Questions about auth_on_publish hook #312

Closed
EnCl opened this issue Mar 17, 2017 · 15 comments

@EnCl

commented Mar 17, 2017

Environment

  • VerneMQ Version: 1.0.0rc2
  • OS: Linux Docker container

Expected behavior

  • I should be able to publish a message with a client authenticated with auth_on_register hook.

Actual behaviour

  • I can't publish a message with an authenticated client if auth_on_publish hook is not set

Details

I enabled the auth_on_register hook in my VerneMQ instance. When an MQTT client
connects to VerneMQ, a POST message is sent to an endpoint I use.
The endpoint then returns the 200 code and a JSON-encoded payload like this:
{"result":"ok","modifiers":{"mountpoint":"newmountpoint","client_id":"1234567","clean_session":false,"max_message_size":65535,"max_message_rate":100,"max_inflight_messages":100,"retry_interval":100,"upgrade_qos":false}}

I want to publish a message using the same MQTT client which was previously authenticated by the auth_on_register hook.
If the auth_on_publish hook is not configured then I'm receiving an error "Client is not connected (32104)".

In the logs I see:

2017-03-17 11:07:33.860 [error] <0.448.0>@vmq_mqtt_fsm:auth_on_publish:651 can't auth publish [<<"ABC231">>,{[],<<"bf67a931a18640efb50d1cec4052fb22">>},2,[<<"AAA">>,<<"BBB">>,<<"CCC">>,<<"endpointid">>,<<"12345">>,<<"status">>],<<"online">>,false] due to no_matching_hook_found
2017-03-17 11:07:33.860 [warning] <0.448.0>@vmq_ranch:teardown:127 [<0.448.0>] session stopped abnormally due to 'publish_not_authorized_3_1_1'

If I configure the auth_on_publish hook then everything is fine and I can publish with success.

My question is:
Is auth_on_publish mandatory in order to publish a message using a client already authenticated by the auth_on_register hook?
Can we disable this?

I want only one authentication using the auth_on_register hook and then be able to publish messages using this client.

Thank You

@ioolkos

Contributor

commented Mar 17, 2017

Hi @EnCl
yes, the situation you describe is like that by design.

auth_on_register is authentication.
auth_on_publish is authorization.

For example, you might want to allow a client to register (and subscribe), but not publish.

So, yes, the auth_on_publish is mandatory, but if you really want to "disable" it, you can basically implement it and give back OK every time to wave through every publish.

@EnCl

Author

commented Mar 17, 2017

Hi @ioolkos

Thank you for your answer.

The name auth_on_publish is misleading. I thought this was also an authentication.
Is what you wrote above documented somewhere?
Besides what I can find at http://vernemq.com/docs/plugindevelopment/webhookplugins.html#webhook-specs, is there any other page where I can find details about the hooks? In the near future I will need to use other hooks and I might have more questions.

@ioolkos

Contributor

commented Mar 17, 2017

Strictly speaking, you are right, auth can implicitly refer to authentication and/or authorization in the naming of the hooks. I'll make a note to myself to add a note about that. Apologies for the resulting possible friction.

Other than the Webhooks guide, there is the general Plugin dev guide http://vernemq.com/docs/plugindevelopment/ which also applies to Webhooks.

Glad to hear about your future plans, we'll happily answer more questions about hooks anytime.

@EnCl

Author

commented Mar 17, 2017

Ok, appreciate your help.

Closing issue.

@EnCl EnCl closed this Mar 17, 2017

@jeremylink

commented Mar 20, 2017

I have a question about the "by design" comment.

This implies that if using WebHooks, then EVERY single message has to go to the HTTP server. Even if the server just issues an OK response, the latency being introduced here could be significant on a heavily loaded broker and HTTP server.

Is that right?

@ioolkos

Contributor

commented Mar 20, 2017

Hi @jeremylink, thanks for your question.
Yes, you're correct. That's why there's also a cache for that... :) https://github.com/erlio/vernemq/blob/master/apps/vmq_webhooks/src/vmq_webhooks_cache.erl

@larshesel any more details needed on the cache?

@larshesel

Contributor

commented Mar 20, 2017

Yes, the docs are here https://github.com/erlio/vernemq/tree/master/apps/vmq_webhooks#caching. I forgot to move them to vernemq.com - will try to get that done this week and add a little bit more detail.

@jeremylink

commented Mar 20, 2017

Yeah, I remember seeing the bit about the cache and forgetting about it since it "wasn't" needed...

@larshesel

Contributor

commented Mar 21, 2017

The cache docs have now been moved to the official docs: http://vernemq.com/docs/plugindevelopment/webhookplugins.html#caching
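
The split discussed earlier in this thread (auth_on_register authenticates, auth_on_publish authorizes every publish) together with the webhook cache, as an added example that is not part of the thread or of the VerneMQ code base: an endpoint that applies a per-client topic policy to auth_on_publish instead of answering OK to everything, and lets the broker cache allowed decisions. The `vernemq-hook` request header, the `{"result": ...}` bodies and the `cache-control: max-age` response header follow the VerneMQ webhook documentation; the policy table, TTL and listen address are assumptions.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed policy (hypothetical): topic prefixes each client_id may publish to.
PUBLISH_PREFIXES = {"1234567": ["AAA/BBB/CCC/"]}
CACHE_SECONDS = 60  # assumed TTL for cached "allow" answers

OK = {"result": "ok"}
DENY = {"result": {"error": "not_allowed"}}


def decide(hook, req):
    """Return (response_body, cacheable) for one webhook call."""
    client = req.get("client_id")
    if hook == "auth_on_register":
        # Authentication. Stand-in for a real credential check.
        return (OK if client in PUBLISH_PREFIXES else DENY), False
    if hook == "auth_on_publish":
        # Authorization: may this connected client write to this topic?
        topic = req.get("topic", "")
        allowed = any(topic.startswith(p)
                      for p in PUBLISH_PREFIXES.get(client, []))
        # Only allowed decisions are marked cacheable.
        return (OK if allowed else DENY), allowed
    # Any hook this endpoint does not implement fails closed.
    return DENY, False


class Hook(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        req = json.loads(self.rfile.read(length) or b"{}")
        body, cacheable = decide(self.headers.get("vernemq-hook", ""), req)
        data = json.dumps(body).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        if cacheable:
            self.send_header("cache-control", f"max-age={CACHE_SECONDS}")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Hook).serve_forever()
```

A cached allow stays in effect until its max-age expires, so the TTL bounds how long a revoked permission keeps working.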

@ioolkos

Contributor

commented May 23, 2018

@leopucci re-opening as per your request.

@ioolkos ioolkos reopened this May 23, 2018

@leopucci

commented May 23, 2018

Thanks @ioolkos, I was going to open another one as this is related to MySQL, but as you've helped me, here it goes :)

Environment

  • VerneMQ Version: 1.3.0
  • OS: .el7.centos
  • Erlang/OTP version (if building from source):

plugins.vmq_diversity = on
plugins.vmq_acl = off
plugins.vmq_passwd = off
vmq_diversity.auth_mysql.enabled = on
vmq_diversity.mysql.host = 127.0.0.1
vmq_diversity.mysql.port = 3306
vmq_diversity.mysql.user = vernemq
vmq_diversity.mysql.password = vernemq
vmq_diversity.mysql.database = vernemq_db

Expected behavior

Be able to use auth_on_publish with mysql

Actual behaviour

Adding cache_insert - auth_on_publish hook is not called

cache_insert(
    reg.mountpoint,
    reg.client_id,
    reg.username,
    publish_acl,
    subscribe_acl
)

Removing cache_insert (my intention) - auth_on_publish is called but return ok does not work.

-- cache_insert(
-- reg.mountpoint,
-- reg.client_id,
-- reg.username,
-- publish_acl,
-- subscribe_acl
-- )

So after removing the cache_insert, auth_on_publish begins being called, but it does not work.
It prints the log, but the publish is not made on the proper topic

function auth_on_publish(pub)
    log.info("PUCCI AUTH_ON_PUBLISH")
    return true
end

I want to be able to alter the message in Lua, using auth_on_publish.
But as detailed, when the function is enabled, for some reason I can't publish anything... or maybe I can publish but I can't subscribe to be able to read.
Any hints on some command with which I can detail the publish and subscribe? The logs do not present a thing.

Thanks
Pucci

@leopucci

commented May 23, 2018

Seems that I have solved it.

I've disabled the unnecessary hooks. Seems that they were not so unnecessary.
After I enabled them, publish and subscribe began to work again.

on_unsubscribe = on_unsubscribe,
on_client_gone = on_client_gone,
on_client_offline = on_client_offline

Thanks
Pucci

@leopucci

commented May 23, 2018

Almost there..

Now I can access the data, but cannot change the topic, message, etc.

@leopucci

commented May 23, 2018

So now I am able to receive auth_on_publish info,

but I am not able to alter the content.

Any Lua tips?
Thanks, Pucci

function auth_on_publish(pub)
    if pub.topic == "TEST" then
        -- trying to change the content response...
        pub.payload = "HELLO WORLD BACK"
        pub.topic = "TESTNEW"
        log.info("PUCCI AUTH_ON_PUBLISH - TOPIC TEST")
    end
    return true
end

@leopucci

commented May 23, 2018

Solved: return {topic = "TESTNEW"}

@larshesel larshesel closed this May 25, 2018
