LoRa Gateway Bridge MQTT authentication and topic authorization

@brocaar
I have recently setup a new LoRa server install on AWS - and configured it for AU.
With my Gateway configured to use the Semtech forwarder directly to the Server on port 1700 - everything works fine.

The problem is - when I attempt to run the lora-gateway-bridge on the Gateway.
The bridge seems to be able to connect fine using SSL - but it is not passing data.

Your troubleshooting page was very helpful:
https://docs.loraserver.io/lora-gateway-bridge/install/debug/

The suggested debug command:

journalctl -f -n 100 -u lora-gateway-bridge

Gives no output…

So - I took at look at /var/log/mosquitto/mosquitto.log and I see this:

(since my bridge on the gateway needed a username/password - I borrowed “loraserver_ns” since I wasn’t sure how to add one for my gateway to use, but that’s a different topic)

1510750859: New connection from xxx.xxx.xxx.xxx on port 8886.
1510750859: mosquitto_auth_unpwd_check(loraserver_ns)
1510750859: ** checking backend files
1510750859: getuser(loraserver_ns) AUTHENTICATED=1 by files
1510750859: New client connected from xxx.xxx.xxx.xxx as b9d99d32-a71e-4d50-a94b-41d3663bd7b2 (c1, k30, u'loraserver_ns').
1510750892: mosquitto_auth_acl_check(…, b9d99d32-a71e-4d50-a94b-41d3663bd7b2, loraserver_ns, gateway/c0ee40ffff293464/stats, MOSQ_ACL_WRITE)
1510750892: SUPERUSER: loraserver_ns
1510750892: user is 0
1510750892: USERNAME: loraserver_ns, TOPIC: gateway/c0ee40ffff293464/stats, acc: 2
1510750892: aclcheck(loraserver_ns, gateway/c0ee40ffff293464/stats, 2) AUTHORIZED=0 by (null)
1510750892: Cached [8B7A7DF24C9FEE999DB3B63B96E3734BB4E91C1F] for (b9d99d32-a71e-4d50-a94b-41d3663bd7b2,loraserver_ns,2)
1510750922: mosquitto_auth_acl_check(…, b9d99d32-a71e-4d50-a94b-41d3663bd7b2, loraserver_ns, gateway/c0ee40ffff293464/stats, MOSQ_ACL_WRITE)
1510750922: aclcheck(loraserver_ns, gateway/c0ee40ffff293464/stats, 2) CACHEDAUTH: 12
1510750952: mosquitto_auth_acl_check(…, b9d99d32-a71e-4d50-a94b-41d3663bd7b2, loraserver_ns, gateway/c0ee40ffff293464/stats, MOSQ_ACL_WRITE)
1510750952: aclcheck(loraserver_ns, gateway/c0ee40ffff293464/stats, 2) CACHEDAUTH: 12
1510750982: mosquitto_auth_acl_check(…, b9d99d32-a71e-4d50-a94b-41d3663bd7b2, loraserver_ns, gateway/c0ee40ffff293464/stats, MOSQ_ACL_WRITE)
1510750982: aclcheck(loraserver_ns, gateway/c0ee40ffff293464/stats, 2) CACHEDAUTH: 12
1510751012: mosquitto_auth_acl_check(…, b9d99d32-a71e-4d50-a94b-41d3663bd7b2, loraserver_ns, gateway/c0ee40ffff293464/stats, MOSQ_ACL_WRITE)
1510751012: aclcheck(loraserver_ns, gateway/c0ee40ffff293464/stats, 2) CACHEDAUTH: 12
1510751042: mosquitto_auth_acl_check(…, b9d99d32-a71e-4d50-a94b-41d3663bd7b2, loraserver_ns, gateway/c0ee40ffff293464/stats, MOSQ_ACL_WRITE)
1510751042: aclcheck(loraserver_ns, gateway/c0ee40ffff293464/stats, 2) CACHEDAUTH: 12
1510751072: mosquitto_auth_acl_check(…, b9d99d32-a71e-4d50-a94b-41d3663bd7b2, loraserver_ns, gateway/c0ee40ffff293464/stats, MOSQ_ACL_WRITE)

I compared these logs to a Gateway with the bridge communicating with my EU server which I setup at the same time as the AU server.

The logs on the working EU setup looks like this:

1510750596: New connection from xxx.xxx.xxx.xxx on port 8886.
1510750596: mosquitto_auth_unpwd_check(loraserver_ns)
1510750596: ** checking backend files
1510750596: getuser(loraserver_ns) AUTHENTICATED=1 by files
1510750596: New client connected from xxx.xxx.xxx.xxx as db2fbc37-11a3-46f5-bd4d-8fd04b6ef57d (c1, k30, u'loraserver_ns').
1510750597: mosquitto_auth_acl_check(…, db2fbc37-11a3-46f5-bd4d-8fd04b6ef57d, loraserver_ns, gateway/c0ee40ffff29377b/rx, MOSQ_ACL_WRITE)
1510750597: SUPERUSER: loraserver_ns
1510750597: user is 0
1510750597: USERNAME: loraserver_ns, TOPIC: gateway/c0ee40ffff29377b/rx, acc: 2
1510750597: aclcheck(loraserver_ns, gateway/c0ee40ffff29377b/rx, 2) AUTHORIZED=0 by (null)
1510750597: Cached [7035F21B8A975F860A9A93E79AB6C61B34CFF714] for (db2fbc37-11a3-46f5-bd4d-8fd04b6ef57d,loraserver_ns,2)
1510750597: Cleanup [005DDA60E2DE2A7610B5B9D3C65E0168C70A9EF9]
1510750597: Cleanup [B0D1B20252D504EE11E96E87B6089DEDE1DD2678]
1510750602: mosquitto_auth_acl_check(…, db2fbc37-11a3-46f5-bd4d-8fd04b6ef57d, loraserver_ns, gateway/c0ee40ffff29377b/rx, MOSQ_ACL_WRITE)
1510750602: aclcheck(loraserver_ns, gateway/c0ee40ffff29377b/rx, 2) CACHEDAUTH: 12
1510750607: mosquitto_auth_acl_check(…, db2fbc37-11a3-46f5-bd4d-8fd04b6ef57d, loraserver_ns, gateway/c0ee40ffff29377b/rx, MOSQ_ACL_WRITE)
1510750607: aclcheck(loraserver_ns, gateway/c0ee40ffff29377b/rx, 2) CACHEDAUTH: 12
1510750612: mosquitto_auth_acl_check(…, db2fbc37-11a3-46f5-bd4d-8fd04b6ef57d, loraserver_ns, gateway/c0ee40ffff29377b/rx, MOSQ_ACL_WRITE)
1510750612: aclcheck(loraserver_ns, gateway/c0ee40ffff29377b/rx, 2) CACHEDAUTH: 12
1510750613: mosquitto_auth_acl_check(…, db2fbc37-11a3-46f5-bd4d-8fd04b6ef57d, loraserver_ns, gateway/c0ee40ffff29377b/stats, MOSQ_ACL_WRITE)
1510750613: SUPERUSER: loraserver_ns
1510750613: user is 0
1510750613: USERNAME: loraserver_ns, TOPIC: gateway/c0ee40ffff29377b/stats, acc: 2
1510750613: aclcheck(loraserver_ns, gateway/c0ee40ffff29377b/stats, 2) AUTHORIZED=0 by (null)
1510750613: Cached [87C8D437163C7DE7EE38FE5216F2E88BDFC43CBC] for (db2fbc37-11a3-46f5-bd4d-8fd04b6ef57d,loraserver_ns,2)
1510750618: mosquitto_auth_acl_check(…, db2fbc37-11a3-46f5-bd4d-8fd04b6ef57d, loraserver_ns, gateway/c0ee40ffff29377b/rx, MOSQ_ACL_WRITE)
1510750618: aclcheck(loraserver_ns, gateway/c0ee40ffff29377b/rx, 2) CACHEDAUTH: 12
1510750623: mosquitto_auth_acl_check(…, db2fbc37-11a3-46f5-bd4d-8fd04b6ef57d, loraserver_ns, gateway/c0ee40ffff29377b/rx, MOSQ_ACL_WRITE)
1510750623: aclcheck(loraserver_ns, gateway/c0ee40ffff29377b/rx, 2) CACHEDAUTH: 12
1510750627: mosquitto_auth_acl_check(…, db2fbc37-11a3-46f5-bd4d-8fd04b6ef57d, loraserver_ns, gateway/c0ee40ffff29377b/rx, MOSQ_ACL_WRITE)
1510750627: aclcheck(loraserver_ns, gateway/c0ee40ffff29377b/rx, 2) CACHEDAUTH: 12
1510750633: mosquitto_auth_acl_check(…, db2fbc37-11a3-46f5-bd4d-8fd04b6ef57d, loraserver_ns, gateway/c0ee40ffff29377b/rx, MOSQ_ACL_WRITE)

To my untrained eye - the logs look pretty much equivalent - except for the “Cached” and “Cleanup” messages in the second (working) log.

I have triple checked that I properly added my gateway to the server - and that the organization allows gateways etc.

I spent hours on this yesterday trying to figure out what was going wrong and didn’t get anywhere.

And again - dumping the bridge and having the Semtech forwarder pointing to port 1700 on the server works perfectly.

Ideas on what I am doing wrong?

Is the loraserver_ns user authorized to publish data onto the gateway/.../(rx|stats) topic? If you are using the Ansible scripts, then probably not:

https://github.com/brocaar/loraserver-setup/blob/master/group_vars/loraserver_hosts.example.yml#L45

I am using the ansible scripts - and that user seemed to work fine on an EU server I setup the same day.
That is why I was using “loraserver_ns”.

However - I would like to do this properly - so what permissions does a user need for this to work from my Gateway?

I’m fine with using one of the stock users:
loraserver_gw
loraserver_ns
loraserver_as

but would prefer to add a customized user just for external use.

-
  user: loraserver_gw
  password: loraserver_gw
  topics:
    - write gateway/+/stats
    - write gateway/+/rx
    - read gateway/+/tx

:wink: Write to .../stats and .../rx and read from .../tx
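To see how the per-user rules in that reply are evaluated, here is an added example (my own code, not part of the thread and not loraserver's or mosquitto-auth-plug's code) that models MQTT topic-filter matching with the `+` and `#` wildcards and applies read/write ACL rules the way the plugin log above reports them (`acc: 2` is a write check). The loraserver_gw rules are the ones quoted in the reply and the biff rules are the ones the later post adds to the acl file; the loraserver_ns rules are my assumption of the loraserver-setup defaults (the mirror image of the gateway user) and should be checked against your own group_vars. Gateway IDs are taken from the quoted logs.

```python
"""Model of mosquitto-style topic ACLs (added example, not from the thread).

Shows which of the topics the gateway bridge publishes to are writable by a
given user, and reproduces the plugin's aclcheck verdict for a log line.
"""

# Access codes as they appear in the mosquitto-auth-plug log ("acc: 2" => write)
ACC_NAMES = {1: "read", 2: "write"}


def topic_matches(pattern: str, topic: str) -> bool:
    """MQTT topic-filter matching.

    '+' matches exactly one topic level; '#' matches the remainder of the
    topic (zero or more levels) and is only valid as the last level.
    """
    p_levels = pattern.split("/")
    t_levels = topic.split("/")
    for i, p in enumerate(p_levels):
        if p == "#":
            return i == len(p_levels) - 1
        if i >= len(t_levels):
            return False
        if p != "+" and p != t_levels[i]:
            return False
    return len(p_levels) == len(t_levels)


class Acl:
    """username -> list of (access, topic pattern); deny unless a rule matches."""

    def __init__(self):
        self.rules = {}

    def add(self, user: str, access: str, pattern: str) -> None:
        self.rules.setdefault(user, []).append((access, pattern))

    def allowed(self, user: str, access: str, topic: str) -> bool:
        for acc, pat in self.rules.get(user, []):
            if acc in (access, "readwrite") and topic_matches(pat, topic):
                return True
        return False


def build_acl() -> Acl:
    acl = Acl()
    # loraserver_gw: rules as quoted in the reply above
    acl.add("loraserver_gw", "write", "gateway/+/stats")
    acl.add("loraserver_gw", "write", "gateway/+/rx")
    acl.add("loraserver_gw", "read", "gateway/+/tx")
    # loraserver_ns: ASSUMED mirror image of the gateway user (check group_vars)
    acl.add("loraserver_ns", "read", "gateway/+/stats")
    acl.add("loraserver_ns", "read", "gateway/+/rx")
    acl.add("loraserver_ns", "write", "gateway/+/tx")
    # biff: rules as added to the acl file in the last post of the thread
    for pat in ("application/+/node/+/rx", "application/+/node/+/tx",
                "application/+/node/+/join", "gateway/+/tx", "gateway/+/stats"):
        acl.add("biff", "read", pat)
    acl.add("biff", "write", "application/+/node/+/rx")
    acl.add("biff", "write", "application/+/node/+/tx")
    return acl


def bridge_publish_checks(acl: Acl, user: str, gateway_id: str) -> dict:
    """Topics the gateway bridge publishes to, and whether `user` may write them."""
    topics = [f"gateway/{gateway_id}/stats", f"gateway/{gateway_id}/rx"]
    return {t: acl.allowed(user, "write", t) for t in topics}


def explain_log_line(acl: Acl, user: str, topic: str, acc: int) -> bool:
    """Reproduce the aclcheck verdict (True = AUTHORIZED) for a plugin log line."""
    return acl.allowed(user, ACC_NAMES[acc], topic)


if __name__ == "__main__":
    acl = build_acl()
    for user in ("loraserver_ns", "loraserver_gw"):
        print(user, bridge_publish_checks(acl, user, "c0ee40ffff293464"))
```

Running it prints the gateway topics the bridge needs with a True/False verdict per user, which is the same question the `aclcheck(... , 2)` lines in the broker log are answering; a user that only needs to publish gateway uplinks should carry exactly the three loraserver_gw rules and nothing broader.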

OK,
using “loraserver_gw” fixed the issue.

Next issue - as part of my testing, I need to be able to subscribe to the topics being published by my nodes.

A command line such as this would have worked fine in the past - but gives me no output with this version of the server.

mosquitto_sub -h remote_broker -u loraserver_as/ns/gw -P loraserver_as/ns/gw -t '#' -v -d

I tried loraserver_as, loraserver_ns and loraserver_gw.

I’m guessing none of these have the privileges I need?

I looked at the documentation here:
https://docs.loraserver.io/install/mqtt-auth/

and then I followed that by looking at the documentation for the plugin itself:

I tried to create a user ‘biff’ that could read anything sent by a node - and also be able to publish messages to nodes.

Updated password file:

root@ip-172-31-22-31:/etc/mosquitto/mosquitto-auth-plug# cat passwords
loraserver_gw:PBKDF2$sha256$100000$3R2UdLsj8+8lutRp$vse9VeO3iVf5ycY+E+oqlJ3PZwCsxcZl
loraserver_ns:PBKDF2$sha256$100000$olN2K/mQ05wD2W7m$RZPp5KBn9+oakOf/ICZHQxZ6OMkG2HUy
loraserver_as:PBKDF2$sha256$100000$x3W7S3sq5/w8iogV$/89bCJOgQakeMaFiToakiLba45DVk0u0
biff:PBKDF2$sha256$901$xQXPmQ/EPUK0QYIB$NABlkL1XO2C395W89lltFYhZE7Z6H7Yh

My addition to the acl file:

user biff
topic read application/+/node/+/rx
topic write application/+/node/+/rx
topic read application/+/node/+/tx
topic write application/+/node/+/tx
topic read application/+/node/+/join
topic read gateway/+/tx
topic read gateway/+/stats

Not totally unsurprisingly, I can’t authenticate with that user:

1510863040: GETTING USERS: biff
1510863040: getuser(biff) AUTHENTICATED=0 by none
1510863040: Socket error on client , disconnecting.

Suggestions?