diff --git a/apps/emqx_auth_http/src/emqx_acl_http.erl b/apps/emqx_auth_http/src/emqx_acl_http.erl
index 3decdbf6d..e18527179 100644
--- a/apps/emqx_auth_http/src/emqx_acl_http.erl
+++ b/apps/emqx_auth_http/src/emqx_acl_http.erl
@@ -44,7 +44,10 @@ check_acl(ClientInfo, PubSub, Topic, _AclResult, #{acl := ACLParams = #{path :=
 Username = maps:get(username, ClientInfo1, undefined),
 case check_acl_request(ACLParams, ClientInfo1) of
 {ok, 200, <<"ignore">>} -> ok;
- {ok, 200, _Body} -> {stop, allow};
+ {ok, 200, _Body} ->
+ ?LOG(debug, "Allow ~s to topic ~ts, username: ~ts",
+ [PubSub, Topic, Username]),
+ {stop, allow};
 {ok, Code, _Body} ->
 ?LOG(warning, "Deny ~s to topic ~ts, username: ~ts, http response code: ~p",
 [PubSub, Topic, Username, Code]),
@@ -74,4 +77,3 @@ check_acl_request(ACLParams =
 access(subscribe) -> 1;
 access(publish) -> 2.
-
diff --git a/apps/emqx_auth_http/src/emqx_auth_http.app.src b/apps/emqx_auth_http/src/emqx_auth_http.app.src
index 7f05e6c7e..a870575ce 100644
--- a/apps/emqx_auth_http/src/emqx_auth_http.app.src
+++ b/apps/emqx_auth_http/src/emqx_auth_http.app.src
@@ -1,6 +1,6 @@
 {application, emqx_auth_http,
 [{description, "EMQ X Authentication/ACL with HTTP API"},
- {vsn, "4.3.10"}, % strict semver, bump manually!
+ {vsn, "4.3.11"}, % strict semver, bump manually!
 {modules, []},
 {registered, [emqx_auth_http_sup]},
 {applications, [kernel,stdlib,ehttpc]},
diff --git a/apps/emqx_auth_http/src/emqx_auth_http.appup.src b/apps/emqx_auth_http/src/emqx_auth_http.appup.src
index 6de6453d8..3f167d768 100644
--- a/apps/emqx_auth_http/src/emqx_auth_http.appup.src
+++ b/apps/emqx_auth_http/src/emqx_auth_http.appup.src
@@ -1,7 +1,13 @@ %% -*- mode: erlang -*- %% Unless you know what you are doing, DO NOT edit manually!! {VSN, - [{"4.3.9",[{load_module,emqx_auth_http_app,brutal_purge,soft_purge,[]}]}, + [{"4.3.10", + [{load_module,emqx_auth_http,brutal_purge,soft_purge,[]}, + {load_module,emqx_acl_http,brutal_purge,soft_purge,[]}]}, + {"4.3.9", + [{load_module,emqx_auth_http,brutal_purge,soft_purge,[]}, + {load_module,emqx_acl_http,brutal_purge,soft_purge,[]}, + {load_module,emqx_auth_http_app,brutal_purge,soft_purge,[]}]}, {"4.3.8", [{load_module,emqx_auth_http_app,brutal_purge,soft_purge,[]}, {load_module,emqx_auth_http,brutal_purge,soft_purge,[]}, @@ -39,7 +45,13 @@ {load_module,emqx_auth_http_cli,brutal_purge,soft_purge,[]}]}, {<<"4.3.[0-1]">>,[{restart_application,emqx_auth_http}]}, {<<".*">>,[]}], - [{"4.3.9",[{load_module,emqx_auth_http_app,brutal_purge,soft_purge,[]}]}, + [{"4.3.10", + [{load_module,emqx_auth_http,brutal_purge,soft_purge,[]}, + {load_module,emqx_acl_http,brutal_purge,soft_purge,[]}]}, + {"4.3.9", + [{load_module,emqx_auth_http,brutal_purge,soft_purge,[]}, + {load_module,emqx_acl_http,brutal_purge,soft_purge,[]}, + {load_module,emqx_auth_http_app,brutal_purge,soft_purge,[]}]}, {"4.3.8", [{load_module,emqx_auth_http_app,brutal_purge,soft_purge,[]}, {load_module,emqx_auth_http,brutal_purge,soft_purge,[]}, diff --git a/apps/emqx_auth_http/src/emqx_auth_http.erl b/apps/emqx_auth_http/src/emqx_auth_http.erl index aad08e7b6..c7710ae94 100644 --- a/apps/emqx_auth_http/src/emqx_auth_http.erl +++ b/apps/emqx_auth_http/src/emqx_auth_http.erl 
@@ -41,19 +41,20 @@ check(ClientInfo, AuthResult, #{auth := AuthParms = #{path := Path}, {ok, 200, <<"ignore">>} -> ok; {ok, 200, Body} -> + ?LOG(debug, "Auth succeeded from path: ~ts, username: ~ts", [Path, Username]), IsSuperuser = is_superuser(SuperParams, ClientInfo), {stop, AuthResult#{is_superuser => IsSuperuser, auth_result => success, anonymous => false, mountpoint => mountpoint(Body, ClientInfo)}}; {ok, Code, _Body} -> - ?LOG(warning, "Deny connection from path: ~s, username: ~ts, http " + ?LOG(warning, "Deny connection from path: ~ts, username: ~ts, http " "response code: ~p", [Path, Username, Code]), {stop, AuthResult#{auth_result => http_to_connack_error(Code), anonymous => false}}; {error, Error} -> - ?LOG_SENSITIVE(warning, "Deny connection from path: ~s, username: ~ts, due to " + ?LOG_SENSITIVE(warning, "Deny connection from path: ~ts, username: ~ts, due to " "request http-server failed: ~0p", [Path, Username, Error]), %%FIXME later: server_unavailable is not right. {stop, AuthResult#{auth_result => server_unavailable, diff --git a/apps/emqx_auth_jwt/src/emqx_auth_jwt.appup.src b/apps/emqx_auth_jwt/src/emqx_auth_jwt.appup.src index 9f6ac4b9b..1407592b0 100644 --- a/apps/emqx_auth_jwt/src/emqx_auth_jwt.appup.src +++ b/apps/emqx_auth_jwt/src/emqx_auth_jwt.appup.src 
@@ -1,13 +1,17 @@ %% -*- mode: erlang -*- %% Unless you know what you are doing, DO NOT edit manually!! {VSN, - [{"4.4.8",[{load_module,emqx_auth_jwt_svr,brutal_purge,soft_purge,[]}]}, + [{"4.4.8", + [{load_module,emqx_auth_jwt,brutal_purge,soft_purge,[]}, + {load_module,emqx_auth_jwt_svr,brutal_purge,soft_purge,[]}]}, {<<"4\\.4\\.[2-7]">>, [{load_module,emqx_auth_jwt_svr,brutal_purge,soft_purge,[]}, {load_module,emqx_auth_jwt,brutal_purge,soft_purge,[]}]}, {<<"4\\.4\\.[0-1]">>,[{restart_application,emqx_auth_jwt}]}, {<<".*">>,[]}], - [{"4.4.8",[{load_module,emqx_auth_jwt_svr,brutal_purge,soft_purge,[]}]}, + [{"4.4.8", + [{load_module,emqx_auth_jwt,brutal_purge,soft_purge,[]}, + {load_module,emqx_auth_jwt_svr,brutal_purge,soft_purge,[]}]}, {<<"4\\.4\\.[2-7]">>, [{load_module,emqx_auth_jwt_svr,brutal_purge,soft_purge,[]}, {load_module,emqx_auth_jwt,brutal_purge,soft_purge,[]}]},
diff --git a/apps/emqx_auth_jwt/src/emqx_auth_jwt.erl b/apps/emqx_auth_jwt/src/emqx_auth_jwt.erl
index 63a59b5ec..dd3b2dbc9 100644
--- a/apps/emqx_auth_jwt/src/emqx_auth_jwt.erl
+++ b/apps/emqx_auth_jwt/src/emqx_auth_jwt.erl
@@ -51,8 +51,14 @@ check_auth(ClientInfo, AuthResult, #{from := From, checklists := Checklists}) ->
 {error, not_token} ->
 ok;
 {error, Reason} ->
+ ?LOG_SENSITIVE(debug,
+ "Auth from JWT failed, Client: ~p, Reason: ~p",
+ [ClientInfo, Reason]),
 {stop, AuthResult#{auth_result => Reason, anonymous => false}};
 {ok, Claims} ->
+ ?LOG_SENSITIVE(debug,
+ "Auth from JWT succeeded, Client: ~p",
+ [ClientInfo]),
 {stop, maps:merge(AuthResult, verify_claims(Checklists, Claims, ClientInfo))}
 end
 end.
diff --git a/apps/emqx_auth_ldap/src/emqx_acl_ldap.erl b/apps/emqx_auth_ldap/src/emqx_acl_ldap.erl
index d01eace21..8faeed913 100644
--- a/apps/emqx_auth_ldap/src/emqx_acl_ldap.erl
+++ b/apps/emqx_auth_ldap/src/emqx_acl_ldap.erl
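Review bot: Both `?LOG_SENSITIVE` calls added to `check_auth` in emqx_auth_jwt.erl print the entire `ClientInfo` map with `~p`, and since `from := From` in the head suggests the token is read from one of that map's fields, the debug log presumably ends up holding the raw JWT. `?LOG_SENSITIVE` is defined outside this diff, so unless it is confirmed to redact credential fields, log only what identifies the client, e.g. `[maps:get(clientid, ClientInfo, undefined), Reason]`. The same `Client: ~p` / `[ClientInfo]` pattern is added in the LDAP, Mnesia, MongoDB, MySQL, PostgreSQL and Redis hunks, and the `check` heads in the LDAP, MongoDB, MySQL and PostgreSQL hunks visibly match `password := Password` out of that map. The body of check_auth begins above this hunk.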
@@ -29,8 +29,16 @@ check_acl(ClientInfo, PubSub, Topic, NoMatchAction, State) ->
 case do_check_acl(ClientInfo, PubSub, Topic, NoMatchAction, State) of
 ok -> ok;
- {stop, allow} -> {stop, allow};
- {stop, deny} -> {stop, deny}
+ {stop, allow} ->
+ ?LOG_SENSITIVE(debug,
+ "[LDAP] Allow Topic: ~p, Action: ~p for Client: ~p",
+ [Topic, PubSub, ClientInfo]),
+ {stop, allow};
+ {stop, deny} ->
+ ?LOG_SENSITIVE(debug,
+ "[LDAP] Deny Topic: ~p, Action: ~p for Client: ~p",
+ [Topic, PubSub, ClientInfo]),
+ {stop, deny}
 end.
 do_check_acl(#{username := <<$$, _/binary>>}, _PubSub, _Topic, _NoMatchAction, _State) ->
diff --git a/apps/emqx_auth_ldap/src/emqx_auth_ldap.app.src b/apps/emqx_auth_ldap/src/emqx_auth_ldap.app.src
index 48dc39bc9..4bee1aefa 100644
--- a/apps/emqx_auth_ldap/src/emqx_auth_ldap.app.src
+++ b/apps/emqx_auth_ldap/src/emqx_auth_ldap.app.src
@@ -1,6 +1,6 @@
 {application, emqx_auth_ldap,
 [{description, "EMQ X Authentication/ACL with LDAP"},
- {vsn, "4.3.6"}, % strict semver, bump manually!
+ {vsn, "4.3.7"}, % strict semver, bump manually!
 {modules, []},
 {registered, [emqx_auth_ldap_sup]},
 {applications, [kernel,stdlib,eldap2,ecpool]},
diff --git a/apps/emqx_auth_ldap/src/emqx_auth_ldap.appup.src b/apps/emqx_auth_ldap/src/emqx_auth_ldap.appup.src
index 632067873..01b29895f 100644
--- a/apps/emqx_auth_ldap/src/emqx_auth_ldap.appup.src
+++ b/apps/emqx_auth_ldap/src/emqx_auth_ldap.appup.src
@@ -1,7 +1,10 @@ %% -*- mode: erlang -*- %% Unless you know what you are doing, DO NOT edit manually!! {VSN, - [{"4.3.5", + [{"4.3.6", + [{load_module,emqx_acl_ldap,brutal_purge,soft_purge,[]}, + {load_module,emqx_auth_ldap,brutal_purge,soft_purge,[]}]}, + {"4.3.5", [{load_module,emqx_acl_ldap,brutal_purge,soft_purge,[]}, {load_module,emqx_auth_ldap,brutal_purge,soft_purge,[]}, {load_module,emqx_auth_ldap_cli,brutal_purge,soft_purge,[]}]},
@@ -21,7 +24,10 @@ {load_module,emqx_acl_ldap,brutal_purge,soft_purge,[]}, {load_module,emqx_auth_ldap_cli,brutal_purge,soft_purge,[]}]}, {<<".*">>,[]}], - [{"4.3.5", + [{"4.3.6", + [{load_module,emqx_acl_ldap,brutal_purge,soft_purge,[]}, + {load_module,emqx_auth_ldap,brutal_purge,soft_purge,[]}]}, + {"4.3.5", [{load_module,emqx_acl_ldap,brutal_purge,soft_purge,[]}, {load_module,emqx_auth_ldap,brutal_purge,soft_purge,[]}, {load_module,emqx_auth_ldap_cli,brutal_purge,soft_purge,[]}]}, diff --git a/apps/emqx_auth_ldap/src/emqx_auth_ldap.erl b/apps/emqx_auth_ldap/src/emqx_auth_ldap.erl index 33fa91618..d1d73784d 100644 --- a/apps/emqx_auth_ldap/src/emqx_auth_ldap.erl +++ b/apps/emqx_auth_ldap/src/emqx_auth_ldap.erl @@ -58,6 +58,9 @@ check(ClientInfo = #{username := Username, password := Password}, AuthResult, end, case CheckResult of ok -> + ?LOG_SENSITIVE(debug, + "[LDAP] Auth from ldap succeeded, Client: ~p", + [ClientInfo]), {stop, AuthResult#{auth_result => success, anonymous => false}}; {error, not_found} -> ok; diff --git a/apps/emqx_auth_mnesia/src/emqx_acl_mnesia.erl b/apps/emqx_auth_mnesia/src/emqx_acl_mnesia.erl index 576977ec1..928dcc608 100644 --- a/apps/emqx_auth_mnesia/src/emqx_acl_mnesia.erl +++ b/apps/emqx_auth_mnesia/src/emqx_acl_mnesia.erl @@ -17,6 +17,7 @@ -module(emqx_acl_mnesia). -include("emqx_auth_mnesia.hrl"). +-include_lib("emqx/include/logger.hrl"). %% ACL Callbacks -export([ init/0 @@ -43,8 +44,14 @@ check_acl(ClientInfo = #{ clientid := Clientid }, PubSub, Topic, _NoMatchAction, case match(ClientInfo, PubSub, Topic, Acls) of allow -> + ?LOG_SENSITIVE(debug, + "[Mnesia] Allow Topic: ~p, Action: ~p for Client: ~p", + [Topic, PubSub, ClientInfo]), {stop, allow}; deny -> + ?LOG_SENSITIVE(debug, + "[Mnesia] Deny Topic: ~p, Action: ~p for Client: ~p", + [Topic, PubSub, ClientInfo]), {stop, deny}; _ -> ok 
diff --git a/apps/emqx_auth_mnesia/src/emqx_auth_mnesia.app.src b/apps/emqx_auth_mnesia/src/emqx_auth_mnesia.app.src index 3bce055f6..c8298c146 100644 --- a/apps/emqx_auth_mnesia/src/emqx_auth_mnesia.app.src +++ b/apps/emqx_auth_mnesia/src/emqx_auth_mnesia.app.src @@ -1,6 +1,6 @@ {application, emqx_auth_mnesia, [{description, "EMQ X Authentication with Mnesia"}, - {vsn, "4.3.10"}, % strict semver, bump manually + {vsn, "4.3.11"}, % strict semver, bump manually {modules, []}, {registered, []}, {applications, [kernel,stdlib,mnesia]}, diff --git a/apps/emqx_auth_mnesia/src/emqx_auth_mnesia.appup.src b/apps/emqx_auth_mnesia/src/emqx_auth_mnesia.appup.src index 82bff332d..36e4437fd 100644 --- a/apps/emqx_auth_mnesia/src/emqx_auth_mnesia.appup.src +++ b/apps/emqx_auth_mnesia/src/emqx_auth_mnesia.appup.src 
@@ -1,13 +1,25 @@ %% -*- mode: erlang -*- %% Unless you know what you are doing, DO NOT edit manually!! {VSN, - [{"4.3.9",[{load_module,emqx_acl_mnesia_cli,brutal_purge,soft_purge,[]}]}, - {"4.3.8",[{load_module,emqx_acl_mnesia_cli,brutal_purge,soft_purge,[]}]}, + [{"4.3.10", + [{load_module,emqx_auth_mnesia,brutal_purge,soft_purge,[]}, + {load_module,emqx_acl_mnesia,brutal_purge,soft_purge,[]}]}, + {"4.3.9", + [{load_module,emqx_auth_mnesia,brutal_purge,soft_purge,[]}, + {load_module,emqx_acl_mnesia,brutal_purge,soft_purge,[]}, + {load_module,emqx_acl_mnesia_cli,brutal_purge,soft_purge,[]}]}, + {"4.3.8", + [{load_module,emqx_auth_mnesia,brutal_purge,soft_purge,[]}, + {load_module,emqx_acl_mnesia,brutal_purge,soft_purge,[]}, + {load_module,emqx_acl_mnesia_cli,brutal_purge,soft_purge,[]}]}, {"4.3.7", - [{load_module,emqx_auth_mnesia_api,brutal_purge,soft_purge,[]}, + [{load_module,emqx_auth_mnesia,brutal_purge,soft_purge,[]}, + {load_module,emqx_acl_mnesia,brutal_purge,soft_purge,[]}, + {load_module,emqx_auth_mnesia_api,brutal_purge,soft_purge,[]}, {load_module,emqx_acl_mnesia_cli,brutal_purge,soft_purge,[]}]}, {<<"4\\.3\\.[5-6]">>, - [{load_module,emqx_auth_mnesia_app,brutal_purge,soft_purge,[]}, + [{load_module,emqx_acl_mnesia,brutal_purge,soft_purge,[]}, + {load_module,emqx_auth_mnesia_app,brutal_purge,soft_purge,[]}, {load_module,emqx_auth_mnesia,brutal_purge,soft_purge,[]}, {load_module,emqx_auth_mnesia_api,brutal_purge,soft_purge,[]}, {load_module,emqx_acl_mnesia_db,brutal_purge,soft_purge,[]}, 
@@ -35,13 +47,25 @@ {load_module,emqx_acl_mnesia_cli,brutal_purge,soft_purge,[]}, {load_module,emqx_auth_mnesia_app,brutal_purge,soft_purge,[]}]}, {<<".*">>,[]}], - [{"4.3.9",[{load_module,emqx_acl_mnesia_cli,brutal_purge,soft_purge,[]}]}, - {"4.3.8",[{load_module,emqx_acl_mnesia_cli,brutal_purge,soft_purge,[]}]}, + [{"4.3.10", + [{load_module,emqx_auth_mnesia,brutal_purge,soft_purge,[]}, + {load_module,emqx_acl_mnesia,brutal_purge,soft_purge,[]}]}, + {"4.3.9", + [{load_module,emqx_auth_mnesia,brutal_purge,soft_purge,[]}, + {load_module,emqx_acl_mnesia,brutal_purge,soft_purge,[]}, + {load_module,emqx_acl_mnesia_cli,brutal_purge,soft_purge,[]}]}, + {"4.3.8", + [{load_module,emqx_auth_mnesia,brutal_purge,soft_purge,[]}, + {load_module,emqx_acl_mnesia,brutal_purge,soft_purge,[]}, + {load_module,emqx_acl_mnesia_cli,brutal_purge,soft_purge,[]}]}, {"4.3.7", - [{load_module,emqx_auth_mnesia_api,brutal_purge,soft_purge,[]}, + [{load_module,emqx_auth_mnesia,brutal_purge,soft_purge,[]}, + {load_module,emqx_acl_mnesia,brutal_purge,soft_purge,[]}, + {load_module,emqx_auth_mnesia_api,brutal_purge,soft_purge,[]}, {load_module,emqx_acl_mnesia_cli,brutal_purge,soft_purge,[]}]}, {<<"4\\.3\\.[5-6]">>, - [{load_module,emqx_auth_mnesia_app,brutal_purge,soft_purge,[]}, + [{load_module,emqx_acl_mnesia,brutal_purge,soft_purge,[]}, + {load_module,emqx_auth_mnesia_app,brutal_purge,soft_purge,[]}, {load_module,emqx_auth_mnesia,brutal_purge,soft_purge,[]}, {load_module,emqx_auth_mnesia_api,brutal_purge,soft_purge,[]}, {load_module,emqx_acl_mnesia_db,brutal_purge,soft_purge,[]}, diff --git a/apps/emqx_auth_mnesia/src/emqx_auth_mnesia.erl b/apps/emqx_auth_mnesia/src/emqx_auth_mnesia.erl index 5a36be59b..35bea5fde 100644 --- a/apps/emqx_auth_mnesia/src/emqx_auth_mnesia.erl +++ b/apps/emqx_auth_mnesia/src/emqx_auth_mnesia.erl 
@@ -70,6 +70,9 @@ check(ClientInfo = #{ clientid := Clientid
 ?LOG(info, "[Mnesia] Auth from mnesia failed: ~p", [Info]),
 {stop, AuthResult#{anonymous => false, auth_result => password_error}};
 _ ->
+ ?LOG_SENSITIVE(debug,
+ "[Mnesia] Auth from mnesia succeeded, Client: ~p",
+ [ClientInfo]),
 {stop, AuthResult#{anonymous => false, auth_result => success}}
 end
 end.
diff --git a/apps/emqx_auth_mongo/src/emqx_acl_mongo.erl b/apps/emqx_auth_mongo/src/emqx_acl_mongo.erl
index a7487dd07..2f069478b 100644
--- a/apps/emqx_auth_mongo/src/emqx_acl_mongo.erl
+++ b/apps/emqx_auth_mongo/src/emqx_acl_mongo.erl
@@ -38,8 +38,16 @@ check_acl(ClientInfo, PubSub, Topic, _AclResult, Env = #{aclquery := AclQuery})
 [] -> ok;
 Rows ->
 try match(ClientInfo, Topic, topics(PubSub, Rows)) of
- matched -> {stop, allow};
- nomatch -> {stop, deny}
+ matched ->
+ ?LOG_SENSITIVE(debug,
+ "[MongoDB] Allow Topic: ~p, Action: ~p for Client: ~p",
+ [Topic, PubSub, ClientInfo]),
+ {stop, allow};
+ nomatch ->
+ ?LOG_SENSITIVE(debug,
+ "[MongoDB] Deny Topic: ~p, Action: ~p for Client: ~p",
+ [Topic, PubSub, ClientInfo]),
+ {stop, deny}
 catch
 _Err:Reason->
 ?LOG(error, "[MongoDB] Check mongo ~p ACL failed, got ACL config: ~p, error: :~p",
diff --git a/apps/emqx_auth_mongo/src/emqx_auth_mongo.app.src b/apps/emqx_auth_mongo/src/emqx_auth_mongo.app.src
index 2849fe0a8..0677f118b 100644
--- a/apps/emqx_auth_mongo/src/emqx_auth_mongo.app.src
+++ b/apps/emqx_auth_mongo/src/emqx_auth_mongo.app.src
@@ -1,6 +1,6 @@
 {application, emqx_auth_mongo,
 [{description, "EMQ X Authentication/ACL with MongoDB"},
- {vsn, "4.4.5"}, % strict semver, bump manually!
+ {vsn, "4.4.6"}, % strict semver, bump manually!
 {modules, []},
 {registered, [emqx_auth_mongo_sup]},
 {applications, [kernel,stdlib,mongodb,ecpool]},
diff --git a/apps/emqx_auth_mongo/src/emqx_auth_mongo.appup.src b/apps/emqx_auth_mongo/src/emqx_auth_mongo.appup.src
index eb62a4a57..b3c2b92ef 100644
--- a/apps/emqx_auth_mongo/src/emqx_auth_mongo.appup.src
+++ b/apps/emqx_auth_mongo/src/emqx_auth_mongo.appup.src @@ -1,12 +1,19 @@ %% -*- mode: erlang -*- %% Unless you know what you are doing, DO NOT edit manually!! {VSN, - [{"4.4.4",[{load_module,emqx_auth_mongo,brutal_purge,soft_purge,[]}]}, + [{"4.4.5", + [{load_module,emqx_acl_mongo,brutal_purge,soft_purge,[]}, + {load_module,emqx_auth_mongo,brutal_purge,soft_purge,[]}]}, + {"4.4.4", + [{load_module,emqx_acl_mongo,brutal_purge,soft_purge,[]}, + {load_module,emqx_auth_mongo,brutal_purge,soft_purge,[]}]}, {<<"4\\.4\\.[2-3]">>, - [{load_module,emqx_auth_mongo_app,brutal_purge,soft_purge,[]}, + [{load_module,emqx_acl_mongo,brutal_purge,soft_purge,[]}, + {load_module,emqx_auth_mongo_app,brutal_purge,soft_purge,[]}, {load_module,emqx_auth_mongo,brutal_purge,soft_purge,[]}]}, {"4.4.1", - [{load_module,emqx_auth_mongo_app,brutal_purge,soft_purge,[]}, + [{load_module,emqx_acl_mongo,brutal_purge,soft_purge,[]}, + {load_module,emqx_auth_mongo_app,brutal_purge,soft_purge,[]}, {load_module,emqx_auth_mongo_sup,brutal_purge,soft_purge,[]}, {load_module,emqx_auth_mongo,brutal_purge,soft_purge,[]}]}, {"4.4.0", 
@@ -15,12 +22,19 @@ {load_module,emqx_auth_mongo,brutal_purge,soft_purge,[]}, {load_module,emqx_acl_mongo,brutal_purge,soft_purge,[]}]}, {<<".*">>,[]}], - [{"4.4.4",[{load_module,emqx_auth_mongo,brutal_purge,soft_purge,[]}]}, - {<<"4\\.4\\.[2-3]">>, - [{load_module,emqx_auth_mongo_app,brutal_purge,soft_purge,[]}, + [{"4.4.5", + [{load_module,emqx_acl_mongo,brutal_purge,soft_purge,[]}, + {load_module,emqx_auth_mongo,brutal_purge,soft_purge,[]}]}, + {"4.4.4", + [{load_module,emqx_acl_mongo,brutal_purge,soft_purge,[]}, + {load_module,emqx_auth_mongo,brutal_purge,soft_purge,[]}]}, + {<<"4\\.4\\.[2-3]">>, + [{load_module,emqx_acl_mongo,brutal_purge,soft_purge,[]}, + {load_module,emqx_auth_mongo_app,brutal_purge,soft_purge,[]}, {load_module,emqx_auth_mongo,brutal_purge,soft_purge,[]}]}, {"4.4.1", - [{load_module,emqx_auth_mongo_app,brutal_purge,soft_purge,[]}, + [{load_module,emqx_acl_mongo,brutal_purge,soft_purge,[]}, + {load_module,emqx_auth_mongo_app,brutal_purge,soft_purge,[]}, {load_module,emqx_auth_mongo_sup,brutal_purge,soft_purge,[]}, {load_module,emqx_auth_mongo,brutal_purge,soft_purge,[]}]}, {"4.4.0", diff --git a/apps/emqx_auth_mongo/src/emqx_auth_mongo.erl b/apps/emqx_auth_mongo/src/emqx_auth_mongo.erl index 1c8c18ce3..9ca272c65 100644 --- a/apps/emqx_auth_mongo/src/emqx_auth_mongo.erl +++ b/apps/emqx_auth_mongo/src/emqx_auth_mongo.erl @@ -68,6 +68,9 @@ check(ClientInfo = #{password := Password}, AuthResult, case Result of ok -> ?tp(emqx_auth_mongo_superuser_check_authn_ok, #{}), + ?LOG_SENSITIVE(debug, + "[MongoDB] Auth from mongo succeeded, Client: ~p", + [ClientInfo]), {stop, AuthResult#{is_superuser => is_superuser(Pool, SuperQuery, ClientInfo), anonymous => false, auth_result => success}}; diff --git a/apps/emqx_auth_mysql/src/emqx_acl_mysql.erl b/apps/emqx_auth_mysql/src/emqx_acl_mysql.erl index 436c69d5f..a5b0f86b2 100644 --- a/apps/emqx_auth_mysql/src/emqx_acl_mysql.erl +++ b/apps/emqx_auth_mysql/src/emqx_acl_mysql.erl 
@@ -29,8 +29,16 @@ check_acl(ClientInfo, PubSub, Topic, NoMatchAction, #{pool := Pool} = State) ->
 case do_check_acl(Pool, ClientInfo, PubSub, Topic, NoMatchAction, State) of
 ok -> ok;
- {stop, allow} -> {stop, allow};
- {stop, deny} -> {stop, deny}
+ {stop, allow} ->
+ ?LOG_SENSITIVE(debug,
+ "[MySQL] Allow Topic: ~p, Action: ~p for Client: ~p",
+ [Topic, PubSub, ClientInfo]),
+ {stop, allow};
+ {stop, deny} ->
+ ?LOG_SENSITIVE(debug,
+ "[MySQL] Allow Topic: ~p, Action: ~p for Client: ~p",
+ [Topic, PubSub, ClientInfo]),
+ {stop, deny}
 end.
 do_check_acl(_Pool, #{username := <<$$, _/binary>>}, _PubSub, _Topic, _NoMatchAction, _State) ->
diff --git a/apps/emqx_auth_mysql/src/emqx_auth_mysql.app.src b/apps/emqx_auth_mysql/src/emqx_auth_mysql.app.src
index b6d1ef811..abfa86c5f 100644
--- a/apps/emqx_auth_mysql/src/emqx_auth_mysql.app.src
+++ b/apps/emqx_auth_mysql/src/emqx_auth_mysql.app.src
@@ -1,6 +1,6 @@
 {application, emqx_auth_mysql,
 [{description, "EMQ X Authentication/ACL with MySQL"},
- {vsn, "4.3.4"}, % strict semver, bump manually!
+ {vsn, "4.3.5"}, % strict semver, bump manually!
 {modules, []},
 {registered, [emqx_auth_mysql_sup]},
 {applications, [kernel,stdlib,mysql,ecpool]},
diff --git a/apps/emqx_auth_mysql/src/emqx_auth_mysql.appup.src b/apps/emqx_auth_mysql/src/emqx_auth_mysql.appup.src
index 5cc4fbc7b..a0a6b036d 100644
--- a/apps/emqx_auth_mysql/src/emqx_auth_mysql.appup.src
+++ b/apps/emqx_auth_mysql/src/emqx_auth_mysql.appup.src
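Review bot: The `{stop, deny}` branch added to `check_acl` in emqx_acl_mysql.erl logs `"[MySQL] Allow Topic: ..."`, the same text as the allow branch, so every MySQL ACL denial is written to the log as an allow. Every other backend touched by this diff uses `Deny` in that position; the second format string should read `"[MySQL] Deny Topic: ~p, Action: ~p for Client: ~p"`. Anyone reading these debug lines to reconstruct an authorization decision would otherwise be misled about the outcome.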
@@ -1,10 +1,17 @@ %% -*- mode: erlang -*- +%% Unless you know what you are doing, DO NOT edit manually!! {VSN, - [{"4.3.3", + [{"4.3.4", [{load_module,emqx_auth_mysql,brutal_purge,soft_purge,[]}, + {load_module,emqx_acl_mysql,brutal_purge,soft_purge,[]}, + {load_module,emqx_auth_mysql_cli,brutal_purge,soft_purge,[]}]}, + {"4.3.3", + [{load_module,emqx_acl_mysql,brutal_purge,soft_purge,[]}, + {load_module,emqx_auth_mysql,brutal_purge,soft_purge,[]}, {load_module,emqx_auth_mysql_cli,brutal_purge,soft_purge,[]}]}, {<<"4\\.3\\.[1-2]">>, - [{load_module,emqx_auth_mysql_cli,brutal_purge,soft_purge,[]}, + [{load_module,emqx_acl_mysql,brutal_purge,soft_purge,[]}, + {load_module,emqx_auth_mysql_cli,brutal_purge,soft_purge,[]}, {load_module,emqx_auth_mysql_app,brutal_purge,soft_purge,[]}, {load_module,emqx_auth_mysql,brutal_purge,soft_purge,[]}]}, {"4.3.0", @@ -13,11 +20,17 @@ {load_module,emqx_auth_mysql,brutal_purge,soft_purge,[]}, {load_module,emqx_acl_mysql,brutal_purge,soft_purge,[]}]}, {<<".*">>,[]}], - [{"4.3.3", + [{"4.3.4", [{load_module,emqx_auth_mysql,brutal_purge,soft_purge,[]}, + {load_module,emqx_acl_mysql,brutal_purge,soft_purge,[]}, + {load_module,emqx_auth_mysql_cli,brutal_purge,soft_purge,[]}]}, + {"4.3.3", + [{load_module,emqx_acl_mysql,brutal_purge,soft_purge,[]}, + {load_module,emqx_auth_mysql,brutal_purge,soft_purge,[]}, {load_module,emqx_auth_mysql_cli,brutal_purge,soft_purge,[]}]}, {<<"4\\.3\\.[1-2]">>, - [{load_module,emqx_auth_mysql_cli,brutal_purge,soft_purge,[]}, + [{load_module,emqx_acl_mysql,brutal_purge,soft_purge,[]}, + {load_module,emqx_auth_mysql_cli,brutal_purge,soft_purge,[]}, {load_module,emqx_auth_mysql_app,brutal_purge,soft_purge,[]}, {load_module,emqx_auth_mysql,brutal_purge,soft_purge,[]}]}, {"4.3.0", @@ -25,5 +38,4 @@ {load_module,emqx_auth_mysql_app,brutal_purge,soft_purge,[]}, {load_module,emqx_auth_mysql,brutal_purge,soft_purge,[]}, {load_module,emqx_acl_mysql,brutal_purge,soft_purge,[]}]}, - {<<".*">>,[]}] -}. + {<<".*">>,[]}]}. 
diff --git a/apps/emqx_auth_mysql/src/emqx_auth_mysql.erl b/apps/emqx_auth_mysql/src/emqx_auth_mysql.erl
index ac35e6ce6..94045e1ad 100644
--- a/apps/emqx_auth_mysql/src/emqx_auth_mysql.erl
+++ b/apps/emqx_auth_mysql/src/emqx_auth_mysql.erl
@@ -46,6 +46,9 @@ check(ClientInfo = #{password := Password}, AuthResult,
 end,
 case CheckPass of
 ok ->
+ ?LOG_SENSITIVE(debug,
+ "[MySQL] Auth from mysql succeeded, Client: ~p",
+ [ClientInfo]),
 {stop, AuthResult#{is_superuser => is_superuser(Pool, SuperQuery, ClientInfo),
 anonymous => false,
 auth_result => success}};
diff --git a/apps/emqx_auth_pgsql/src/emqx_acl_pgsql.erl b/apps/emqx_auth_pgsql/src/emqx_acl_pgsql.erl
index ee385cd16..1afb93975 100644
--- a/apps/emqx_auth_pgsql/src/emqx_acl_pgsql.erl
+++ b/apps/emqx_auth_pgsql/src/emqx_acl_pgsql.erl
@@ -36,9 +36,17 @@ do_check_acl(Pool, ClientInfo, PubSub, Topic, _NoMatchAction, #{acl_query := {Ac
 {ok, _, Rows} ->
 Rules = filter(PubSub, compile(Rows)),
 case match(ClientInfo, Topic, Rules) of
- {matched, allow} -> {stop, allow};
- {matched, deny} -> {stop, deny};
- nomatch -> ok
+ {matched, allow} ->
+ ?LOG_SENSITIVE(debug,
+ "[Postgres] Allow Topic: ~p, Action: ~p for Client: ~p",
+ [Topic, PubSub, ClientInfo]),
+ {stop, allow};
+ {matched, deny} ->
+ ?LOG_SENSITIVE(debug,
+ "[Postgres] Deny Topic: ~p, Action: ~p for Client: ~p",
+ [Topic, PubSub, ClientInfo]),
+ {stop, deny};
+ nomatch -> ok
 end;
 {error, Reason} ->
 ?LOG(error, "[Postgres] do_check_acl error: ~p~n", [Reason]),
@@ -105,4 +113,3 @@ empty(null) -> true;
 empty("") -> true;
 empty(<<>>) -> true;
 empty(_) -> false.
-
diff --git a/apps/emqx_auth_pgsql/src/emqx_auth_pgsql.app.src b/apps/emqx_auth_pgsql/src/emqx_auth_pgsql.app.src
index 47929bc65..96a810d7c 100644
--- a/apps/emqx_auth_pgsql/src/emqx_auth_pgsql.app.src
+++ b/apps/emqx_auth_pgsql/src/emqx_auth_pgsql.app.src
@@ -1,6 +1,6 @@ {application, emqx_auth_pgsql, [{description, "EMQ X Authentication/ACL with PostgreSQL"}, - {vsn, "4.4.4"}, % strict semver, bump manually! + {vsn, "4.4.5"}, % strict semver, bump manually! {modules, []}, {registered, [emqx_auth_pgsql_sup]}, {applications, [kernel,stdlib,epgsql,ecpool]}, diff --git a/apps/emqx_auth_pgsql/src/emqx_auth_pgsql.appup.src b/apps/emqx_auth_pgsql/src/emqx_auth_pgsql.appup.src index d5a641a66..98826f918 100644 --- a/apps/emqx_auth_pgsql/src/emqx_auth_pgsql.appup.src +++ b/apps/emqx_auth_pgsql/src/emqx_auth_pgsql.appup.src 
@@ -1,20 +1,29 @@ %% -*- mode: erlang -*- %% Unless you know what you are doing, DO NOT edit manually!! {VSN, - [{"4.4.3", - [{load_module,emqx_auth_pgsql_cli,brutal_purge,soft_purge,[]}, + [{"4.4.4", + [{load_module,emqx_acl_pgsql,brutal_purge,soft_purge,[]}, + {load_module,emqx_auth_pgsql,brutal_purge,soft_purge,[]}]}, + {"4.4.3", + [{load_module,emqx_acl_pgsql,brutal_purge,soft_purge,[]}, + {load_module,emqx_auth_pgsql_cli,brutal_purge,soft_purge,[]}, {load_module,emqx_auth_pgsql,brutal_purge,soft_purge,[]}]}, {<<"4\\.4\\.[0-2]">>, - [{load_module,emqx_auth_pgsql_cli,brutal_purge,soft_purge,[]}, + [{load_module,emqx_acl_pgsql,brutal_purge,soft_purge,[]}, + {load_module,emqx_auth_pgsql_cli,brutal_purge,soft_purge,[]}, {load_module,emqx_auth_pgsql,brutal_purge,soft_purge,[]}, {load_module,emqx_auth_pgsql_app,brutal_purge,soft_purge,[]}]}, {<<".*">>,[]}], - [{"4.4.3", - [{load_module,emqx_auth_pgsql_cli,brutal_purge,soft_purge,[]}, + [{"4.4.4", + [{load_module,emqx_acl_pgsql,brutal_purge,soft_purge,[]}, + {load_module,emqx_auth_pgsql,brutal_purge,soft_purge,[]}]}, + {"4.4.3", + [{load_module,emqx_acl_pgsql,brutal_purge,soft_purge,[]}, + {load_module,emqx_auth_pgsql_cli,brutal_purge,soft_purge,[]}, {load_module,emqx_auth_pgsql,brutal_purge,soft_purge,[]}]}, {<<"4\\.4\\.[0-2]">>, - [{load_module,emqx_auth_pgsql_cli,brutal_purge,soft_purge,[]}, + [{load_module,emqx_acl_pgsql,brutal_purge,soft_purge,[]}, + {load_module,emqx_auth_pgsql_cli,brutal_purge,soft_purge,[]}, {load_module,emqx_auth_pgsql,brutal_purge,soft_purge,[]}, {load_module,emqx_auth_pgsql_app,brutal_purge,soft_purge,[]}]}, {<<".*">>,[]}]}. - diff --git a/apps/emqx_auth_pgsql/src/emqx_auth_pgsql.erl b/apps/emqx_auth_pgsql/src/emqx_auth_pgsql.erl index 6bdc53941..8f75c1279 100644 --- a/apps/emqx_auth_pgsql/src/emqx_auth_pgsql.erl +++ b/apps/emqx_auth_pgsql/src/emqx_auth_pgsql.erl 
@@ -45,6 +45,9 @@ check(ClientInfo = #{password := Password}, AuthResult,
 end,
 case CheckPass of
 ok ->
+ ?LOG_SENSITIVE(debug,
+ "[Postgres] Auth from pgsql succeeded, Client: ~p",
+ [ClientInfo]),
 {stop, AuthResult#{is_superuser => is_superuser(Pool, SuperQuery, ClientInfo),
 anonymous => false,
 auth_result => success}};
diff --git a/apps/emqx_auth_redis/src/emqx_acl_redis.erl b/apps/emqx_auth_redis/src/emqx_acl_redis.erl
index 2fcdb9592..74a68905c 100644
--- a/apps/emqx_auth_redis/src/emqx_acl_redis.erl
+++ b/apps/emqx_auth_redis/src/emqx_acl_redis.erl
@@ -33,8 +33,16 @@ check_acl(ClientInfo, PubSub, Topic, _AclResult,
 {ok, []} -> ok;
 {ok, Rules} ->
 case match(ClientInfo, PubSub, Topic, Rules) of
- allow -> {stop, allow};
- nomatch -> {stop, deny}
+ allow ->
+ ?LOG_SENSITIVE(debug,
+ "[Redis] Allow Topic: ~p, Action: ~p for Client: ~p",
+ [Topic, PubSub, ClientInfo]),
+ {stop, allow};
+ nomatch ->
+ ?LOG_SENSITIVE(debug,
+ "[Redis] Deny Topic: ~p, Action: ~p for Client: ~p",
+ [Topic, PubSub, ClientInfo]),
+ {stop, deny}
 end;
 {error, Reason} ->
 ?LOG(error, "[Redis] do_check_acl error: ~p", [Reason]),
@@ -71,4 +79,3 @@ feed_var(Str, Var, Val) ->
 b2i(Bin) -> list_to_integer(binary_to_list(Bin)).
 description() -> "Redis ACL Module".
-
diff --git a/apps/emqx_auth_redis/src/emqx_auth_redis.app.src b/apps/emqx_auth_redis/src/emqx_auth_redis.app.src
index 80827507b..0fb0ecaff 100644
--- a/apps/emqx_auth_redis/src/emqx_auth_redis.app.src
+++ b/apps/emqx_auth_redis/src/emqx_auth_redis.app.src
@@ -1,6 +1,6 @@
 {application, emqx_auth_redis,
 [{description, "EMQ X Authentication/ACL with Redis"},
- {vsn, "4.3.4"}, % strict semver, bump manually!
+ {vsn, "4.3.5"}, % strict semver, bump manually!
 {modules, []},
 {registered, [emqx_auth_redis_sup]},
 {applications, [kernel,stdlib,eredis,eredis_cluster,ecpool]},
diff --git a/apps/emqx_auth_redis/src/emqx_auth_redis.appup.src b/apps/emqx_auth_redis/src/emqx_auth_redis.appup.src
index 8ce75dbeb..c3c25571a 100644
--- a/apps/emqx_auth_redis/src/emqx_auth_redis.appup.src +++ b/apps/emqx_auth_redis/src/emqx_auth_redis.appup.src @@ -1,11 +1,15 @@ %% -*- mode: erlang -*- %% Unless you know what you are doing, DO NOT edit manually!! {VSN, - [{"4.3.3", - [{load_module,emqx_auth_redis,brutal_purge,soft_purge,[]}, + [{"4.3.4", + [{load_module,emqx_acl_redis,brutal_purge,soft_purge,[]}]}, + {"4.3.3", + [{load_module,emqx_acl_redis,brutal_purge,soft_purge,[]}, + {load_module,emqx_auth_redis,brutal_purge,soft_purge,[]}, {load_module,emqx_auth_redis_cli,brutal_purge,soft_purge,[]}]}, {<<"4\\.3\\.[1-2]">>, - [{load_module,emqx_auth_redis_cli,brutal_purge,soft_purge,[]}, + [{load_module,emqx_acl_redis,brutal_purge,soft_purge,[]}, + {load_module,emqx_auth_redis_cli,brutal_purge,soft_purge,[]}, {load_module,emqx_auth_redis_app,brutal_purge,soft_purge,[]}, {load_module,emqx_auth_redis,brutal_purge,soft_purge,[]}]}, {"4.3.0", @@ -14,11 +18,15 @@ {load_module,emqx_auth_redis,brutal_purge,soft_purge,[]}, {load_module,emqx_acl_redis,brutal_purge,soft_purge,[]}]}, {<<".*">>,[]}], - [{"4.3.3", - [{load_module,emqx_auth_redis,brutal_purge,soft_purge,[]}, + [{"4.3.4", + [{load_module,emqx_acl_redis,brutal_purge,soft_purge,[]}]}, + {"4.3.3", + [{load_module,emqx_acl_redis,brutal_purge,soft_purge,[]}, + {load_module,emqx_auth_redis,brutal_purge,soft_purge,[]}, {load_module,emqx_auth_redis_cli,brutal_purge,soft_purge,[]}]}, {<<"4\\.3\\.[1-2]">>, - [{load_module,emqx_auth_redis_cli,brutal_purge,soft_purge,[]}, + [{load_module,emqx_acl_redis,brutal_purge,soft_purge,[]}, + {load_module,emqx_auth_redis_cli,brutal_purge,soft_purge,[]}, {load_module,emqx_auth_redis_app,brutal_purge,soft_purge,[]}, {load_module,emqx_auth_redis,brutal_purge,soft_purge,[]}]}, {"4.3.0", diff --git a/changes/v4.4.15-en.md b/changes/v4.4.15-en.md index 870093ac3..260166da2 100644 --- a/changes/v4.4.15-en.md +++ b/changes/v4.4.15-en.md 
@@ -14,6 +14,8 @@ - Now the corresponding session will be kicked when client is banned by `clientid` [#9904](https://github.com/emqx/emqx/pull/9904). +- Add more debug logs for authentication and ACL [#9943](https://github.com/emqx/emqx/pull/9943). + ## Bug fixes - Fixed an error when forward MQTT messages with User-Property using the `republish` action [#9942](https://github.com/emqx/emqx/pull/9942). diff --git a/changes/v4.4.15-zh.md b/changes/v4.4.15-zh.md index dd00ce912..a382e0c94 100644 --- a/changes/v4.4.15-zh.md +++ b/changes/v4.4.15-zh.md @@ -14,6 +14,8 @@ - 现在客户端通过 `clientid` 被封禁时将会踢掉对应的会话 [#9904](https://github.com/emqx/emqx/pull/9904)。 +- 为认证和授权添加了更多调试日志 [#9943](https://github.com/emqx/emqx/pull/9943)。 + ## 修复 - 修复使用 `消息重发布` 动作转发带 User-Property 的 MQTT 消息时出错的问题 [#9942](https://github.com/emqx/emqx/pull/9942)。