fix: deny subscribing to +/# by default ACL #13024

Merged May 14, 2024 (1 commit)

@zmstone zmstone commented May 13, 2024

Fixes: https://emqx.atlassian.net/browse/EMQX-12362
Release version: v/e5.8.0

Summary

Prior to this change, the EMQX default ACL has a deny rule to reject subscribing to `#`.
For completeness, the default ACL should also deny `+/#` because they are essentially equivalent.

The eunit tests do not seem to cover default ACL rules; automation will be covered in the QA env. Here is a manual test result:

```
mqttx sub -t '+/#' -h 192.168.31.216 -p 1883
[5/13/2024] [9:34:54 AM] › …  Connecting...
[5/13/2024] [9:34:54 AM] › ✔  Connected
[5/13/2024] [9:34:54 AM] › …  Subscribing to +/#...
[5/13/2024] [9:34:54 AM] › ✔  Subscribed to +/#
[5/13/2024] [9:34:54 AM] › ✖  Subscription negated to +/# with code 135
```

PR Checklist

Please convert it to a draft if any of the following conditions are not met. Reviewers may skip over until all the items are checked:

  • Added tests for the changes
  • Added property-based tests for code which performs user input validation
  • Changed lines covered in coverage report
  • Change log has been added to changes/(ce|ee)/(feat|perf|fix|breaking)-<PR-id>.en.md files
  • For internal contributor: there is a jira ticket to track this change
  • Created PR to emqx-docs if documentation update is required, or link to a follow-up jira ticket (docs: improve default authz, emqx-docs#2449)
  • Schema changes are backward compatible

Checklist for CI (.github/workflows) changes

  • If changed package build workflow, pass this action (manual trigger)
  • Change log has been added to changes/ dir for user-facing artifacts update
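
Why `#` and `+/#` are described above as essentially equivalent, shown as an added example (not code from this PR or from EMQX): a minimal topic-filter matcher following the MQTT wildcard rules, run over constructed sample topics. The literal-comparison deny list in `denied_by_literal_rule` is an assumed model of a deny rule, and all function names are hypothetical.

```python
# Added example: MQTT wildcard matching, not EMQX source code.

def filter_matches(topic_filter: str, topic: str) -> bool:
    """Return True if an MQTT topic filter matches a topic name."""
    f_levels, t_levels = topic_filter.split("/"), topic.split("/")
    # A filter that starts with a wildcard never matches $-prefixed topics.
    if topic.startswith("$") and f_levels[0] in ("#", "+"):
        return False
    for i, level in enumerate(f_levels):
        if level == "#":
            # '#' matches its parent level and every level below it.
            return True
        if i >= len(t_levels):
            return False
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)

# Constructed sample topic names.
SAMPLE_TOPICS = ["a", "a/b", "sensors/room1/temp", "/leading", "$SYS/brokers"]

def coverage(topic_filter: str) -> set:
    """Sample topics that a subscription to topic_filter would receive."""
    return {t for t in SAMPLE_TOPICS if filter_matches(topic_filter, t)}

def denied_by_literal_rule(requested: str, deny_list: list) -> bool:
    """Assumed model: the deny rule compares the requested filter string as-is."""
    return requested in deny_list

def audit(deny_list: list) -> dict:
    """For each catch-all filter, is the subscription rejected by deny_list?"""
    return {f: denied_by_literal_rule(f, deny_list) for f in ("#", "+/#")}

if __name__ == "__main__":
    print("same coverage:", coverage("#") == coverage("+/#"))
    print("deny list ['#']       ->", audit(["#"]))
    print("deny list ['#','+/#'] ->", audit(["#", "+/#"]))
```

Both filters cover the same non-`$` topics, so a deny list that names only `#` leaves the same subscription scope reachable through `+/#`.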

@zmstone zmstone requested review from JimMoen and a team as code owners May 13, 2024 07:23
Prior to this change, EMQX default ACL has a deny rule to reject
subscribing to `#`.
For completeness, the default ACL should also deny `+/#` because
they are essentially equivalent.
@zmstone zmstone force-pushed the 0513-deny-plush-hash-by-default-ACL branch from a72d582 to 290ebe2 Compare May 13, 2024 07:26
@zmstone zmstone merged commit 34bf291 into emqx:master May 14, 2024
171 checks passed
@zmstone zmstone deleted the 0513-deny-plush-hash-by-default-ACL branch May 14, 2024 07:43
emqxqa commented Jun 14, 2024

TestExecution
