使用mongodb作为外部authz的数据源时的filter定义问题

zhongwencool · 2024 年12 月 30 日 09:51

看了下代码，应该是"$sort" => “$orderby” 这样…

emqx/mongodb-erlang/blob/b29b496484fe2f5604e699131a96f957d55ede92/src/api/mongoc.erl#L158


      
            #{<<"$query">> => Selector, <<"$readPreference">> => RP}.
          
          
          extract_read_preference(#{<<"$readPreference">> := RP} = Selector) ->
              {RP,
               maps:get(<<"$query">>, Selector, #{}),
               maps:get(<<"$orderby">>, Selector, #{})};
          extract_read_preference(Selector) when is_map(Selector) ->
              {#{<<"mode">> => <<"primary">>},
               maps:get(<<"$query">>, Selector, Selector),
               maps:get(<<"$orderby">>, Selector, #{})};%TODO also extract orderby and what else might be inside (strange but needed to pass test)
          extract_read_preference(Selector) when is_tuple(Selector) ->
            Fields = bson:fields(Selector),
            Query = case lists:keyfind(<<"$query">>, 1, Fields) of
                        {_, Q} -> Q;
                        false -> Selector
                    end,
            OrderBy = case lists:keyfind(<<"$orderby">>, 1, Fields) of
                        {_, OB} -> OB;
                        false -> #{}
                    end,

我没环境测，你试试看

caddy · 2024 年12 月 30 日 10:05

emqx起来了，我106行的配置是：

           filter {"$or":[{"username":"${username}"},{"clientid":"${clientid}"},{"ipaddress":"${peerhost}"}],"$orderby":{"auditing.last_modified_date":-1}}

实际上，filter内部是erlang的map，并不和mongodb的findone语法完全一致，然后还对一些关键字做了数据源无关的统一化。
具体这样的filter有没有效果我测试完后再来回复

caddy · 2024 年12 月 31 日 03:23

按照这样的配置：

    filter {
        "$or":[{"username":"${username}"},{"clientid":"${clientid}"},{"ipaddress":"${peerhost}"}],
        "$orderby":{"auditing.last_modified_date":-1}
    }

emqx服务是起来了，然后跟踪日志发现当客户端连上来之后其实后台报错了，类似：

2024-12-31T03:18:07.828654+00:00 [error] clientid: mqttx_47d16f04_1735615086000, msg: query_mongo_error, peername: 192.168.9.170:42350, username: vpp, reason: {resource_error,#{reason => exception,msg => #{error => {error,{error_cannot_parse_response,{op_msg_response,#{<<"$clusterTime">> => #{<<"clusterTime">> => {mongostamp,1,1735615081},<<"signature">> => #{<<"hash">> => {bin,bin,<<132,201,57,208,35,14,247,33,13,245,218,186,167,63,218,212,138,107,108,57>>},<<"keyId">> => 7418769586738167810}},<<"code">> => 2,<<"codeName">> => <<"BadValue">>,<<"errmsg">> => <<"unknown top level operator: $orderby. If you have a field name that starts with a '$' symbol, consider using $getField or $setField.">>,<<"ok">> => 0.0,<<"operationTime">> => {mongostamp,1,1735615081}}}}},id => <<"emqx_authz_mongodb:1">>,name => call_query,request => {find,<<"mqtt_acl">>,#{'$or' => [#{username => <<"vpp">>},#{clientid => <<"mqttx_47d16f04_1735615086000">>},#{ipaddress => <<"192.168.9.170">>}],'$orderby' => #{'auditing.last_modified_date' => -1}},#{}},stacktrace => [{mc_connection_man,reply,1,[{file,"mc_connection_man.erl"},{line,123}]},{mc_connection_man,read,4,[{file,"mc_connection_man.erl"},{line,34}]},{mc_worker_api,find,2,[{file,"mc_worker_api.erl"},{line,288}]},{poolboy,transaction,3,[{file,"poolboy.erl"},{line,90}]},{emqx_mongodb,on_query,3,[{file,"emqx_mongodb.erl"},{line,277}]},{emqx_resource_buffer_worker,apply_query_fun,9,[{file,"emqx_resource_buffer_worker.erl"},{line,1411}]},{emqx_resource_buffer_worker,call_query2,8,[{file,"emqx_resource_buffer_worker.erl"},{line,1249}]},{emqx_resource_buffer_worker,simple_sync_query,3,[{file,"emqx_resource_buffer_worker.erl"},{line,169}]},{emqx_authz_mongodb,authorize_with_filter,5,[{file,"emqx_authz_mongodb.erl"},{line,90}]},{emqx_authz,do_authorize,4,[{file,"emqx_authz.erl"},{line,531}]},{emqx_authz,authorize_non_superuser,4,[{file,"emqx_authz.erl"},{line,496}]},{emqx_hooks,safe_execute,2,[{file,"emqx_hooks.erl"},{line,205}]},{emqx_hooks,do_run_fold,3,[{file,"emqx_hooks.erl"},{line,185}]},{emqx_access_control,do_authorize,3,[{file,"emqx_access_control.erl"},{line,224}]},{emqx_access_control,check_authorization_cache,3,[{file,"emqx_access_control.erl"},{line,139}]},{emqx_access_control,authorize,3,[{file,"emqx_access_control.erl"},{line,106}]},{emqx_channel,do_check_sub_authzs2,3,[{file,"emqx_channel.erl"},{line,2434}]},{emqx_channel,do_check_sub_authzs,2,[{file,"emqx_channel.erl"},{line,2398}]},{emqx_utils,pipeline,3,[{file,"emqx_utils.erl"},{line,200}]},{emqx_channel,process_subscribe,2,[{file,"emqx_channel.erl"},{line,890}]},{emqx_connection,with_channel,3,[{file,"emqx_connection.erl"},{line,844}]},{emqx_connection,process_msg,2,[{file,"emqx_connection.erl"},{line,491}]},{emqx_connection,handle_recv,3,[{file,"emqx_connection.erl"},{line,442}]}]}}}, filter: #{'$or' => [#{username => <<"vpp">>},#{clientid => <<"mqttx_47d16f04_1735615086000">>},#{ipaddress => <<"192.168.9.170">>}],'$orderby' => #{'auditing.last_modified_date' => -1}}, resource_id: <<"emqx_authz_mongodb:1">>, collection: <<"mqtt_acl">>

caddy · 2025 年1 月 2 日 06:09

请问下，这个有结论吗，看报错是不支持这样的写法？

zhongwencool · 2025 年1 月 2 日 07:10

应该是当前版本没考虑到这个需求。。。得加。你可以到 github 上提个需求，看看怎么安排。。