VerneMQ can't load acl file due to enoent

Hi All

I am running a VerneMQ Docker container with authorization and authentication using files, following the documentation page Auth using files - VerneMQ.

My Docker container command is:

docker run -p 1883:1883 -p 8888:8888 -e "DOCKER_VERNEMQ_LISTENER__TCP__ALLOWED_PROTOCOL_VERSIONS=3,4,5" -e "DOCKER_VERNEMQ_ACCEPT_EULA=yes" -e "DOCKER_VERNEMQ_ALLOW_ANONYMOUS=off" -e "DOCKER_VERNEMQ_PLUGINS__VMQ_PASSWD=on" -e "DOCKER_VERNEMQ_VMQ_PASSWD__PASSWORD_FILE=/opt/scats/vernemq/vmqscats.passwd" -e "DOCKER_VERNEMQ_VMQ_PASSWD__PASSWORD_RELOAD_INTERVAL=10" -e "DOCKER_VERNEMQ_PLUGINS__VMQ_ACL=on" -e "DOCKER_VERNEMQ_VMQ_ACL__ACL_FILE=/opt/scats/vernemq/vmqscats.acl" -e "DOCKER_VERNEMQ_VMQ_ACL__ACL_RELOAD_INTERVAL=10" -e "SHARED_SUBSCRIPTION_POLICY=prefer_local" -e "DOCKER_VERNEMQ_VMQ_WEBHOOKS__POOL_timeout=6000" -e "DOCKER_VERNEMQ_VMQ_WEBHOOKS.pool_timeout=60000" -e "DOCKER_VERNEMQ_LEVELDB__MAXIMUM_MEMORY__PERCENT=40" -e "DOCKER_VERNEMQ_LISTENER__TCP__DEFAULT__MAX_CONNECTIONS=200000" -e DOCKER_VERNEMQ_LOG__CONSOLE=both -e "DOCKER_VERNEMQ_LOG__CONSOLE__LEVEL=debug" -e "LOG_CONSOLE_FILE=/opt/scats/log/vernemq.log" -e "LOG_ERROR_FILE=/opt/scats/log/vernemq_error.log" -d vernemq/vernemq &

When I check “/etc/vernemq/vernemq.conf” inside the VerneMQ Docker container, it shows the correct arguments. Please see vernemq.conf:

########## Start ##########
vmq_webhooks.pool_timeout=60000
vmq_acl.acl_file=/opt/scats/vernemq/vmqscats.acl
log.console.level=debug
accept_eula=yes
vmq_acl.acl_reload_interval=10
leveldb.maximum_memory.percent=40
listener.tcp.allowed_protocol_versions=3,4,5
plugins.vmq_passwd=on
vmq_passwd.password_file=/opt/scats/vernemq/vmqscats.passwd
listener.tcp.default.max_connections=200000
log.console=both
vmq_webhooks.pool_timeout=6000
allow_anonymous=off
plugins.vmq_acl=on
vmq_passwd.password_reload_interval=10
erlang.distribution.port_range.minimum = 9100
erlang.distribution.port_range.maximum = 9109
listener.tcp.default = 172.17.0.2:1883
listener.ws.default = 172.17.0.2:8080
listener.vmq.clustering = 172.17.0.2:44053
listener.http.metrics = 172.17.0.2:8888
########## End ##########

When I look into /log/console.config, it gives this error:

2022-03-31 11:33:00.326 [error] <0.508.0> can't load acl file "/opt/scats/vernemq/vmqscats.acl" due to enoent
2022-03-31 11:33:02.569 [debug] <0.270.0>@vmq_swc_store:handle_info:464 Replica meta5: Can't initialize AE exchange due to no peer available
2022-03-31 11:33:03.464 [debug] <0.306.0>@vmq_swc_store:handle_info:464 Replica meta9: Can't initialize AE exchange due to no peer available

My vmqscats.acl file contains one line:
topic #

Can you please let me know what I am doing wrong.

Thank you for your help and support.

2 Likes

If I disable ACL (plugins.vmq_acl=off, i.e. -e “DOCKER_VERNEMQ_PLUGINS__VMQ_ACL=off”), then I do not get the error can’t load acl file “/opt/scats/vernemq/vmqscats.acl” due to enoent.

But my Java client cannot connect to the VerneMQ broker. I get the error: Connection lost (32109) - java.net.SocketException: Connection reset
If I set allow_anonymous=on (-e “DOCKER_VERNEMQ_ALLOW_ANONYMOUS=on”), it works fine.

Here is the content of my vmqscats.passwd file:
advancecomsumer:$6$36ANp3jy/QTSSWXk$uFR3B8I+Zd7VxxNxTktZYl46u/UgHjgulIfmsbplvghTk6ta46qwBY8rj3XPjmBriOXu3hrQKDFyp497WTW0Rw==
traff:$6$dxIm3XSMWN0r5kAb$CQkOORBdGXbmdeheBgmknD7B5S8q6Y5N/caR7jrC5V94sOAlPd92s2kI6f2vCCdEUTKPb9Fy82i73jC2my1Vgg==
advancepublisher:$6$2xVtiZnpvs7hruAJ$CiHDn4utZy0VyQCpRmWjg4jf8VTXuNSbHBIdMkuPauM6/wKjf7VeaZNCK/CYQ7l8pSaZVcdX+Iof70Dac1T/wQ==

Here is my Java client code:

```java
import java.nio.charset.StandardCharsets;
import org.eclipse.paho.mqttv5.client.IMqttToken;
import org.eclipse.paho.mqttv5.client.MqttClient;
import org.eclipse.paho.mqttv5.client.MqttConnectionOptions;

// Paho MQTT v5 client. brokerURL, clientId, persistence, keepAliveInterval
// and config are fields initialised elsewhere in the application.
mqttClient = new MqttClient(brokerURL, clientId, persistence);
connOpts = new MqttConnectionOptions();
connOpts.setCleanStart(true); // no persistent session
// Only the last keep-alive value takes effect; the earlier 180/15 calls
// were overridden by this one.
connOpts.setKeepAliveInterval(keepAliveInterval);
connOpts.setConnectionTimeout(180);
connOpts.setAutomaticReconnect(true);

String userId = config.getValue("userId");
String password = config.getValue("password");

// Credentials are sent only when both values are configured.
if (userId != null && password != null) {
    connOpts.setUserName(userId);
    connOpts.setPassword(password.getBytes(StandardCharsets.UTF_8));
}

iMqttToken = mqttClient.connectWithResult(connOpts);
iMqttToken.waitForCompletion();
```

Can you please let me know what I am doing wrong.

Thank you for your help and support.
Regards, Bao

1 Like

VerneMQ has Authentication plugins, and Authorization plugins.

Authentication implements the auth_on_register hook.
Authorization implements the auth_on_publish and the auth_on_subscribe hooks.

A plugin can also implement all 3 hooks; it is then an Authentication&Authorization plugin.

vmq_passwd is an example of an Authentication plugin. vmq_acl is an example of an Authorization plugin.

You can switch off Authentication (by setting allow_anonymous=on) but you can never switch off Authorization. That is, you need at least 1 Authorization plugin running.

In your case the request fails because there is no Authorization plugin running.

2 Likes

Hi @afa

Thank you for your explanation.
I can now connect with Authentication and Authorization.
If I put only topic # in my vmqscats.acl file, all Java clients and the MQTT Explorer tool can publish and subscribe.

However, if I update the vmqscats.acl file to contain the entries listed below, my Java client, which logs in as advancecomsumer, authenticates correctly but cannot subscribe to messages from topics sp/moc/#.

Can you please let me know what I am doing wrong.
Thank you for your help and support.

Regards, Bao

==== vmqscats.acl ======
user ‘scatsadmin’
topic read #

user ‘advancepublisher’
topic read|write sp/moc/#

user ‘advancecomsumer’
topic read sp/moc/#forum-announcements

1 Like

Here’s the documentation: Auth using files - VerneMQ

It seems it does a bad job explaining file based ACLs?
Therefore, let me comment on your example:

==== vmqscats.acl ====== → invalid comment line

user ‘scatsadmin’ / user ‘advancepublisher’ / user ‘advancecomsumer’ → invalid username, do not use quotes

topic read|write sp/moc/# → read|write is not a valid format. Use read or write. If you want both read and write to apply, you can write topic sp/moc/#!

topic read sp/moc/#forum-announcements → not a valid topic format. You can only use # as the last topic level.

You are also missing an ACL for anonymous users (or all users). It should be added before the user ACLs.
Here’s your example in a format that should work:

topic read unusedtopic
user scatsadmin
topic read #
user advancepublisher
topic sp/moc/#
user advancecomsumer
topic read sp/moc/forum-announcements/#

1 Like
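The file-format rules afa lists above, as an added example that is not code from VerneMQ or from this thread: a small Python validator and access checker for a vmq_acl file. It assumes the file contains only user, topic and # comment lines (no pattern lines) and that the leading section before any user line applies to every client.

```python
# Constructed samples (assumption: only user/topic/# lines; no "pattern" lines).
BROKEN_ACL = """==== vmqscats.acl ======
user 'advancepublisher'
topic read|write sp/moc/#
topic read sp/moc/#forum-announcements
"""
FIXED_ACL = """topic read unusedtopic
user advancepublisher
topic sp/moc/#
user advancecomsumer
topic read sp/moc/forum-announcements/#
"""
def parse_acl(text):
    """Parse vmq_acl text into ({user: [(access, filter)]}, errors); "" = leading section."""
    acl, errors, who = {"": []}, [], ""
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank or '#' comment line
        if parts[0] == "user" and len(parts) == 2:
            who = parts[1]
            if who[0] in "'\"" or who[-1] in "'\"":
                errors.append(f"line {n}: do not quote the username: {who}")
            acl.setdefault(who, [])
        elif parts[0] == "topic" and len(parts) in (2, 3):
            access, filt = (parts[1] if len(parts) == 3 else "both"), parts[-1]
            levels = filt.split("/")
            if access not in ("read", "write", "both"):
                errors.append(f"line {n}: access must be read or write: {access}")
            elif any("#" in l and (l != "#" or i < len(levels) - 1)
                     for i, l in enumerate(levels)):
                errors.append(f"line {n}: '#' must be the whole last level: {filt}")
            else:
                acl[who].append((access, filt))
        else:
            errors.append(f"line {n}: not a user/topic/comment line: {raw.strip()}")
    return acl, errors

def filter_matches(filt, topic):
    """MQTT matching: '+' is one level, '#' covers all remaining levels."""
    f, t = filt.split("/"), topic.split("/")
    for i, lvl in enumerate(f):
        if lvl == "#": return True
        if i >= len(t) or lvl not in ("+", t[i]): return False
    return len(f) == len(t)

def allowed(acl, user, access, topic):
    """Global (leading) rules first, then the named user's own rules."""
    rules = acl.get("", []) + acl.get(user, [])
    return any(a in (access, "both") and filter_matches(f, topic) for a, f in rules)
```

Running parse_acl on BROKEN_ACL reports all four problems from the thread, while FIXED_ACL parses cleanly and grants advancecomsumer read access only below sp/moc/forum-announcements.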

Hi @afa

Thank you very much for the quick and valuable reply.
My Java publish and subscribe applications can now connect to the secured VerneMQ broker with file-based authentication and authorization enabled.

Thank you very much for your wonderful help

Can you please advise on securing a VerneMQ broker cluster (3 instances) using file-based auth: should I mount the vmq_passwd and vmq_acl files in a central location for the VerneMQ broker cluster to use?

Thank you for your help and support.

Regards, Bao

1 Like