How to control client publish and subscription

sulfred
sulfred Member Posts: 20

Hi all,


I would like to ask how to limit the client on Solace message broker publishing and subscribing topics or queues.

For example I have a sender_001, he can only send out topic hello/python/> and I have a receiver_001 , who can only listen to topic hello/python/> and queue hello_q .


I see that there is a page on the portal `Messaging ~~> VPN ~~> Access Control` . From there I see `Client profile` `ACL profile` `Client username` . I would like to ask how can I config this setup so that I can login the broker from my python client and limited the access correctly.

I see there is a username and password in the hello_world_pubsub.py example. I guess that is related to this setting? I would like to ask how to config and use them.

I am trying to add ACL profile also, but I am not sure how to link it back so that my python client can login and apply the ACL profile


Thanks

Tagged:

Comments

  • Tamimi
    Tamimi Member, Administrator, Employee Posts: 489 admin

    Hey @sulfred - a couple of important points that I should highlight here:

    We'll have to differentiate between Messaging and Management APIs when interacting with Solace. The messaging API (like the Solace PubSub+ Messaging API for Python the one you are using) is only to be used for messaging related activities such as publishing or subscribing in your case.

    For use-cases relating to management activities, this is where you can leverage the SEMP API to configure broker management such as ACL Profiles. Note that when you run the hello_world_pubsub.py sample, since you are using the messaging API, the username/password is the client profile user name password and NOT the SEMP (management) username/password.

    I highlighted more details on the differences over here https://solace.community/discussion/comment/4503#Comment_4503

    Now to answer your question, after you've created a hello_acl profile, you will have to create a username that belongs to the profile that you just created, and make sure you assign a password for it as well as follows.

    Make sure when you create your new username to

    1. Enable it
    2. Change the password
    3. Assign it to your newly created ACL profile

    And then you can use this username/password to connect to your message vpn on your broker. If you attempt to publish on or subscribe to topics outside your ACL limitations, the API will raise an exception.

    Hopefully this helps!

  • Aaron
    Aaron Member, Administrator, Moderator, Employee Posts: 497 admin

    A couple extra things:

    • when creating a new ACL Profile, everything is locked down by default... that is, everything is set to "disallow" and no exceptions
    • Typically you probably want the Connect ACLs set to "allow" instead, unless you want to write very specific IP address ranges where your app can connect from
    • Leave the Publish and Subscribe ACL default behaviour as "disallow" and then add subscriptions exactly like you need
    • Once you're done making your ACL Profile, you can point any number of client-usernames to it.. there's a 1..n relationship there.

    HTH

  • sulfred
    sulfred Member Posts: 20

    Thanks. It works. I can control the publish and subscription now.

  • sulfred
    sulfred Member Posts: 20

    One follow up question.

    I am using config like this

    broker_props = {
        "solace.messaging.transport.host": os.environ.get('SOLACE_HOST') or "tcp://localhost:20061,tcp://localhost:55555,tcp://localhost:55554",
        "solace.messaging.service.vpn-name": os.environ.get('SOLACE_VPN') or "default",
        "solace.messaging.authentication.scheme.basic.username": "hello_client",
        "solace.messaging.authentication.scheme.basic.password": "hello_cl_"
    }
    

    I find that even if the password is not correct, I can still login as that user and use the related ACL. Am I missing some setup?


    Thanks

  • Tamimi
    Tamimi Member, Administrator, Employee Posts: 489 admin

    hm yeah you should not be able to connect to the broker if the password is wrong. I get the following error when the password is wrong.

        raise AuthenticationError(message=f'{BAD_CREDENTIALS} {core_exception_msg}')
    solace.messaging.errors.pubsubplus_client_error.AuthenticationError: The username or password is incorrect {'caller_description': 'do_connect', 'return_code': 'Not ready', 'sub_code': 'SOLCLIENT_SUBCODE_LOGIN_FAILURE', 'error_info_sub_code': 19, 'error_info_contents': 'Unauthorized'}
    

    What version of the Python API are you using?

  • Aaron
    Aaron Member, Administrator, Moderator, Employee Posts: 497 admin

    The default configuration on the software broker when you download it is "wide open". That is: there's no authentication enabled on the default Message VPN. So any password will work. And using the default username means you can actually login with any username you want. If you provide a client-username that doesn't exist, the broker will fall-back to the default client-username.

    So:

    • change the VPN's authentication to Internal
    • create a new client-username of your choice
    • disable the default client-username
  • sulfred
    sulfred Member Posts: 20

    Thanks, I am following this page: https://docs.solace.com/Configuring-and-Managing/Configuring-Client-Authentication.htm#Basic


    I am using cli by this:

    docker exec -it solace /usr/sw/loads/currentload/bin/cli -A
    

    then I run command and get this error:

    $ auth-type internal
    
     Invalid command input
        auth-type internal
        ^
         -> unknown command, or command not available in current mode
    

    I would like to ask how to set internal for the VPN ? I am using the default VPN, and I don't see the related config on the web portal.

    python api : solace-pubsubplus==1.2.1

    solace version: Solace PubSub+ Standard Version 9.12.1.17 (in docker container)


    Thanks