🎄 Happy Holidays! 🥳
Most of Solace is closed December 24–January 1 so our employees can spend time with their families. We will re-open Thursday, January 2, 2024. Please expect slower response times during this period and open a support ticket for anything needing immediate assistance.
Happy Holidays!
Please note: most of Solace is closed December 25–January 2, and will re-open Tuesday, January 3, 2023.
How to control client publish and subscription
Hi all,
I would like to ask how to limit the client on Solace message broker publishing and subscribing topics or queues.
For example I have a sender_001
, he can only send out topic hello/python/>
and I have a receiver_001
, who can only listen to topic hello/python/>
and queue hello_q
.
I see that there is a page on the portal `Messaging ~~> VPN ~~> Access Control` . From there I see `Client profile` `ACL profile` `Client username` . I would like to ask how can I config this setup so that I can login the broker from my python client and limited the access correctly.
I see there is a username
and password
in the hello_world_pubsub.py
example. I guess that is related to this setting? I would like to ask how to config and use them.
I am trying to add ACL profile also, but I am not sure how to link it back so that my python client can login and apply the ACL profile
Thanks
Comments
-
Hey @sulfred - a couple of important points that I should highlight here:
We'll have to differentiate between Messaging and Management APIs when interacting with Solace. The messaging API (like the Solace PubSub+ Messaging API for Python the one you are using) is only to be used for messaging related activities such as publishing or subscribing in your case.
For use-cases relating to management activities, this is where you can leverage the SEMP API to configure broker management such as ACL Profiles. Note that when you run the
hello_world_pubsub.py
sample, since you are using the messaging API, the username/password is the client profile user name password and NOT the SEMP (management) username/password.I highlighted more details on the differences over here https://solace.community/discussion/comment/4503#Comment_4503
Now to answer your question, after you've created a
hello_acl
profile, you will have to create a username that belongs to the profile that you just created, and make sure you assign a password for it as well as follows.Make sure when you create your new username to
- Enable it
- Change the password
- Assign it to your newly created ACL profile
And then you can use this username/password to connect to your message vpn on your broker. If you attempt to publish on or subscribe to topics outside your ACL limitations, the API will raise an exception.
Hopefully this helps!
1 -
A couple extra things:
- when creating a new ACL Profile, everything is locked down by default... that is, everything is set to "disallow" and no exceptions
- Typically you probably want the Connect ACLs set to "allow" instead, unless you want to write very specific IP address ranges where your app can connect from
- Leave the Publish and Subscribe ACL default behaviour as "disallow" and then add subscriptions exactly like you need
- Once you're done making your ACL Profile, you can point any number of client-usernames to it.. there's a 1..n relationship there.
HTH
1 -
One follow up question.
I am using config like this
broker_props = { "solace.messaging.transport.host": os.environ.get('SOLACE_HOST') or "tcp://localhost:20061,tcp://localhost:55555,tcp://localhost:55554", "solace.messaging.service.vpn-name": os.environ.get('SOLACE_VPN') or "default", "solace.messaging.authentication.scheme.basic.username": "hello_client", "solace.messaging.authentication.scheme.basic.password": "hello_cl_" }
I find that even if the password is not correct, I can still login as that user and use the related ACL. Am I missing some setup?
Thanks
0 -
hm yeah you should not be able to connect to the broker if the password is wrong. I get the following error when the password is wrong.
raise AuthenticationError(message=f'{BAD_CREDENTIALS} {core_exception_msg}') solace.messaging.errors.pubsubplus_client_error.AuthenticationError: The username or password is incorrect {'caller_description': 'do_connect', 'return_code': 'Not ready', 'sub_code': 'SOLCLIENT_SUBCODE_LOGIN_FAILURE', 'error_info_sub_code': 19, 'error_info_contents': 'Unauthorized'}
What version of the Python API are you using?
0 -
The default configuration on the software broker when you download it is "wide open". That is: there's no authentication enabled on the
default
Message VPN. So any password will work. And using thedefault
username means you can actually login with any username you want. If you provide a client-username that doesn't exist, the broker will fall-back to thedefault
client-username.So:
- change the VPN's authentication to
Internal
- create a new client-username of your choice
- disable the
default
client-username
2 - change the VPN's authentication to
-
Thanks, I am following this page: https://docs.solace.com/Configuring-and-Managing/Configuring-Client-Authentication.htm#Basic
I am using cli by this:
docker exec -it solace /usr/sw/loads/currentload/bin/cli -A
then I run command and get this error:
$ auth-type internal Invalid command input auth-type internal ^ -> unknown command, or command not available in current mode
I would like to ask how to set
internal
for the VPN ? I am using the default VPN, and I don't see the related config on the web portal.python api : solace-pubsubplus==1.2.1
solace version: Solace PubSub+ Standard Version 9.12.1.17 (in docker container)
Thanks
0