GithubHelp home page GithubHelp logo

ACL Ambigious about volantmq HOT 3 CLOSED

arihantdaga avatar arihantdaga commented on June 15, 2024
ACL Ambigious

from volantmq.

Comments (3)

troian avatar troian commented on June 15, 2024

  1. Auth subsystem designed to be flexible. The main idea is each listener may have own auth list and it's order. Generally, if two different auth backends can authenticate the same user with different credentials it's a security pothole. Such a case shall not be considered.
    If you have a user with rights to subscribe/publish to any topic (for example using simpleAuth) this user shall have a good password and other auth backends with this listener must not have the user with the same name.
    Regarding storing a reference to the auth backend: I'm not sure it is a good idea though it provides the right use case as you mentioned. I'll give this problem a little think.

  2. if e := s.permissions.ACL(s.id, "", pkt.Topic(), vlauth.AccessWrite); e != vlauth.StatusAllow that's a bug. The user should be in there.

from volantmq.

arihantdaga avatar arihantdaga commented on June 15, 2024

Hi @troian I tried to fix it here #169. Let me know your opinion.
Also because of this -

volantmq/cmd/volantmq/auth.go

Lines 38 to 40 in 99c21c3

func (a *simpleAuth) ACL(clientID, user, topic string, access vlauth.AccessType) error {
return vlauth.StatusAllow
}

Simple auth is always allowing by default. I think we'll have to do something if we want to block a user from pub/sub to any topic.
Also this caught my attention -

volantmq/connection/connection.go

Lines 925 to 930 in f15e5d9

case mqttp.QoS0: // QoS 0
// [MQTT-4.3.1]
// [MQTT-4.3.2-4]
// TODO(troian): ignore if publish permissions not validated
if err = s.publishToTopic(pkt); err != nil {
s.log.Error("Couldn't publish message",

This explains why my message passed through even if i set default of simpleAuth to StatusDeny. The message I was publishing was with QOS0
Shall i go ahead trying to fix this ?

from volantmq.

troian avatar troian commented on June 15, 2024

Yes, that's why it called simpleAuth. It is intended to do user/password authentication not pub/sub. So there is nothing to do with it. pub/sub filtering is up to more complex auth backends

Issue you mention is fixed in pr #168

from volantmq.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.