When I looked into /log/console.config, it gives an error of
2022-03-31 11:33:00.326 [error] <0.508.0> can't load acl file "/opt/scats/vernemq/vmqscats.acl" due to enoent
2022-03-31 11:33:02.569 [debug] <0.270.0>@vmq_swc_store:handle_info:464 Replica meta5: Can't initialize AE exchange due to no peer available
2022-03-31 11:33:03.464 [debug] <0.306.0>@vmq_swc_store:handle_info:464 Replica meta9: Can't initialize AE exchange due to no peer available
If I disable ACL
plugins.vmq_acl=off
-e "DOCKER_VERNEMQ_PLUGINS__VMQ_ACL=off"
Then I do not get an error of can't load acl file "/opt/scats/vernemq/vmqscats.acl" due to enoent
But my Java client can not connect to VerneMQ Broker. I get an error of vernemq get an error of Connection lost (32109) - java.net.SocketException: Connection reset 32109
If I set allow_anonymous=on or -e "DOCKER_VERNEMQ_ALLOW_ANONYMOUS=on", it works fine.
Here is content in my vmqscats.passwd file
advancecomsumer:$6$36ANp3jy/QTSSWXk$uFR3B8I+Zd7VxxNxTktZYl46u/UgHjgulIfmsbplvghTk6ta46qwBY8rj3XPjmBriOXu3hrQKDFyp497WTW0Rw==
traff:$6$dxIm3XSMWN0r5kAb$CQkOORBdGXbmdeheBgmknD7B5S8q6Y5N/caR7jrC5V94sOAlPd92s2kI6f2vCCdEUTKPb9Fy82i73jC2my1Vgg==
advancepublisher:$6$2xVtiZnpvs7hruAJ$CiHDn4utZy0VyQCpRmWjg4jf8VTXuNSbHBIdMkuPauM6/wKjf7VeaZNCK/CYQ7l8pSaZVcdX+Iof70Dac1T/wQ==
Here is my Java Client code
mqttClient = new MqttClient(brokerURL, clientId, persistence);
connOpts = new MqttConnectionOptions();
connOpts.setCleanStart(true); //no persistent session
connOpts.setKeepAliveInterval(180);
connOpts.setKeepAliveInterval(15);
connOpts.setConnectionTimeout(180);
connOpts.setAutomaticReconnect(true);
VerneMQ has Authentication plugins, and Authorization plugins.
Authentication implements the auth_on_register hook.
Authorization implements the auth_on_publish and the auth_on_subscribe hooks.
A plugin can also implement all 3 hooks; it is then an Authentication&Authorization plugin.
vmq.passwd is an example of an Authentication plugin. vmq_acl is an example of an Authorization plugin.
You can switch off Authentication (by setting allow_anonymous=on) but you can never switch off Authorization. That is, you need at least 1 Authorization plugin running.
In your case the request fails because there is no Authorization plugin running.
Thank you for your explanation.
I can now connect with Authentication and Authorization.
If I put topic # only in my vmqscats.acl file, all Java clients and the MQTT Explorer tool can publish and subscribe.
However, if I update the vmqscats.acl file to contain the entries listed below, my Java client, which logs in as advancecomsumer, can authenticate correctly but cannot subscribe to messages from topics sp/moc/#.
Can you please let me know what I am doing wrong.
Thank you for your help and support.
Regards, Bao
==== vmqscats.acl ======
user "scatsadmin"
topic read #
user "advancepublisher"
topic read|write sp/moc/#
It seems it does a bad job explaining file based ACLs?
Therefore, let me comment on your example:
==== vmqscats.acl ====== -> invalid comment line
user "scatsadmin" / user "advancepublisher" / user "advancecomsumer" -> invalid username, do not use quotes
topic read|write sp/moc/# -> read|write is not a valid format. Use read or write. If you want both read and write to apply, you can write topic sp/moc/#!
topic read sp/moc/#forum-announcements -> not a valid topic format. You can only use # as the last topic level.
You also miss an ACL for anonymous users (or all users). It should be added before the user ACLs.
Here's your example in a format that should work:
topic read unusedtopic
user scatsadmin
topic read #
user advancepublisher
topic sp/moc/#
user advancecomsumer
topic read sp/moc/forum-announcements/#
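Added example, not part of the original thread and not VerneMQ's own code: a small linter that applies the rules listed in the reply above to an ACL file before it is mounted into the broker. The function name lint_acl, the treatment of lines starting with # as comments, and the sample input (rebuilt from the lines the reply quotes) are assumptions; it only knows user and topic lines.

```python
# Constructed sample: the posted file, rebuilt from the lines the reply quotes.
POSTED_ACL = """==== vmqscats.acl ======
user "scatsadmin"
topic read #
user "advancepublisher"
topic read|write sp/moc/#
user "advancecomsumer"
topic read sp/moc/#forum-announcements
"""
# The corrected file from the reply.
FIXED_ACL = """topic read unusedtopic
user scatsadmin
topic read #
user advancepublisher
topic sp/moc/#
user advancecomsumer
topic read sp/moc/forum-announcements/#
"""

def lint_acl(text):
    """Return (line_number, message) findings; line 0 means a file-level finding."""
    findings, seen_user, global_rules = [], False, 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment line
            continue
        keyword, rest = (line.split(None, 1) + [""])[:2]
        if keyword == "user":
            seen_user = True
            if not rest or any(q in rest for q in "\"'\u201c\u201d"):
                findings.append((n, "invalid username, do not use quotes"))
        elif keyword == "topic":
            parts = rest.split(None, 1)
            topic = parts[1] if len(parts) == 2 and parts[0] in ("read", "write") else rest
            levels = topic.split("/")
            if len(parts) == 2 and "|" in parts[0]:
                findings.append((n, "use read or write, or omit both for read and write"))
            elif not topic:
                findings.append((n, "missing topic"))
            elif any("#" in lv and (lv != "#" or i != len(levels) - 1)
                     for i, lv in enumerate(levels)):
                findings.append((n, "# is only valid as the last topic level"))
            elif not seen_user:
                global_rules += 1  # a rule before any user line applies to all users
        else:
            findings.append((n, "unrecognized line"))
    if seen_user and global_rules == 0:
        findings.append((0, "no topic rule for all users before the first user line"))
    return findings
```

Calling lint_acl(POSTED_ACL) reports every line the reply comments on plus the missing all-users rule, while lint_acl(FIXED_ACL) returns an empty list.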
Thank you very much for the quick and valuable reply.
I am able to connect my Java publish and subscribe applications to the secure VerneMQ Broker with Authentication and Authorization enabled using file base.
Thank you very much for your wonderful help
Can you please advise: to secure a VerneMQ Broker cluster (3 instances) using file base, should I mount the vmq.passwd and vmq_acl files in a central location for the VerneMQ Broker cluster to use?