emqx 4.4.19 MySQL ACL not taking effect

Single-node deployment on k8s; the configuration files are as follows

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: emqx-config
  namespace: emqx
data:
  emqx_auth_mysql.conf: |
    auth.mysql.server = 127.0.0.1:3306
    auth.mysql.pool = 8
    auth.mysql.username = emqx
    auth.mysql.password = 'xxx'
    auth.mysql.database = emqx_auth
    auth.mysql.auth_query = SELECT password,salt FROM mqtt_user WHERE username = '%u' limit 1
    auth.mysql.password_hash = md5,salt
    auth.mysql.super_query = select is_superuser from mqtt_user where username = '%u' limit 1
    auth.mysql.acl_query = SELECT allow,ipaddr,username,clientid,access,topic FROM mqtt_acl WHERE username = '%u' or username = '$all'
  emqx_dashboard.conf: |
    dashboard.default_user.login = admin
    dashboard.default_user.password = 'xxx'
    dashboard.listener.http = 18083
    dashboard.listener.http.acceptors = 4
    dashboard.listener.http.max_clients = 51
    dashboard.listener.http.inet6 = false
    dashboard.listener.http.ipv6_v6only = false
  acl.conf: |
    {deny, all}.


---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: emqx
  labels:
   app: emqx
  namespace: emqx
spec:
  replicas: 1
  selector:
   matchLabels:
     app: emqx
  template:
    metadata:
      labels:
        app: emqx
    spec:
      containers:
      - name: emqx
        image: emqx/emqx:4.4.19
        ports:
        - name: mqtt
          containerPort: 1883
        - name: mqttssl
          containerPort: 8883
        - name: mgmt
          containerPort: 8081
        - name: ws
          containerPort: 8083
        - name: wss
          containerPort: 8084
        - name: dashboard
          containerPort: 18083
        env:
        - name: EMQX_ALLOW_ANONYMOUS
          value: 'false'
        - name: EMQX_LOADED_PLUGINS
          value: emqx_recon,emqx_retainer,emqx_management,emqx_dashboard,emqx_auth_mysql
          #value: emqx_recon,emqx_retainer,emqx_management,emqx_dashboard,emqx_auth_mysql,emqx_prometheus
        # When the volume is a configmap/secret, subPath is the sub-path (key) within that configmap/secret
        - name: EMQX_BROKER__SHARED_SUBSCRIPTION_STRATEGY
          value: sticky
        - name: EMQX_LISTENERS__SSL__DEFAULT__VERIFY
          value: verify_none
        - name: EMQX_LISTENERS__SSL__DEFAULT__FAIL_IF_NO_PEER_CERT
          value: 'false'
        - name: EMQX_LISTENERS__SSL__EXTERNAL__VERIFY
          value: verify_none
        - name: EMQX_LISTENERS__SSL__EXTERNAL__FAIL_IF_NO_PEER_CERT
          value: 'false'
        - name: EMQX_LOG__LEVEL
          value: debug
        volumeMounts:
          - mountPath: /opt/emqx/etc/plugins/emqx_auth_mysql.conf
            name: emqx-config-volume
            subPath: emqx_auth_mysql.conf
          - mountPath: /opt/emqx/etc/plugins/emqx_dashboard.conf
            name: emqx-config-volume
            subPath: emqx_dashboard.conf
          - mountPath: /opt/emqx/etc/acl.conf
            name: emqx-config-volume
            subPath: acl.conf
      volumes:
      - name: emqx-config-volume
        configMap:
          name: emqx-config

The database contents are as follows:

After deploying this way, clients can connect and log in against MySQL normally, but the rules in the mqtt_acl table do not take effect. The demo user in MySQL can still log in but cannot subscribe to topics. I suspect the rule in acl.conf is what is taking effect; disabling the emqx_mod_acl_internal module in the dashboard does not help either, and none of the mqtt_acl policies in MySQL take effect.

Turn on debug and post some logs so we can take a look.

container.zip (3.0 KB)
Enabled debug logging; tried logging in as the demo user and as other users, and subscribing to topics.

The results from the MQTTX client and the mosquitto_sub client are not the same: with the demo user's allow set to 0, the mosquitto_sub client cannot log in successfully, while the MQTTX client can.

The acl_query statement was wrong; the actual one is
auth.mysql.acl_query = SELECT allow,ipaddr,username,clientid,access,topic FROM mqtt_acl WHERE username = '%u' or username = '$all' ORDER BY id ASC LIMIT 1

Solved. ACL governs the permission to subscribe to or publish on topics, not whether a user can log in. With MQTTX, the client connects successfully as long as it passes the auth_query authentication SQL, but when it subscribes to a topic, if there is no matching rule in the acl table, the check falls through to the built-in acl.conf. So the rules in acl.conf also need to be changed, or the emqx_mod_acl_internal module disabled.
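The behaviour described in the last two posts, as an added example (not code from this thread or from EMQX itself): a small Python model of how emqx_auth_mysql walks the mqtt_acl rows in id order, lets the first matching row decide, and falls through to acl.conf's `{deny, all}` when nothing matches. The rows, client ids, topics and the "LIMIT 1" truncation are constructed for the example; ipaddr matching is left out.

```python
# Added example: models EMQX 4.4 emqx_auth_mysql ACL evaluation (first matching
# mqtt_acl row wins; no match falls through to acl.conf). Rows are constructed.

def topic_match(filt, topic):
    """MQTT wildcard match: '+' matches one level, '#' matches all remaining levels."""
    f, t = filt.split('/'), topic.split('/')
    for i, part in enumerate(f):
        if part == '#':
            return True
        if i >= len(t) or (part != '+' and part != t[i]):
            return False
    return len(f) == len(t)

# access codes used by the mqtt_acl table: 1 = subscribe, 2 = publish, 3 = both
SUB, PUB = 1, 2

def evaluate(rows, username, clientid, action, topic):
    """Return 'allow'/'deny' from the first matching row, or None to fall through."""
    for allow, _ipaddr, user, cid, access, filt in rows:   # ipaddr ignored here (assumption)
        if user not in (None, '', '$all', username):
            continue
        if cid not in (None, '', '$all', clientid):
            continue
        if access not in (action, 3):
            continue
        filt = filt.replace('%u', username).replace('%c', clientid)  # %u/%c placeholders
        if topic_match(filt, topic):
            return 'allow' if allow == 1 else 'deny'
    return None

# Constructed mqtt_acl rows in id order: (allow, ipaddr, username, clientid, access, topic)
ROWS = [
    (0, None, 'demo', None, 3, 'admin/#'),        # id 1: demo may neither pub nor sub under admin/
    (1, None, 'demo', None, 1, 'sensor/+/temp'),  # id 2: demo may subscribe to sensor/+/temp
    (1, None, '$all', None, 2, 'client/%c/#'),    # id 3: anyone may publish under its own clientid
]
ACL_CONF_DEFAULT = 'deny'   # the thread's acl.conf contains only {deny, all}.

def decide(rows, username, clientid, action, topic, limit=None):
    """Run the MySQL ACL (rows truncated as 'LIMIT n' would), then fall back to acl.conf."""
    verdict = evaluate(rows[:limit] if limit else rows, username, clientid, action, topic)
    return verdict if verdict is not None else ACL_CONF_DEFAULT

if __name__ == '__main__':
    # With LIMIT 1 only row id 1 is ever seen, so a legitimate subscribe is denied by acl.conf.
    for limit in (1, None):
        print(f"LIMIT {limit}:", decide(ROWS, 'demo', 'c1', SUB, 'sensor/kitchen/temp', limit))
```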