From 377127ce72ff1b3f86ba5d64145dc49f07a6145e Mon Sep 17 00:00:00 2001 From: JianBo He Date: Mon, 20 Mar 2023 13:53:57 +0800 Subject: [PATCH 1/5] fix(acl): fix wrong default ACL rules --- apps/emqx_authz/etc/acl.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/emqx_authz/etc/acl.conf b/apps/emqx_authz/etc/acl.conf index d39490d46..32a693ab8 100644 --- a/apps/emqx_authz/etc/acl.conf +++ b/apps/emqx_authz/etc/acl.conf @@ -23,7 +23,7 @@ %% -type(rule() :: {permission(), who(), access(), topics()} | {permission(), all}). %%-------------------------------------------------------------------- -{allow, {username, "^dashboard?"}, subscribe, ["$SYS/#"]}. +{allow, {username, {re, "^dashboard?"}}, subscribe, ["$SYS/#"]}. {allow, {ipaddr, "127.0.0.1"}, all, ["$SYS/#", "#"]}. From 5b9867dc13cac1d917e1b4a47df17c36cf90674c Mon Sep 17 00:00:00 2001 From: JianBo He Date: Mon, 20 Mar 2023 14:01:05 +0800 Subject: [PATCH 2/5] chore: add changes --- changes/ce/fix-10172.en.md | 9 +++++++++ changes/ce/fix-10172.zh.md | 8 ++++++++ 2 files changed, 17 insertions(+) create mode 100644 changes/ce/fix-10172.en.md create mode 100644 changes/ce/fix-10172.zh.md diff --git a/changes/ce/fix-10172.en.md b/changes/ce/fix-10172.en.md new file mode 100644 index 000000000..14757e44d --- /dev/null +++ b/changes/ce/fix-10172.en.md @@ -0,0 +1,9 @@ +Fix the incorrect default ACL rule, which was: +``` +{allow, {username, "^dashboard?"}, subscribe, ["$SYS/#"]}. +``` + +However, it should use `{re, "^dashboard?"}` to perform a regular expression match: +``` +{allow, {username, {re,"^dashboard?"}}, subscribe ,["$SYS/#"]}. +``` diff --git a/changes/ce/fix-10172.zh.md b/changes/ce/fix-10172.zh.md new file mode 100644 index 000000000..b4a405c4c --- /dev/null +++ b/changes/ce/fix-10172.zh.md 
@@ -0,0 +1,8 @@ +修复错误的默认 ACL 规则,之前是: +``` +{allow, {username, "^dashboard?"}, subscribe, ["$SYS/#"]}. +``` +但执行正则表达式的匹配应该使用 `{re, "^dashboard?”}`: +``` +{allow, {username, {re, "^dashboard?"}}, subscribe, ["$SYS/#"]}. +``` From b059bad08aca12315a6ebeb3149f27114b111e8a Mon Sep 17 00:00:00 2001 From: JianBo He Date: Tue, 21 Mar 2023 09:06:46 +0800 Subject: [PATCH 3/5] chore(acl): fully match `dashboard` username Co-authored-by: Ilya Averyanov --- apps/emqx_authz/etc/acl.conf | 2 +- changes/ce/fix-10172.en.md | 4 ++-- changes/ce/fix-10172.zh.md | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/apps/emqx_authz/etc/acl.conf b/apps/emqx_authz/etc/acl.conf index 32a693ab8..a64287a4a 100644 --- a/apps/emqx_authz/etc/acl.conf +++ b/apps/emqx_authz/etc/acl.conf @@ -23,7 +23,7 @@ %% -type(rule() :: {permission(), who(), access(), topics()} | {permission(), all}). %%-------------------------------------------------------------------- -{allow, {username, {re, "^dashboard?"}}, subscribe, ["$SYS/#"]}. +{allow, {username, {re, "^dashboard$"}}, subscribe, ["$SYS/#"]}. {allow, {ipaddr, "127.0.0.1"}, all, ["$SYS/#", "#"]}. diff --git a/changes/ce/fix-10172.en.md b/changes/ce/fix-10172.en.md index 14757e44d..821bfbfe0 100644 --- a/changes/ce/fix-10172.en.md +++ b/changes/ce/fix-10172.en.md @@ -1,9 +1,9 @@ Fix the incorrect default ACL rule, which was: ``` -{allow, {username, "^dashboard?"}, subscribe, ["$SYS/#"]}. +{allow, {username, "^dashboard$"}, subscribe, ["$SYS/#"]}. ``` -However, it should use `{re, "^dashboard?"}` to perform a regular expression match: +However, it should use `{re, "^dashboard$"}` to perform a regular expression match: ``` {allow, {username, {re,"^dashboard?"}}, subscribe ,["$SYS/#"]}. ``` diff --git a/changes/ce/fix-10172.zh.md b/changes/ce/fix-10172.zh.md index b4a405c4c..1111c7613 100644 --- a/changes/ce/fix-10172.zh.md +++ b/changes/ce/fix-10172.zh.md 
@@ -1,6 +1,6 @@ 修复错误的默认 ACL 规则,之前是: ``` -{allow, {username, "^dashboard?"}, subscribe, ["$SYS/#"]}. +{allow, {username, "^dashboard$"}, subscribe, ["$SYS/#"]}. ``` 但执行正则表达式的匹配应该使用 `{re, "^dashboard?”}`: ``` From 84636a35752adeabead6308b4a0fe347b1b414ea Mon Sep 17 00:00:00 2001 From: JianBo He Date: Tue, 21 Mar 2023 09:10:20 +0800 Subject: [PATCH 4/5] chore: improve changes --- changes/ce/fix-10172.en.md | 4 ++-- changes/ce/fix-10172.zh.md | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/changes/ce/fix-10172.en.md b/changes/ce/fix-10172.en.md index 821bfbfe0..8a0c5c96e 100644 --- a/changes/ce/fix-10172.en.md +++ b/changes/ce/fix-10172.en.md @@ -1,9 +1,9 @@ Fix the incorrect default ACL rule, which was: ``` -{allow, {username, "^dashboard$"}, subscribe, ["$SYS/#"]}. +{allow, {username, "^dashboard?"}, subscribe, ["$SYS/#"]}. ``` However, it should use `{re, "^dashboard$"}` to perform a regular expression match: ``` -{allow, {username, {re,"^dashboard?"}}, subscribe ,["$SYS/#"]}. +{allow, {username, {re,"^dashboard$"}}, subscribe ,["$SYS/#"]}. ``` diff --git a/changes/ce/fix-10172.zh.md b/changes/ce/fix-10172.zh.md index 1111c7613..bfdfab60c 100644 --- a/changes/ce/fix-10172.zh.md +++ b/changes/ce/fix-10172.zh.md @@ -1,8 +1,8 @@ 修复错误的默认 ACL 规则,之前是: ``` -{allow, {username, "^dashboard$"}, subscribe, ["$SYS/#"]}. +{allow, {username, "^dashboard?"}, subscribe, ["$SYS/#"]}. ``` -但执行正则表达式的匹配应该使用 `{re, "^dashboard?”}`: +但执行正则表达式的匹配应该使用 `{re, "^dashboard$"}`: ``` -{allow, {username, {re, "^dashboard?"}}, subscribe, ["$SYS/#"]}. +{allow, {username, {re, "^dashboard$"}}, subscribe, ["$SYS/#"]}. ``` From db97b36cd6e25ce8367ab27e80a8af931b87c917 Mon Sep 17 00:00:00 2001 From: JianBo He Date: Thu, 23 Mar 2023 11:47:12 +0800 Subject: [PATCH 5/5] chore: update changes/ce/fix-10172.en.md Co-authored-by: Andrew Mayorov --- changes/ce/fix-10172.en.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/changes/ce/fix-10172.en.md b/changes/ce/fix-10172.en.md index 8a0c5c96e..d5cec50f8 100644 --- a/changes/ce/fix-10172.en.md +++ b/changes/ce/fix-10172.en.md @@ -5,5 +5,5 @@ Fix the incorrect default ACL rule, which was: However, it should use `{re, "^dashboard$"}` to perform a regular expression match: ``` -{allow, {username, {re,"^dashboard$"}}, subscribe ,["$SYS/#"]}. +{allow, {username, {re,"^dashboard$"}}, subscribe, ["$SYS/#"]}. ```
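Review bot: In PATCH 1/5, the `{re, "^dashboard?"}` added to apps/emqx_authz/etc/acl.conf is broader than a single account: `?` makes the final `d` optional and there is no end anchor, so once the string is evaluated as a regular expression, any username beginning with `dashboar` is allowed to subscribe to `$SYS/#`. Anchor the pattern to the exact name, for example `{re, "^dashboard$"}`. PATCH 3/5 does this, and folding it into this commit would avoid an intermediate revision that ships the broad rule. The series touches only acl.conf and the changelog files, so a test asserting that `dashboard` matches and a near miss such as `dashboard2` does not would keep this default from regressing.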
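Review bot: In PATCH 2/5, changes/ce/fix-10172.en.md says the default rule was incorrect but not what that meant for operators: state that the old entry was not evaluated as a regular expression and which usernames the corrected entry matches, so readers can judge whether their `$SYS/#` access changes. The corrected example is also spaced differently from the acl.conf line (`{re,"^dashboard?"}}, subscribe ,[`), and the inline snippet in fix-10172.zh.md closes with a typographic quote (`"^dashboard?”`), which will not paste as valid config.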
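Review bot: In PATCH 3/5, the changelog hunks edit the wrong lines: in fix-10172.en.md the "which was" example becomes `"^dashboard$"` although the rule being replaced was `"^dashboard?"`, while the corrected example below it still shows `{re,"^dashboard?"}`; fix-10172.zh.md gets the same swap. Keep the "before" snippet unchanged and update only the `{re, ...}` lines (PATCH 4/5 does this, so the two commits could be squashed). On the acl.conf hunk, `$` in PCRE-style engines also matches just before a trailing newline unless the pattern is compiled to disallow it; how the authz module compiles the pattern is not visible in this patch, so it is worth confirming that a username of `dashboard` followed by a newline is rejected.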
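Review bot: In PATCH 5/5, the corrected line fixes `subscribe ,` but still reads `{re,"^dashboard$"}` with no space after the comma, unlike `{re, "^dashboard$"}` in acl.conf and in fix-10172.zh.md. Make the example in fix-10172.en.md identical to the shipped rule so it can be compared or copied directly.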