Cannot subscribe when using MQTT Over Websockets Over TLS #255

akshayvaji opened this issue Dec 23, 2022 · 22 comments

Comments

@akshayvaji

Getting the below while trying to connect MQTT Over Websockets Over TLS:

mosquitto_sub -h 127.0.0.1 -p 8084 -d -t testtopic -u test -P password
Client null sending CONNECT
Client null sending CONNECT
Client null sending CONNECT
Client null sending CONNECT
Client null sending CONNECT
Client null sending CONNECT
Client null sending CONNECT

@iegomez
Owner

iegomez commented Dec 23, 2022

Sorry, that's too little information to do anything about it.

@akshayvaji
Author

#MQTT Over Websockets Over TLS
listener 8084
protocol websockets
certfile /etc/mosquitto/cert/crt.crt
cafile /etc/mosquitto/cert/pem.ca
keyfile /etc/mosquitto/cert/key.key
tls_version tlsv1.2
log_type debug
log_type error
log_type warning
log_type notice
log_timestamp true
autosave_interval 1800
allow_anonymous false
plugin /etc/mosquitto/go-auth.so
auth_opt_backends mysql
auth_opt_retry_count 5
auth_opt_mysql_allow_native_passwords true
auth_opt_mysql_dbname dbname
auth_opt_mysql_user username
auth_opt_mysql_password password
auth_opt_mysql_userquery select password_hash from test_user where username = ? limit 1
auth_opt_mysql_superquery select count(*) from test_user where username = ? and is_admin = 1
auth_opt_mysql_aclquery SELECT topic FROM test_acl WHERE (username = ?) AND rw = ?
auth_opt_log_level file
auth_opt_log_file /var/log/mosquitto-auth.log

I am able to connect on port 1883 with the mqtt protocol, but not able to connect with websockets (wss). Above is the configuration for wss.

@iegomez
Owner

iegomez commented Dec 28, 2022

@akshayvaji I meant more like do you have any logs, what have you tried, do websockets over TLS work with plain Mosquitto (i.e., without the plugin), etc.

I'm sorry but I don't have the time to grab your configuration and try to run it to see if I hit any of the problems you may be facing. What I can do is point out something that looks odd, like for example you have auth_opt_log_level file in your conf, but that isn't right: log level is not the same as log destination. The options for the former are debug, info, warn, error, fatal, panic, and if none or a wrong one are provided, then it defaults to info, which is not too helpful to debug your issue. This is all documented in the README.

@akshayvaji
Author

@iegomez Thanks for pointing it out. But it did not help.

Added below into the conf.

auth_opt_log_level debug
auth_opt_log_dest file
auth_opt_log_file /var/log/mosquitto-auth.log

It shows data when connecting with plain Mosquitto on 1883, as below, but nothing shows for websockets:

time="2022-12-29T08:44:48+08:00" level=debug msg="checking user Jasmine with backend Mysql"
time="2022-12-29T08:44:48+08:00" level=debug msg="user Jasmine authenticated with backend Mysql"
time="2022-12-29T08:44:48+08:00" level=debug msg="Superuser check with backend Mysql"
time="2022-12-29T08:44:48+08:00" level=debug msg="Acl check with backend Mysql"
time="2022-12-29T08:44:48+08:00" level=debug msg="user Jasmine acl authenticated with backend Mysql"
time="2022-12-29T08:44:48+08:00" level=debug msg="Acl is true for user Jasmine"

websockets over TLS work with plain Mosquitto (i.e., without the plugin), etc.

Yes, it worked without the plugin

@iegomez
Owner

iegomez commented Dec 29, 2022

If it works with plain Mosquitto but not with the plugin, are you sure you're setting expected fields in your websocket client?
The broker may be more liberal about e.g. a null clientid, but the plugin is not in some cases: https://github.com/iegomez/mosquitto-go-auth/blob/master/auth-plugin.c#L132

I'm not saying that's the actual issue since, again, I can't debug your own app, but you might want to take a look at that given your original report mentioned Client null sending CONNECT.

@akshayvaji
Author

akshayvaji commented Jan 5, 2023

Thanks for the reply, it's working now.

But while I am now able to subscribe, I am unable to publish for ACL-configured users:

Denied PUBLISH from mqttx_e647dd95 (d0, q1, r1, m27149, 'Hiloo', ... (0 bytes))

4 - subscribe
2 - write
1 - read

Trying to restrict to specific topics for non-superusers.

How to authorize users to have publish privilege with the values mentioned above? I tried with 4, 2 and 1, no luck.

@iegomez
Owner

iegomez commented Jan 5, 2023

@akshayvaji I'd need to see the actual data you're trying to publish and your DB records to check if your ACL query is doing what it needs to do.

That said, this is most likely not an issue with the plugin and instead something specific to your app logic. So though I might help with spotting obvious errors, I must insist that you need to debug your app and only post an issue when you think there might be a real problem with the plugin. Docs are up to date and there are plenty of closed issues that might be related; please try to go through those first when you hit a problem.

@akshayvaji
Author

akshayvaji commented Jan 6, 2023

@iegomez

What is the value we get for " ? " in the below query?

SELECT topic FROM acl WHERE (username = ?) AND rw = ?

What is passed as the argument? Able to subscribe, but still denying publishing.

My query: auth_opt_mysql_aclquery select test_acl.topic from test_acl join test_user on test_user_id=test_user.id where test_user.username = ? AND ( test_acl.rw = 3 OR test_acl.rw = ? )

@iegomez
Owner

iegomez commented Jan 6, 2023

The positional arguments, i.e. the first ? is the username and the second is acc as given by Mosquitto depending on if the user is trying to read, publish or subscribe (see https://github.com/iegomez/mosquitto-go-auth#acl-access-values).

@akshayvaji
Author

@iegomez I tried value 4, able to subscribe, but how to use both write and subscribe?

When I use only write, which is 2, I am not able to subscribe. No connection was made.

@iegomez
Owner

iegomez commented Jan 9, 2023

Again, I'd need to see how you modeled your data and the actual records you have, I can't guess what you're doing.

@akshayvaji
Author

@iegomez this is the data structure:

mysql> SELECT * FROM test_user;
+----+----------+---------------------------------------------------------------------+-------+
| id | username | pw                                                                  | super |
+----+----------+---------------------------------------------------------------------+-------+
|  1 | user1    | PBKDF2$sha256$901$x8mf3JIFTUFU9C23$Mid2xcgTrKBfBdye6W/4hE3GKeksu00+ |     1 |
|  2 | user     | PBKDF2$sha256$901$XPkOwNbd05p5XsUn$1uPtR6hMKBedWE44nqdVg+2NPKvyGst8 |     0 |
+----+----------+---------------------------------------------------------------------+-------+

mysql> SELECT * FROM test_acl;
+----+----------+-------------------+----+
| id | username | topic             | rw |
+----+----------+-------------------+----+
|  1 | user     | topic/#           |  4 |
|  2 | user     | topic/#           |  2 |
+----+----------+-------------------+----+

auth_opt_mysql_aclquery SELECT topic FROM test_acl WHERE (username = ?) AND rw = ?

Thanks

@iegomez
Owner

iegomez commented Jan 10, 2023

I tried value 4 , able to subscribe, but how to use both write and subscribe
When I use only write which is 2, I am not able to subscribe. No connection was made

That should work just fine given you're trying to subscribe or write to topic/whatever with username user. If you're doing something else, then 🤷 cause your second sentence is not clear enough: do you mean when only having a record for 2 and not 4 you're unable to subscribe? Because that would be expected, but a connection being established or not shouldn't depend on it.

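As an added illustration (not code from the plugin or from anyone in the thread), this Python script replays the ACL lookup discussed above against the posted test_acl rows: it binds the same two positional parameters (username, acc) that the owner describes, then matches the returned topic patterns against the requested topic with MQTT wildcard rules. The in-memory SQLite stand-in for MySQL, the topic matcher and the sample topics are assumptions made for this demo.

```python
import sqlite3

# Access values the plugin passes as the second positional argument
# (per the plugin README's "ACL access values"): 1 read, 2 write, 3 readwrite, 4 subscribe.
MOSQ_ACL_READ, MOSQ_ACL_WRITE, MOSQ_ACL_READWRITE, MOSQ_ACL_SUBSCRIBE = 1, 2, 3, 4

# The aclquery from the thread; '?' placeholders are bound to (username, acc).
ACL_QUERY = "SELECT topic FROM test_acl WHERE (username = ?) AND rw = ?"

# Constructed rows mirroring the test_acl table posted above.
ACL_ROWS = [(1, "user", "topic/#", 4), (2, "user", "topic/#", 2)]


def topic_matches(pattern, topic):
    """Mosquitto-style match of a topic against an ACL pattern:
    '+' matches exactly one level, a trailing '#' matches the remainder."""
    p, t = pattern.split("/"), topic.split("/")
    for i, level in enumerate(p):
        if level == "#":
            return True
        if i >= len(t) or (level != "+" and level != t[i]):
            return False
    return len(p) == len(t)


def build_db():
    """In-memory SQLite stand-in for the MySQL backend (assumption for this demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE test_acl (id INTEGER, username TEXT, topic TEXT, rw INTEGER)")
    conn.executemany("INSERT INTO test_acl VALUES (?, ?, ?, ?)", ACL_ROWS)
    return conn


def check_acl(conn, username, topic, acc):
    """Replay of the backend's check: bind (username, acc), then grant only if
    some returned topic pattern matches the requested topic."""
    rows = conn.execute(ACL_QUERY, (username, acc)).fetchall()
    return any(topic_matches(row[0], topic) for row in rows)


if __name__ == "__main__":
    db = build_db()
    # Mosquitto checks 4 on the SUBSCRIBE packet, 2 on an incoming PUBLISH,
    # and 1 before delivering each message to a subscriber; with only rows
    # for 4 and 2, the read check fails and the subscriber receives nothing.
    cases = [(MOSQ_ACL_SUBSCRIBE, "subscribe", "topic/#"),
             (MOSQ_ACL_WRITE, "publish", "topic/sensor"),
             (MOSQ_ACL_READ, "read", "topic/sensor")]
    for acc, action, topic in cases:
        print(f"user {action} {topic}: {check_acl(db, 'user', topic, acc)}")
```
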
@akshayvaji
Author

@iegomez can I subscribe and publish? both together?

In my env, publish is only possible if it's a superuser. Any idea?

I am sorry for many questions

@iegomez
Owner

iegomez commented Jan 10, 2023

You can do whatever your data allows you to do. What you're presenting shows a scenario where user may do both those actions in any topics following the topic/# pattern.

You really need to pull logs and do some serious debugging if you are experiencing issues with that data, we're just blindly guessing otherwise.

@akshayvaji
Author

@iegomez

Auth log:

time="2023-01-10T10:35:30+08:00" level=debug msg="Acl check with backend Mysql"
time="2023-01-10T10:35:30+08:00" level=debug msg="Acl is false for user user"

Mosquitto log:

1673318123: Sending CONNACK to mqttx_e647dd95 (0, 0)
1673318123: Received SUBSCRIBE from mqttx_e647dd95
1673318123: topic/# (QoS 0)
1673318123: Sending SUBACK to mqttx_e647dd95
1673318130: Denied PUBLISH from mqttx_e647dd95 (d0, q0, r1, m0, 'Hiloo', ... (0 bytes))

I am not getting any other details.

@iegomez
Owner

iegomez commented Jan 10, 2023

Sorry, not much I can do on my side but suggest a few debugging steps. Off the top of my head:

  • Maybe tweak the query to always accept any acc value to discard some issue there.
  • Try a different version of Mosquitto with the same conf to see if that may have any part on the issue.
  • Clone the repo and add some of your own logging to see what's being passed in every step of the check.
  • Etc., etc., basically whatever you may come up with to narrow down the problem.

@akshayvaji
Author

@iegomez

Write means publish, right?

So if I apply value 2, it would publish?

@iegomez
Owner

iegomez commented Jan 11, 2023

Yes, publish means write.

@akshayvaji
Author

akshayvaji commented Jan 12, 2023

@iegomez

Subscription value 4 is working for me, so I think the SQL query is correct, since I am able to subscribe to the topic without any issues.

Values 1 and 2 are not working; do you think it's an issue with Mosquitto? I tried versions 2.0.14 and 2.0.15, getting the same error on both.

For Write and Read, it always shows "Denied PUBLISH from mqttx_e647dd95 (d0, q0, r1, m0, 'Hi MC', ... (0 bytes))".

It never grants write permission for the user; if it's a superuser it works.

@iegomez
Owner

iegomez commented Jan 12, 2023

I don't know, maybe try a different backend to discard that option.
Btw, I'm going on vacation and won't be responding until February. Sorry and good luck.

@iegomez
Owner

iegomez commented Feb 17, 2023

Were you able to fix your problem?
I'm doing some house cleaning on issues and would like to know if this is ready to be closed or needs more thought.
