How to control client publish and subscription
Hi all,
I would like to ask how to limit the client on Solace message broker publishing and subscribing to topics or queues. For example, I have a `sender_001`, who can only send to topic `hello/python/>`, and I have a `receiver_001`, who can only listen to topic `hello/python/>` and queue `hello_q`.
I see that there is a page on the portal `Messaging ~~> VPN ~~> Access Control`. From there I see `Client profile`, `ACL profile` and `Client username`. I would like to ask how I can configure this setup so that I can log in to the broker from my Python client and limit the access correctly.
I see there is a username and password in the `hello_world_pubsub.py` example. I guess that is related to this setting? I would like to ask how to configure and use them.
I am also trying to add an ACL profile, but I am not sure how to link it back so that my Python client can log in and apply the ACL profile.
Thanks
Comments
-
Hey @sulfred - a couple of important points that I should highlight here:
We'll have to differentiate between Messaging and Management APIs when interacting with Solace. The messaging API (like the Solace PubSub+ Messaging API for Python, the one you are using) is only to be used for messaging-related activities such as publishing or subscribing in your case.
For use cases relating to management activities, this is where you can leverage the SEMP API to configure broker management such as ACL profiles. Note that when you run the `hello_world_pubsub.py` sample, since you are using the messaging API, the username/password is the client-profile username/password and NOT the SEMP (management) username/password. I highlighted more details on the differences over here: https://solace.community/discussion/comment/4503#Comment_4503
Now to answer your question, after you've created a `hello_acl` profile, you will have to create a username that belongs to the profile that you just created, and make sure you assign a password for it as well, as follows. Make sure when you create your new username to:
- Enable it
- Change the password
- Assign it to your newly created ACL profile
And then you can use this username/password to connect to your message vpn on your broker. If you attempt to publish on or subscribe to topics outside your ACL limitations, the API will raise an exception.
Hopefully this helps!
1 -
A couple extra things:
- when creating a new ACL Profile, everything is locked down by default... that is, everything is set to "disallow" and no exceptions
- Typically you probably want the Connect ACLs set to "allow" instead, unless you want to write very specific IP address ranges where your app can connect from
- Leave the Publish and Subscribe ACL default behaviour as "disallow" and then add subscriptions exactly like you need
- Once you're done making your ACL Profile, you can point any number of client-usernames to it; there's a 1..n relationship there.
HTH
1 -
One follow up question.
I am using config like this:

```python
import os

broker_props = {
    "solace.messaging.transport.host": os.environ.get('SOLACE_HOST')
        or "tcp://localhost:20061,tcp://localhost:55555,tcp://localhost:55554",
    "solace.messaging.service.vpn-name": os.environ.get('SOLACE_VPN') or "default",
    "solace.messaging.authentication.scheme.basic.username": "hello_client",
    "solace.messaging.authentication.scheme.basic.password": "hello_cl_",
}
```
I find that even if the password is not correct, I can still login as that user and use the related ACL. Am I missing some setup?
Thanks
0 -
hm yeah, you should not be able to connect to the broker if the password is wrong. I get the following error when the password is wrong:

```
raise AuthenticationError(message=f'{BAD_CREDENTIALS} {core_exception_msg}')
solace.messaging.errors.pubsubplus_client_error.AuthenticationError: The username or password is incorrect {'caller_description': 'do_connect', 'return_code': 'Not ready', 'sub_code': 'SOLCLIENT_SUBCODE_LOGIN_FAILURE', 'error_info_sub_code': 19, 'error_info_contents': 'Unauthorized'}
```
What version of the Python API are you using?
0 -
The default configuration on the software broker when you download it is "wide open". That is: there's no authentication enabled on the `default` Message VPN. So any password will work. And using the `default` username means you can actually log in with any username you want. If you provide a client-username that doesn't exist, the broker will fall back to the `default` client-username. So:
- change the VPN's authentication to `Internal`
- create a new client-username of your choice
- disable the `default` client-username
2 -
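The steps from the two answers above (an ACL profile that allows connecting but disallows publish/subscribe except for explicit topic exceptions, client-usernames that are enabled, have a password and point at that profile, then internal authentication on the VPN and disabling the `default` client-username), as an added example that is not from this thread or from Solace's own samples. It talks to the SEMP v2 config API with the management credentials, not the messaging ones; the endpoint paths, field names and the SEMP port 8080 are assumptions to check against the broker's SEMP reference.

```python
import base64
import json
import urllib.request


def semp_plan(vpn, profiles, users):
    """Return an ordered list of (method, path, body) SEMP v2 requests.
    profiles: {acl_name: (publish_topics, subscribe_topics)}
    users:    {client_username: (password, acl_name)}  (SEMP v2 paths/fields assumed)"""
    base = f"/SEMP/v2/config/msgVpns/{vpn}"
    plan = []
    for acl, (pub, sub) in profiles.items():
        # Connect allowed (no IP ranges); publish/subscribe disallowed unless listed.
        plan.append(("POST", f"{base}/aclProfiles", {
            "aclProfileName": acl,
            "clientConnectDefaultAction": "allow",
            "publishTopicDefaultAction": "disallow",
            "subscribeTopicDefaultAction": "disallow"}))
        for t in pub:
            plan.append(("POST", f"{base}/aclProfiles/{acl}/publishTopicExceptions",
                         {"publishTopicExceptionSyntax": "smf", "publishTopicException": t}))
        for t in sub:
            plan.append(("POST", f"{base}/aclProfiles/{acl}/subscribeTopicExceptions",
                         {"subscribeTopicExceptionSyntax": "smf", "subscribeTopicException": t}))
    for name, (password, acl) in users.items():
        # Enabled, password set, bound to its ACL profile: the three checklist items.
        plan.append(("POST", f"{base}/clientUsernames", {
            "clientUsername": name, "password": password, "enabled": True,
            "aclProfileName": acl, "clientProfileName": "default"}))
    # Without these two, any password works and unknown usernames fall back to 'default'.
    plan.append(("PATCH", base, {"authenticationBasicEnabled": True,
                                 "authenticationBasicType": "internal"}))
    plan.append(("PATCH", f"{base}/clientUsernames/default", {"enabled": False}))
    return plan


def apply_plan(plan, semp_url, admin_user, admin_pw):
    """Send the plan with the management (SEMP) credentials, not a client's."""
    token = base64.b64encode(f"{admin_user}:{admin_pw}".encode()).decode()
    for method, path, body in plan:
        req = urllib.request.Request(semp_url + path, method=method,
                                     data=json.dumps(body).encode(),
                                     headers={"Content-Type": "application/json",
                                              "Authorization": "Basic " + token})
        with urllib.request.urlopen(req) as resp:  # raises HTTPError on a SEMP error
            print(method, path, resp.status)
```

For the thread's setup, call `semp_plan("default", {"sender_acl": (["hello/python/>"], []), "receiver_acl": ([], ["hello/python/>"])}, {"sender_001": ("<pw>", "sender_acl"), "receiver_001": ("<pw>", "receiver_acl")})` and pass the result to `apply_plan(plan, "http://localhost:8080", "admin", "<semp-password>")`; after the last PATCH the wrong-password login in the follow-up above should fail with the `SOLCLIENT_SUBCODE_LOGIN_FAILURE` error quoted earlier.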
Thanks, I am following this page: https://docs.solace.com/Configuring-and-Managing/Configuring-Client-Authentication.htm#Basic
I am using the CLI like this:

```
docker exec -it solace /usr/sw/loads/currentload/bin/cli -A
```

then I run the command and get this error:

```
$ auth-type internal
Invalid command input
auth-type internal
^
-> unknown command, or command not available in current mode
```

I would like to ask how to set `internal` for the VPN? I am using the default VPN, and I don't see the related config on the web portal.
Python API: solace-pubsubplus==1.2.1
Solace version: Solace PubSub+ Standard Version 9.12.1.17 (in docker container)
Thanks
0