Authorization with mongo

kowiste · May 10, 2023, 2:05pm

I have working the authentication with the follow configuration (I remove some part from this):

authentication = [
  {
    backend = "mongodb"
    collection = "users"
    database = "sys_mqtt"
    enable = true
    filter {clientid = "${clientid}", username = "${username}"}
    is_superuser_field = "superuser"
    mechanism = "password_based"
    mongo_type = "single"
    password = "password0001"
    password_hash_algorithm {
      iterations = 5000
      mac_fun = "sha512"
      name = "pbkdf2"
    }
    password_hash_field = "password"
    pool_size = 8
    salt_field = "salt"
    server = "mongo:27017"
    srv_record = false
    ssl {
      ciphers = []
      depth = 10
      enable = false
      hibernate_after = "5s"
      reuse_sessions = true
      secure_renegotiate = true
      user_lookup_fun = "emqx_tls_psk:lookup"
      verify = "verify_peer"
      versions = ["tlsv1.3", "tlsv1.2", "tlsv1.1", "tlsv1"]
    }
    topology {
      connect_timeout_ms = "20s"
      heartbeat_frequency_ms = "200s"
      max_overflow = 0
      pool_size = 8
    }
    username = "admin"
  }
]
authorization {
  cache {
    enable = true
    max_size = 32
    ttl = "1m"
  }
  deny_action = "ignore"
  no_match = "allow"
  sources = [
    {
      collection = "users"
      database = "sys_mqtt"
      enable = true
      filter {username = "${username}"}
      mongo_type = "single"
      password = "password0001"
      pool_size = 8
      server = "mongo:27017"
      srv_record = false
      ssl {
        ciphers = []
        depth = 10
        enable = false
        hibernate_after = "5s"
        reuse_sessions = true
        secure_renegotiate = true
        user_lookup_fun = "emqx_tls_psk:lookup"
        verify = "verify_peer"
        versions = ["tlsv1.3", "tlsv1.2", "tlsv1.1", "tlsv1"]
      }
      topology {
        connect_timeout_ms = "20s"
        heartbeat_frequency_ms = "200s"
        max_overflow = 0
        pool_size = 8
      }
      type = "mongodb"
      username = "admin"
    }
  ]
}

In my database I have this :

{
  "_id": {
    "$oid": "645b41478c94152587d7dba4"
  },
  "username": "pablo",
  "password": "75ae76beb7e93b2fdb8553cf8615dcdf3562b11ff49813230309bbad92134f344739b848174db73fd16363623340426c6754732c95075286c895d052ee820eaf",
  "superuser": false,
  "clientid": "645b41478c94152587d7dba4",
  "permission": "allow",
  "action": "all",
  "topics": [
    "/client/645b41478c94152587d7dba4/measure/",
    "/client/645b41478c94152587d7dba4/process/",
    "/client/645b41478c94152587d7dba4/status/",
    "/client/645b41478c94152587d7dba4/command/"
  ]
}

I see here that for the authorization I need the fields permission, action and topics, but this doesn’t work I can see in the authorization overview that the No match counter increase everytime I connect a client.

What I’m doing wrong?