eclipse-mosquitto / mosquitto

Eclipse Mosquitto - An open source MQTT broker
https://mosquitto.org

[dynsec] mosquitto duplicates entries (clients/roles/...) from dynamic-security.json #2601

Closed AnotherCodeArtist closed 2 years ago

AnotherCodeArtist commented 2 years ago

I'm using docker image eclipse-mosquitto:2.0.14-openssl, which should be pretty recent, nevertheless, I get the following result:

Although entries in the dynamic-security.json are unique, mosquitto_ctrl returns duplicates for each entry, like:

> mosquitto_ctrl -u cedalo  dynsec listRoles
cedalo
cedalo
kafka
kafka
sensor1
sensor1
streamsheets
streamsheets
telegraf
telegraf

Which means that these entries are also shown in the management center:


There's a similar issue (#2470) reporting that also entries in the config file get duplicated. This, however, seems to be fixed in 2.0.14 (at least it did not happen in the last 15 minutes in my installation).

ralight commented 2 years ago

I've tried to duplicate this but haven't had any luck so far. Do you have any hints on anything I might be missing?

AnotherCodeArtist commented 2 years ago

I've deployed eclipse-mosquitto:2.0.14-openssl along with a self-crafted version of cedalo management center image (since the official one is not current) as separate pods in kubernetes. In the mosquitto pod, paths /mosquitto/data and /mosquitto/config are bound to a persistent volume. The config file (mosquitto.conf) is:

listener 1883

persistence true
persistence_location /mosquitto/data/

plugin /usr/lib/mosquitto_dynamic_security.so
plugin_opt_config_file /mosquitto/data/dynamic-security.json

# MQTT over TLS/SSL
listener 8883
protocol mqtt
require_certificate false
#cafile C:\Dati\mosquitto\ca.crt
certfile /certs/tls.crt
keyfile /certs/tls.key
plugin /usr/lib/mosquitto_dynamic_security.so
plugin_opt_config_file /mosquitto/data/dynamic-security.json

The /mosquitto/data therefore also holds a file called mosquitto.db. Could it be that this database also contains (outdated?) client and role information since this file survived the replacement of the container image? Or is there some other place where a cached security configuration could be found?

ralight commented 2 years ago

Thank you, that was very helpful. The problem is down to the duplicate loading of the dynamic security plugin. It is currently only possible for a plugin that uses $CONTROL messages, such as dynsec, to be loaded once, but the dynsec plugin wasn't catching that error.

In your case, just remove the duplicate plugin entries and it will be fixed. I'll get the code fixed.
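A pre-flight check for the misconfiguration diagnosed above, added here as an example (it is not mosquitto's own tooling and not code from this thread); it assumes POSIX sh with awk and sed, and the sample config is a constructed copy of the one in the report, with the dynsec plugin listed under both listeners:

```shell
#!/bin/sh
# Constructed sample: the reporter's mosquitto.conf reduced to the lines
# that matter, with the dynsec plugin loaded under both listeners.
SAMPLE_CONF=$(cat <<'EOF'
listener 1883
persistence true
plugin /usr/lib/mosquitto_dynamic_security.so
plugin_opt_config_file /mosquitto/data/dynamic-security.json
listener 8883
plugin /usr/lib/mosquitto_dynamic_security.so
plugin_opt_config_file /mosquitto/data/dynamic-security.json
EOF
)

# Print "<path> <count>" for every plugin shared object loaded more than once.
# Hypothetical helper. Usage: duplicate_plugins <conf-file>
duplicate_plugins() {
    # Strip comments, keep only "plugin"/"auth_plugin" directives (not the
    # plugin_opt_* lines), then count how often each path appears.
    sed 's/#.*//' "$1" \
      | awk '($1 == "plugin" || $1 == "auth_plugin") && NF >= 2 { n[$2]++ }
             END { for (p in n) if (n[p] > 1) print p, n[p] }'
}

# Return 0 when every plugin is loaded at most once, 1 otherwise.
# Versions before 2.0.15 start silently with duplicates, so run this
# before restarting the broker.
check_conf() {
    dups=$(duplicate_plugins "$1")
    if [ -n "$dups" ]; then
        echo "plugin loaded more than once (path count):" >&2
        echo "$dups" >&2
        return 1
    fi
    return 0
}

# Demonstration on the constructed sample: reports the dynsec .so twice.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$tmp"
check_conf "$tmp" || echo "fix: keep a single 'plugin' line per shared object"
rm -f "$tmp"
```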

ralight commented 2 years ago

For the 2.0.15 release duplicate plugins are disabled. For 2.1.0 I'll try to think of a different solution.