fix: deny all subscribes to '#' topics in the default acl.conf
@@ -22,6 +22,8 @@ esac
echo "HOCON_ENV_OVERRIDE_PREFIX=EMQX_"
echo "EMQX_ZONES__DEFAULT__MQTT__RETRY_INTERVAL=2s"
echo "EMQX_ZONES__DEFAULT__MQTT__MAX_TOPIC_ALIAS=10"
+ echo "EMQX_AUTHORIZATION__SOURCES=[]"
+ echo "EMQX_AUTHORIZATION__NO_MATCH=allow"
} >> .ci/docker-compose-file/conf.cluster.env
is_node_up() {
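Review bot: The two added `echo` lines set `EMQX_AUTHORIZATION__SOURCES=[]` and `EMQX_AUTHORIZATION__NO_MATCH=allow`, so the CI cluster runs with no authorization source and no longer exercises the default acl.conf that this commit changes. The same override is added with `--set` in the workflow hunk that follows. If this is deliberate (presumably so test clients can keep subscribing to `#`), a comment above the lines would stop the values being copied into a real deployment, e.g. `# CI only: no authz sources, so the default deny on '#' does not block test subscriptions`. At least one test path should still load the default file-based rules, so that a regression in the new deny rule is caught. The enclosing `{ … }` group starts outside the hunk.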
@@ -186,6 +186,8 @@ jobs:
--set image.pullPolicy=Never \
--set emqxConfig.EMQX_ZONES__DEFAULT__MQTT__RETRY_INTERVAL=2s \
--set emqxConfig.EMQX_ZONES__DEFAULT__MQTT__MAX_TOPIC_ALIAS=10 \
+ --set emqxConfig.EMQX_AUTHORIZATION__SOURCES=[] \
+ --set emqxConfig.EMQX_AUTHORIZATION__NO_MATCH=allow \
deploy/charts/emqx \
--debug
@@ -26,3 +26,7 @@
{allow, {username, "^dashboard?"}, subscribe, ["$SYS/#"]}.
{allow, {ipaddr, "127.0.0.1"}, all, ["$SYS/#", "#"]}.
+
+{deny, all, subscribe, ["$SYS/#", {eq, "#"}]}.
+{allow, all}.
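Review bot: `{eq, "#"}` in the added deny rule matches only the literal filter `#`, so other wildcard filters that cover large parts of the topic tree still fall through to `{allow, all}`. The `"$SYS/#"` entry, by contrast, is an ordinary filter match and denies every `$SYS` subscription not allowed by the rules above it. That scope is worth stating in the file, e.g. `%% Denies only the exact '#' filter and $SYS/#; other wildcard subscriptions are still allowed by the final rule.` The dashboard and 127.0.0.1 exceptions appear to depend on being evaluated before this rule, so the comment should also say that their position matters. Operators who want default-deny would need to replace the trailing `{allow, all}` rather than rely on this rule.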
@@ -329,7 +329,7 @@ authorize(
'client.check_authz_complete',
[Client, PubSub, Topic, deny, AuthzSource]
),
- ?SLOG(info, #{
+ ?SLOG(warning, #{
msg => "authorization_permission_denied",
username => Username,
ipaddr => IpAddress,
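Review bot: Raising `authorization_permission_denied` to `warning` means a client that keeps retrying a denied topic can now produce one warning-level entry per attempt, because the event is driven by client requests. The higher level helps detection, but together with the new default deny on `#` it could add noticeable log volume on a busy broker. Whether log throttling or overload protection covers this call is not visible in the hunk and should be confirmed. A short comment above the macro would record the intent, e.g. `%% warning: denials are security-relevant; volume relies on log throttling (confirm)`. The `?SLOG` map and the enclosing `authorize` clause continue outside the hunk.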
@@ -940,7 +940,7 @@ until the RPC connection is considered lost."""
log_file_handlers {
desc {
- en: """file-based log handlers."""
+ en: """File-based log handlers."""
zh: """输出到文件的日志处理进程列表"""
}
label {