it looks like one of the filters is broken between two lines. This looks a bit suspicious but I don't think this is the issue since the filter looks alright in the error message.
Hi, I see in your cluster-override.conf.txt you use:
Thank you. I will try to reproduce the issue again with other values for those parameters.
I have still not managed to reproduce this unfortunately. I have tried with replicaset, no_match = "deny", and have set up rules for a user to be both denied and allowed to publish and subscribe for different topics. All seems to work as expected when I publish to the different topics. When I publish to the denied topic I get the following in the
I even verified on the MongoDB side that the right queries are sent for authentication and authorization. @mattiabenin You wrote in the issue report that you tested with EMQX 5.0.14. I did my test with a recent checkout of the master branch which is a few commits ahead of 5.0.14. I don't think anything has changed that affects this issue but I could have missed something. It would be great if you could test with the recent master and see if that makes any difference? If you don't want to build by yourself, there is a recent build for different platforms here: https://github.com/emqx/emqx/actions/runs/3958201321 Look under Artifacts at the bottom of the page. It is very difficult to find the problem if I can't reproduce it locally. If it is not fixed in the master branch you could try to simplify your environment (preferably with docker-compose or something that is easy for me to replicate) and describe in precise steps what I should do to reproduce the issue. Thank you for the collaboration.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
I am facing same issue.
EMQX: 5.0.15 with MongoDB 6 Authentication & Authorization login OK with only admin user. General user (including readwrite permission) login failed. But after login with admin user for DB mqtt ACL filter not working.
EMQX: 5.0.15 journalctl -u emqx /var/log/emqx/emqx.log.1
@amin-is thanks for the information. Just to be sure that I recreate the exact same environment as you have when trying to reproduce the issue, can you also provide information about how you start MongoDB and the EMQX config that you use for authentication and authorization (if you configure using the web UI you can find the config in data/configs/cluster-override.conf).
@amin-is I have tried to reproduce the problem with the exact same versions that you use EMQX: 5.0.15 and MongoDB: 6.0.4. I have also tried to set up MongoDB with an admin user and a normal read write user as you describe. EMQX can authenticate to the database with the admin user but not as the normal user (so this is similar to what you report). However, both authentication and authorization seem to work without any problem so something must still be different between our environments. I have also checked that the MongoDB command that EMQX is sending to MongoDB looks the same in my set up to the command that I can see is failing in your log file. Can you check your MongoDB logs? Maybe there is some problem with your MongoDB set up that causes the InvalidNamespace error? I run MongoDB in docker like this:
And then connect to it with mongosh like this to add the documents and collections:
Can you try to do the same and check if it is working? If it is working with this MongoDB set up then we can conclude that there is something that differs with your original MongoDB setup that causes the Authorization problem (in which case you can send me details about how you set up MongoDB so that I can reproduce the same set up). I believe that not being able to log in to MongoDB as a normal (non-admin user) is a separate issue that probably has to do with MongoDB changing how authentication works in version 5. I can investigate if that is the case but the Authorization problem seems more serious to me so I would really like to understand how to reproduce that so that it could be fixed. As I have written previously in this issue, the best would be if someone could provide a bulletproof way for reproducing this (e.g., a docker-compose file that can be used to recreate the issue). @mattiabenin @lucabrambilla00 have you made any progress with this issue or is this still a problem for you?
@kjellwinblad I have tried on my Debian 11 OS [EMQX: 5.0.15 + MongoDB: 6.0.4] without enabling MongoDB authorization in I short-out some error
My Finding is.. Waiting for Solutions...
Hello, I have no good news, I tried with your build artifact and then I tried also with EMQX 5.0.15 with MongoDB 6.0.3-debian-11-r0 but I received the same error. I see in the EMQX dashboard Authentication and Authorization connected. I try to connect to MongoDB with root users and with a DB users with read and write permission but I receive the same error code 73 (with default acl configuration "deny"). @kjellwinblad in your mongodb 6 do you configure backwards compatibility (setFeatureCompatibilityVersion)?
Not explicitly at least. I use the official MongoDB Docker image started like this (so I only use default settings):
@amin-is :
This is very interesting. So what you are saying is that with "Debian 11 OS [EMQX: 5.0.15 + MongoDB: 6.0.4] without enabling MongoDB authorization in /etc/mongod.conf " both Authentication and Authorization work without problem but when authorization is enabled in
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
@lina50 Thank you for the clear instructions.
I have managed to reproduce the issue now and am now working on finding a fix. The reason that I did not manage to reproduce it before is probably that I did not enable authentication in mongodb with the
When configuring mongodb authorization the mongodb connector crashed with the following error in the log file. The reason is that the collection name that was sent to the mongodb connection was an atom. This is fixed by making sure it is not an atom. An even better fix would probably be to figure out why the configuration data for the connection has the collection stored as an atom and fix the issue at the source.
2023-03-08T17:16:34.215523+01:00 [error] msg: query_mongo_error, mfa: emqx_authz_mongodb:authorize/4, line: 95, peername: 127.0.0.1:53212, clientid: client123, collection: mqtt_acl, filter: #{username => <<"emqx_u">>}, reason: {resource_error,#{msg => #{error => {error,{error_cannot_parse_response,{op_msg_response,#{<<"code">> => 73,<<"codeName">> => <<"InvalidNamespace">>,<<"errmsg">> => <<"Failed to parse namespace element">>,<<"ok">> => 0.0}}}},id => <<"emqx_authz_mongodb:3">>,name => call_query,request => {find,mqtt_acl,#{username => <<"emqx_u">>},#{}},stacktrace => [{mc_connection_man,reply,1,[{file,"mc_connection_man.erl"},{line,123}], ...]}, reason => exception}}, resource_id: <<"emqx_authz_mongodb:3">>
Fixes: emqx#9783
I have a PR with a fix here: #10098
This fixes a crash with an error in the log file (see below) that happened when the MongoDB authorization module queried the database. The reason is that the collection name that was sent to the mongodb connection was an atom. This is fixed by making sure it is not an atom.
2023-03-08T17:16:34.215523+01:00 [error] msg: query_mongo_error, mfa: emqx_authz_mongodb:authorize/4, line: 95, peername: 127.0.0.1:53212, clientid: client123, collection: mqtt_acl, filter: #{username => <<"emqx_u">>}, reason: {resource_error,#{msg => #{error => {error,{error_cannot_parse_response,{op_msg_response,#{<<"code">> => 73,<<"codeName">> => <<"InvalidNamespace">>,<<"errmsg">> => <<"Failed to parse namespace element">>,<<"ok">> => 0.0}}}},id => <<"emqx_authz_mongodb:3">>,name => call_query,request => {find,mqtt_acl,#{username => <<"emqx_u">>},#{}},stacktrace => [{mc_connection_man,reply,1,[{file,"mc_connection_man.erl"},{line,123}], ...]}, reason => exception}}, resource_id: <<"emqx_authz_mongodb:3">>
Fixes: emqx#9783
PR merged into master so this will be fixed in the next release
Environment
Description
I configure EMQX security authentication and authorization with MongoDB.
Authentication works correctly.
For authorization, I see this error in the logs when I try to subscribe to an auth topic. I receive the same error when I try to publish.
2023-01-16T16:50:38.418673+00:00 [error] clientid: mqttx_f4031173, collection: mqtt_acl_external, filter: #{username => <<"test">>}, line: 95, mfa: emqx_authz_mongodb:authorize/4, msg: query_mongo_error, peername: 10.206.0.5:14435, reason: {resource_error,#{msg => #{error => {error,{error_cannot_parse_response,{op_msg_response,#{<<"$clusterTime">> => #{<<"clusterTime">> => {mongostamp,1,1673887828},<<"signature">> => #{<<"hash">> => {bin,bin,<<179,150,62,241,200,75,160,112,75,109,68,138,84,57,24,11,192,39,234,118>>},<<"keyId">> => 7186970566845267971}},<<"code">> => 73,<<"codeName">> => <<"InvalidNamespace">>,<<"errmsg">> => <<"Failed to parse namespace element">>,<<"ok">> => 0.0,<<"operationTime">> => {mongostamp,1,1673887828}}}}},id => <<"emqx_authz_mongodb:3">>,name => call_query,request => {find,mqtt_acl_external,#{username => <<"test">>},#{}},stacktrace => [{mc_connection_man,reply,1,[{file,"mc_connection_man.erl"},{line,123}]},{mc_connection_man,read,4,[{file,"mc_connection_man.erl"},{line,34}]},{mc_worker_api,find,2,[{file,"mc_worker_api.erl"},{line,288}]},{poolboy,transaction,3,[{file,"poolboy.erl"},{line,84}]},{emqx_connector_mongo,on_query,3,[{file,"emqx_connector_mongo.erl"},{line,239}]},{emqx_resource_worker,apply_query_fun,7,[{file,"emqx_resource_worker.erl"},{line,639}]},{emqx_resource_worker,do_flush,2,[{file,"emqx_resource_worker.erl"},{line,459}]},{gen_statem,loop_state_callback,11,[{file,"gen_statem.erl"},{line,1203}]},{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,226}]}]},reason => exception}}, resource_id: <<"emqx_authz_mongodb:3">>
The document of collection:
{
"username": "test",
"permission": "allow",
"action": "all",
"topics": ["topicp1/topicp2"]
}
I tried the same configuration with MongoDB version 4.4.X and it all works.
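Added example (not EMQX code and not part of the original thread): a log triage helper that finds `query_mongo_error` entries carrying `InvalidNamespace` and reports whether the collection in the `request => {find,...}` term was printed as an atom, the condition the fix in this thread describes. The sample lines are constructed and shortened from the log format quoted above; the second one, with a binary collection name, is hypothetical.

```python
import re

# Constructed sample lines, shortened from the log format quoted in this thread.
SAMPLE_LOG = [
    '2023-03-08T17:16:34.215523+01:00 [error] msg: query_mongo_error, '
    'clientid: client123, collection: mqtt_acl, reason: {resource_error,#{msg => '
    '#{error => {error,{error_cannot_parse_response,{op_msg_response,'
    '#{<<"code">> => 73,<<"codeName">> => <<"InvalidNamespace">>}}}},'
    'request => {find,mqtt_acl,#{username => <<"emqx_u">>},#{}}}}}',
    # Hypothetical line: same error code, but the collection is already a binary.
    '2023-03-08T17:20:00.000000+01:00 [error] msg: query_mongo_error, '
    'clientid: client456, collection: mqtt_acl, reason: {resource_error,#{msg => '
    '#{error => {error,{error_cannot_parse_response,{op_msg_response,'
    '#{<<"code">> => 73,<<"codeName">> => <<"InvalidNamespace">>}}}},'
    'request => {find,<<"mqtt_acl">>,#{username => <<"emqx_u">>},#{}}}}}',
    '2023-03-08T17:21:00.000000+01:00 [info] msg: client_connected, clientid: client789',
]

# Second element of the printed `request => {find,<collection>,...}` tuple:
# an Erlang binary (<<"name">>), a bare atom, or a single-quoted atom.
REQUEST_RE = re.compile(
    r"request => \{find,(<<\"[^\"]*\">>|[a-z][A-Za-z0-9_@]*|'[^']*')")
CLIENT_RE = re.compile(r"clientid: ([^,\s]+)")


def classify_collection(term):
    """Return 'binary' for <<"name">>, 'atom' for a bare or quoted atom."""
    return "binary" if term.startswith('<<"') else "atom"


def triage(lines):
    """Return one finding per query_mongo_error line with InvalidNamespace."""
    findings = []
    for line in lines:
        if "query_mongo_error" not in line or '<<"InvalidNamespace">>' not in line:
            continue
        req = REQUEST_RE.search(line)
        client = CLIENT_RE.search(line)
        term = req.group(1) if req else None
        findings.append({
            "clientid": client.group(1) if client else None,
            "collection": term.strip("<>\"'") if term else None,
            "collection_type": classify_collection(term) if term else "unknown",
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A finding with `collection_type` of `atom` matches the failure pattern explained in the thread; a `binary` finding means the same MongoDB error has a different cause and needs separate investigation.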