Hi team,
I am trying to set up HiveMQ locally on Windows:
- CLI setup
- HiveMQ Broker setup
- HiveMQ run.bat
- and Security extension running
- PostgreSQL
My PostgreSQL is running in Docker, but I am unable to authenticate as a user in my DB successfully using the CLI.
I created the DB entries just as suggested here: HiveMQ Enterprise Security Extension (ESE) Start Up Guide :: HiveMQ Documentation, and created the backendservice user according to that doc.
```sql
insert into public.users
(username, password, password_iterations, password_salt, algorithm)
values
('backendservice', 'wtUo2dri+ttHGHRpngg9uG21piWLiKSX7IaNSnU/BfN9pt+ZOLQByG/3JlPPQ7t/pl8S3tjR2+Um/DPBdAQULg==', 100, 'Nv6NU9XY7tvHdSGaKmNTOw==', 'SHA512'),
('frontendclient', 'ZHg/rNJel1BHOYMEvc40ekCRUE5vVLcsPF6mk9GPDcdEmX3stm50MplaqjGb8Lxhy6rNFQZSQRSbOxmFZ8ps1Q==', 100, 'JhpW27QU9WfIaG6FJT5MkQ==', 'SHA512'),
('superuser', 'nOgr9xVnkt51Lr68KS/rAKm/LqxAt8oEki7vCerRod3qDbyMFfDBGT8obnkw+AGygxCQDWdaA2sQnXXoAbVK6Q==', 100, 'wxw+3diCV4bWXQHb6LLniA==', 'SHA512');

insert into public.permissions
(id, topic, publish_allowed, subscribe_allowed, qos_0_allowed, qos_1_allowed, qos_2_allowed, retained_msgs_allowed, shared_sub_allowed, shared_group)
values
(1, 'topic/+/status', false, true, true, true, true, false, false, ''),
(2, 'topic/${mqtt-clientid}/status', true, false, true, true, true, true, false, ''),
(3, '#', true, true, true, true, true, true, true, '');

insert into public.roles
(id, name, description)
values
(1, 'backendservice', 'only allowed to subscribe to topics'),
(2, 'frontendclients', 'only allowed to publish to topics'),
(3, 'superuser', 'is allowed to do everything');

insert into public.user_roles
(user_id, role_id)
values
(1, 1),
(2, 2),
(3, 3);

insert into public.role_permissions
(role, permission)
values
(1, 1),
(2, 2),
(3, 3);
```
When I run this command on the CLI, I get the following error:
```
mqtt> connect --identifier=backendservice --user=backendservice --password=wtUo2dri+ttHGHRpngg9uG21piWLiKSX7IaNSnU/BfN9pt+ZOLQByG/3JlPPQ7t/pl8S3tjR2+Um/DPBdAQULg==
Unable to connect. Reason: 'CONNECT failed as CONNACK contained an Error Code: NOT_AUTHORIZED.'
```
Here are the various log files:
- DEBUG log from run.bat
```
2023-07-13 04:54:29,824 DEBUG - mqtt-clientid ESE-Variable: backendservice
2023-07-13 04:54:29,825 DEBUG - authentication-key ESE-Variable: backendservice
2023-07-13 04:54:29,830 DEBUG - authentication-byte-secret ESE-Variable: d3RVbzJkcmkrdHRIR0hScG5nZzl1RzIxcGlXTGlLU1g3SWFOU25VL0JmTjlwdCtaT0xRQnlHLzNKbFBQUTd0L3BsOFMzdGpSMitVbS9EUEJkQVFVTGc9PQ==
2023-07-13 04:54:29,832 DEBUG - mqtt-password ESE-Variable: d3RVbzJkcmkrdHRIR0hScG5nZzl1RzIxcGlXTGlLU1g3SWFOU25VL0JmTjlwdCtaT0xRQnlHLzNKbFBQUTd0L3BsOFMzdGpSMitVbS9EUEJkQVFVTGc9PQ==
2023-07-13 04:54:34,826 DEBUG - Client 'backendservice' with ip 127.0.0.1 could not be authenticated
```
- Access log
```
2023-07-12 23:05:59,884 UTC - authentication-failed - Client failed authentication: ID backendservice, IP 127.0.0.1, reason "unknown authentication key or wrong authentication secret".
2023-07-12 23:10:27,234 UTC - authentication-failed - Client failed authentication: ID superuser, IP 127.0.0.1, reason "unknown authentication key or wrong authentication secret".
2023-07-12 23:12:45,501 UTC - authentication-failed - Client failed authentication: ID superuser, IP 127.0.0.1, reason "unknown authentication key or wrong authentication secret".
2023-07-12 23:20:08,904 UTC - authentication-failed - Client failed authentication: ID superuser, IP 127.0.0.1, reason "unknown authentication key or wrong authentication secret".
2023-07-12 23:20:30,720 UTC - authentication-failed - Client failed authentication: ID superuser, IP 127.0.0.1, reason "unknown authentication key or wrong authentication secret".
```
- MQTT CLI log:
```
2023-07-13 04:54:29 | 11532 | DEBUG | Client 'backendservice@localhost' sending CONNECT MqttConnect{keepAlive=60, cleanStart=true, sessionExpiryInterval=0, simpleAuth=MqttSimpleAuth{username and password}}
2023-07-13 04:54:34 | 11532 | DEBUG | Client 'backendservice@localhost' DISCONNECTED CONNECT failed as CONNACK contained an Error Code: NOT_AUTHORIZED.: com.hivemq.client.mqtt.mqtt5.exceptions.Mqtt5ConnAckException: CONNECT failed as CONNACK contained an Error Code: NOT_AUTHORIZED.
2023-07-13 04:54:34 | 11532 | ERROR | Unable to connect. Reason: 'CONNECT failed as CONNACK contained an Error Code: NOT_AUTHORIZED.': com.hivemq.client.mqtt.mqtt5.exceptions.Mqtt5ConnAckException: CONNECT failed as CONNACK contained an Error Code: NOT_AUTHORIZED.
    at com.hivemq.client.internal.mqtt.MqttBlockingClient.connect(MqttBlockingClient.java:101)
    at com.hivemq.cli.mqtt.MqttClientExecutor.mqtt5Connect(MqttClientExecutor.java:66)
    at com.hivemq.cli.mqtt.AbstractMqttClientExecutor.connectMqtt5Client(AbstractMqttClientExecutor.java:311)
    at com.hivemq.cli.mqtt.AbstractMqttClientExecutor.connect(AbstractMqttClientExecutor.java:128)
    at com.hivemq.cli.mqtt.MqttClientExecutor.connect(MqttClientExecutor.java:53)
    at com.hivemq.cli.mqtt.AbstractMqttClientExecutor.connect(AbstractMqttClientExecutor.java:112)
    at com.hivemq.cli.mqtt.MqttClientExecutor.connect(MqttClientExecutor.java:53)
    at com.hivemq.cli.commands.shell.ShellConnectCommand.call(ShellConnectCommand.java:58)
    at com.hivemq.cli.commands.shell.ShellConnectCommand.call(ShellConnectCommand.java:31)
    at picocli.CommandLine.executeUserObject(CommandLine.java:2041)
    at picocli.CommandLine.access$1500(CommandLine.java:148)
    at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2461)
    at picocli.CommandLine$RunLast.handle(CommandLine.java:2453)
    at picocli.CommandLine$RunLast.handle(CommandLine.java:2415)
    at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2273)
    at picocli.CommandLine$RunLast.execute(CommandLine.java:2417)
    at picocli.CommandLine.execute(CommandLine.java:2170)
    at com.hivemq.cli.commands.shell.ShellCommand.interact(ShellCommand.java:145)
    at com.hivemq.cli.commands.shell.ShellCommand.call(ShellCommand.java:96)
    at com.hivemq.cli.commands.shell.ShellCommand.call(ShellCommand.java:46)
    at picocli.CommandLine.executeUserObject(CommandLine.java:2041)
    at picocli.CommandLine.access$1500(CommandLine.java:148)
    at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2461)
    at picocli.CommandLine$RunLast.handle(CommandLine.java:2453)
    at picocli.CommandLine$RunLast.handle(CommandLine.java:2415)
    at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2273)
    at picocli.CommandLine$RunLast.execute(CommandLine.java:2417)
    at picocli.CommandLine.execute(CommandLine.java:2170)
    at com.hivemq.cli.MqttCLIMain.main(MqttCLIMain.java:63)
```
- HiveMQ Broker running at localhost:8080; I can see the connect request reaching there.
Here is my config.xml:
```xml
<?xml version="1.0" encoding="UTF-8" ?>
<enterprise-security-extension
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="config.xsd"
    version="1">
  <realms>
    <!-- a postgresql db-->
    <sql-realm>
      <name>postgres-backend</name>
      <enabled>true</enabled>
      <configuration>
        <db-type>POSTGRES</db-type>
        <db-name>hivemq-ese-db</db-name>
        <db-host>localhost</db-host>
        <db-port>5432</db-port>
        <db-username>postgres</db-username>
        <db-password>postgres</db-password>
      </configuration>
    </sql-realm>
  </realms>
  <pipelines>
    <!-- secure access to the mqtt broker -->
    <listener-pipeline listener="ALL">
      <authentication-preprocessors>
        <logging-preprocessor>
          <message>mqtt-clientid ESE-Variable: ${mqtt-clientid}</message>
          <level>debug</level>
          <name>com.example.logger</name>
        </logging-preprocessor>
        <logging-preprocessor>
          <message>authentication-key ESE-Variable: ${authentication-key}</message>
          <level>debug</level>
          <name>com.example.logger</name>
        </logging-preprocessor>
        <logging-preprocessor>
          <message>authentication-byte-secret ESE-Variable: ${authentication-byte-secret}</message>
          <level>debug</level>
          <name>com.example.logger</name>
        </logging-preprocessor>
        <logging-preprocessor>
          <message>mqtt-password ESE-Variable: ${mqtt-password}</message>
          <level>debug</level>
          <name>com.example.logger</name>
        </logging-preprocessor>
      </authentication-preprocessors>
      <!-- authenticate over a sql db -->
      <sql-authentication-manager>
        <realm>postgres-backend</realm>
      </sql-authentication-manager>
      <!-- authorize over a sql db -->
      <sql-authorization-manager>
        <realm>postgres-backend</realm>
        <use-authorization-key>false</use-authorization-key>
        <use-authorization-role-key>true</use-authorization-role-key>
      </sql-authorization-manager>
    </listener-pipeline>
    <!-- secure access to the control center -->
  </pipelines>
</enterprise-security-extension>
```
Please let me know what I am missing and why I am getting this error:
```
Unable to connect. Reason: 'CONNECT failed as CONNACK contained an Error Code: NOT_AUTHORIZED.'
```
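The post's own log already contains the evidence needed to diagnose this failure: the `authentication-byte-secret` preprocessor logs the CONNECT password base64-encoded, and decoding that value gives back the exact string stored in `users.password`, i.e. the client is presenting the stored hash instead of the plaintext credential the row was derived from. The script below is an added example written for this thread; it is not code from the poster or from HiveMQ. The log line and the `backendservice` row are copied from the post. The password-derivation function is an assumption (PBKDF2-HMAC over the row's digest, with the base64-decoded salt, the row's iteration count and a digest-length output stored as base64); HiveMQ's actual derivation is not stated on this page, so `derive_hash`, `verify_password` and `make_row` demonstrate the salted-iterated-hash pattern the table columns imply rather than the extension's exact algorithm.

```python
import base64
import hashlib
import hmac
import re
from typing import Optional

# Copied from the poster's SQL insert: the stored credential row for 'backendservice'.
STORED_ROW = {
    "username": "backendservice",
    "password": "wtUo2dri+ttHGHRpngg9uG21piWLiKSX7IaNSnU/BfN9pt+ZOLQByG/3JlPPQ7t/pl8S3tjR2+Um/DPBdAQULg==",
    "password_iterations": 100,
    "password_salt": "Nv6NU9XY7tvHdSGaKmNTOw==",
    "algorithm": "SHA512",
}

# The authentication-byte-secret line from the poster's run.bat DEBUG log.
LOG_LINE = (
    "2023-07-13 04:54:29,830 DEBUG - authentication-byte-secret ESE-Variable: "
    "d3RVbzJkcmkrdHRIR0hScG5nZzl1RzIxcGlXTGlLU1g3SWFOU25VL0JmTjlwdCtaT0xRQnlHLzNKbFBQUTd0L3BsOFMzdGpSMitVbS9EUEJkQVFVTGc9PQ=="
)

# Maps the algorithm column to a hashlib digest name.
_DIGESTS = {"SHA256": "sha256", "SHA512": "sha512"}


def decode_byte_secret(log_line: str) -> Optional[str]:
    """Extract the base64 secret the preprocessor logged and decode it to the
    password string the client actually sent in CONNECT (None if absent)."""
    match = re.search(r"authentication-byte-secret ESE-Variable: (\S+)", log_line)
    if not match:
        return None
    return base64.b64decode(match.group(1)).decode("utf-8")


def client_sent_stored_hash(log_line: str, row: dict) -> bool:
    """True when the CONNECT password is byte-for-byte the value in users.password,
    i.e. the client presented the verifier instead of the credential."""
    return decode_byte_secret(log_line) == row["password"]


def derive_hash(password: str, salt_b64: str, iterations: int, algorithm: str) -> str:
    """ASSUMED scheme: PBKDF2-HMAC over the row's digest, base64-decoded salt,
    the row's iteration count, digest-length output, stored base64-encoded."""
    digest = _DIGESTS[algorithm]
    salt = base64.b64decode(salt_b64)
    key = hashlib.pbkdf2_hmac(
        digest, password.encode("utf-8"), salt, iterations, hashlib.new(digest).digest_size
    )
    return base64.b64encode(key).decode("ascii")


def verify_password(candidate: str, row: dict) -> bool:
    """Recompute the hash for a candidate password and compare in constant time."""
    expected = derive_hash(
        candidate, row["password_salt"], row["password_iterations"], row["algorithm"]
    )
    return hmac.compare_digest(expected, row["password"])


def make_row(username: str, password: str, salt: bytes,
             iterations: int = 100, algorithm: str = "SHA512") -> dict:
    """Build a users row with the poster's column layout from a plaintext password."""
    salt_b64 = base64.b64encode(salt).decode("ascii")
    return {
        "username": username,
        "password": derive_hash(password, salt_b64, iterations, algorithm),
        "password_iterations": iterations,
        "password_salt": salt_b64,
        "algorithm": algorithm,
    }


def diagnose(log_line: str, row: dict) -> str:
    """One-line verdict for an ESE login that failed with NOT_AUTHORIZED."""
    sent = decode_byte_secret(log_line)
    if sent is None:
        return "no authentication-byte-secret in log line"
    if sent == row["password"]:
        return "client sent the stored hash as its password; pass the plaintext the row was derived from"
    if verify_password(sent, row):
        return "password verifies under the assumed scheme; check roles and permissions instead"
    return "password does not verify; credential or hashing parameters differ"


if __name__ == "__main__":
    print(decode_byte_secret(LOG_LINE))
    print(diagnose(LOG_LINE, STORED_ROW))
```

Run as-is it prints the decoded secret (identical to the `users.password` value for `backendservice`) and the verdict that the hash itself was used as the password; `make_row` shows how a fresh row is generated from a plaintext so that the same plaintext, not the column value, goes into `--password`. Note also that the `authentication-byte-secret` and `mqtt-password` logging preprocessors write every client's credential into the broker log in recoverable form, so they should be removed from config.xml once the problem is understood.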