Skip to main content


Eclipse Community Forums

      Home
Home » Eclipse Projects » Mosquitto » Dynamic Security Plugin - persisting in-memory to config file
Dynamic Security Plugin - persisting in-memory to config file [message #1840954] Thu, 29 April 2021 08:31 Go to next message
Eclipse UserFriend
After enabling dynamic-security plugin, could add dynamically client, group, role and ACLs. New MQTT clients could also connect using these newly created client/user too.

But these dynamically created config using mosquito_ctrl doesn't get persisted. After restart of the broker all the dynamically created configuration were not available.

Is there anything I need to do beyond this to persist the dynamically created configuration using 'dynsec'. Thanks in advance.

autosave_on_changes true
autosave_interval 5

persistence true
persistence_location /var/lib/mosquitto/
Re: Dynamic Security Plugin - persisting in-memory to config file [message #1840988 is a reply to message #1840954] Thu, 29 April 2021 17:25 Go to previous messageGo to next message
Eclipse UserFriend
When you configure the dynamic-security plugin you need to make sure you include the `plugin_opt_config_file <path to file>` option which defines where the configuration will be saved. If the file isn't writeable then maybe that is your problem.

Regards,

Roger
Re: Dynamic Security Plugin - persisting in-memory to config file [message #1840993 is a reply to message #1840988] Fri, 30 April 2021 01:02 Go to previous messageGo to next message
Eclipse UserFriend
Thanks Roger. Yes that was the issue. (Using sudo chmod 766 /path/to/dynamic-security.json now it is working).

Surprising thing is you could make out with no other information - there is actually nothing in the log too that it could not write to the file. Shouldn't this be logged into the log file configured.

~JAK
Re: Dynamic Security Plugin - persisting in-memory to config file [message #1865439 is a reply to message #1840993] Fri, 03 May 2024 08:14 Go to previous messageGo to next message
Eclipse UserFriend
Gives Error while saving to Dynamic security plugin config: saying File is not writable - check permissions. I have given mosquitto as owner and tried 0700, 0744, 0766, 0777 - everything to the dynamic security json file. Still it is not working. Using the version 2.0.18.
Similar configuration works well in 2.0.10. Detailed log below when I try "mosquitto_ctrl dynsec setDefaultACLAccess publishClientSend deny"

I virtually ran out of all possible options. Now I am thinking of using older mosquitto version to try this. Any pointers would be great - TIA.

Quote:

2024-05-03T16:42:53: mosquitto version 2.0.18 starting
2024-05-03T16:42:53: Config loaded from /etc/mosquitto/mosquitto.conf.
2024-05-03T16:42:53: Loading plugin: /usr/lib/x86_64-linux-gnu/mosquitto_dynamic_security.so
2024-05-03T16:42:53: Opening ipv4 listen socket on port 7883.
2024-05-03T16:42:53: mosquitto version 2.0.18 running
2024-05-03T16:42:59: New connection from 10.x.x.236:42992 on port 7883.
2024-05-03T16:42:59: New client connected from 10.x.x.236:42992 as auto-ED29EA8A-20AC-1B32-7AF8-A2F135EFC919 (p5, c1, k60, u'admin').
2024-05-03T16:42:59: dynsec: auto-ED29EA8A-20AC-1B32-7AF8-A2F135EFC919/admin | setDefaultACLAccess | acltype=publishClientSend | allow=false
2024-05-03T16:42:59: Error saving Dynamic security plugin config: File is not writable - check permissions.

2024-05-03T16:42:59: Client auto-ED29EA8A-20AC-1B32-7AF8-A2F135EFC919 closed its connection.

[Updated on: Fri, 03 May 2024 08:15] by Moderator

Re: Dynamic Security Plugin - persisting in-memory to config file [message #1865442 is a reply to message #1865439] Fri, 03 May 2024 08:17 Go to previous messageGo to next message
Eclipse UserFriend
Quote:

$ ls -l /etc/mosquitto/dynamic-security.json
-rwxrwxrwx 1 mosquitto mosquitto 1245 May 3 16:12 /etc/mosquitto/dynamic-security.json

$ cat /etc/mosquitto/mosquitto.conf | grep dynamic
plugin /usr/lib/x86_64-linux-gnu/mosquitto_dynamic_security.so
plugin_opt_config_file /etc/mosquitto/dynamic-security.json

[Updated on: Fri, 03 May 2024 08:17] by Moderator

Re: Dynamic Security Plugin - persisting in-memory to config file [message #1865481 is a reply to message #1865442] Sat, 04 May 2024 02:46 Go to previous message
Eclipse UserFriend
I looked at the source file to debug under /plugins/dynamic-security/plugin.c. Noticed the below code - added a copy dynamic-security.json.new and also dynamic-security.json and with 755 permission to the /etc/mosquitto folder the server starts without complaining and is able to write security config to dynamic-security.json. It modifies the permission of this file to 0600 and deletes the .new file. Very weird that these undocumented behavior.

so /etc/mosquitto to have 0755
and add a duplicate dynamic-security.json.new file with 0600 before adding any new configuration.

Quote:

snprintf(file_path, file_path_len, "%s.new", config_file);
mosquitto_log_printf(MOSQ_LOG_ERR,"file_path %s file_path_len %d config_file %s \n", file_path,file_path_len,config_file);
fptr = mosquitto__fopen(file_path, "wt", true);
if(fptr == NULL){
mosquitto_free(json_str);
mosquitto_free(file_path);
mosquitto_log_printf(MOSQ_LOG_ERR, "Error saving Dynamic security plugin config: File is not writable - check permissions.\n");
return;
}



Can someone confirm this behavior is expected?
Previous Topic:No CRL check happening when connecting via websockets
Next Topic:problem in mosquitto broker on window
Goto Forum:
  


Current Time: Fri Jul 04 06:52:34 EDT 2025

Powered by FUDForum. Page generated in 0.04618 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software

Back to the top

Sign up to our Newsletter

A fresh new issue delivered monthly