401 status still let the client to pub/sub

[amirkheirabadi73]

In v2.3 for ACL, I am returning 401.but the client is still able to pub/sub.

[zsafder]

is this fix? as I am getting the same issue for v3.

[tigercl]

@zsafder Have you turned off anonymous access in emqx.conf? allow_anonymous = false is required if you want the server to deny access to users who are not authenticated.

[zsafder]

yes, allow_anonymous is false. Below is my docker run command. Kindly let me know what I am missing here.

docker run -d --name emqx -p 18083:18083 -p 1883:1883 \
-e EMQX_LOADED_PLUGINS="emqx_recon,emqx_retainer,emqx_management,emqx_dashboard,emqx_rule_engine,emqx_auth_http" \
-e EMQX_ZONE__INTERNAL__ENABLE_ACL=on \
-e EMQX_ZONE__INTERNAL__ALLOW_ANONYMOUS=false \
-e EMQX_ACL_CACHE_TTL=5m \
-e EMQX_AUTH__HTTP__AUTH_REQ="http://host.docker.internal:3000/emqx/auth" \
-e EMQX_AUTH__HTTP__AUTH_REQ__METHOD=get \
-e EMQX_AUTH__HTTP__AUTH_REQ__PARAMS="client_id=%c,username=%u,password=%P" \
-e EMQX_AUTH__HTTP__SUPER_REQ="http://host.docker.internal:3000/emqx/superuser" \
-e EMQX_AUTH__HTTP__SUPER_REQ__METHOD=get \
-e EMQX_AUTH__HTTP__SUPER_REQ__PARAMS="client_id=%c,username=%u,password=%P" \
-e EMQX_AUTH__HTTP__ACL_REQ="http://host.docker.internal:3000/emqx/acl" \
-e EMQX_AUTH__HTTP__ACL_REQ__METHOD=get \
-e EMQX_AUTH__HTTP__ACL_REQ__PARAMS="access=%A,username=%u,client_id=%c,ip_addr=%a,topic=%t" \
emqx/emqx:latest

[zsafder]

@tigercl waiting for your help, I am stuck there.

[HJianBo]

Hi @zsafder can you give me the precise version used? Is it v3.2.3?

[gmitaros]

I have same problem! Actually I checked also the logs from my http server and it never calls the ACL ap i!

[zsafder]

@tigercl it is 3.2.7

[zsafder]

What I have observed now, the client can able to publish a message and subscribe call return true by EMQX cluster but there is no topic created in the case of a 403 response. The solution we would like to achieve is the client should not able to publish/subscribe to the cluster.

[zsafder]

Ideally, I would like to send 403 code to client pub/sub requests. Can I do that? Or denial will be silent to clients? Currently, clients cannot able to do pub/sub but they are getting 200 response.

[HJianBo]

Ideally, I would like to send 403 code to client pub/sub requests. Can I do that?

Yes, you can. The emqx_auth_http will deny a PUB/SUB Request if response code is not 200

emqx-auth-http/src/emqx_acl_http.erl

Lines 57 to 65 in 20660de

	case check_acl_request(AclReq, ClientInfo1, Headers, HttpOpts, RetryOpts) of
	{ok, 200, "ignore"} -> ok;
	{ok, 200, _Body} -> {stop, allow};
	{ok, _Code, _Body} -> {stop, deny};
	{error, Error} ->
	?LOG(error, "Request ACL url ~s, error: ~p",
	[AclReq#http_request.url, Error]),
	ok
	end.

[zsafder]

thanks @tigercl and @HJianBo. It worked :)