【Question title】: Greengrass V2 continuously giving me MqttProxyIPCAgent Not Authorized
【Posted】: 2022-01-26 03:10:43
【Question】:

I have the following Greengrass V2 custom recipe:

---
RecipeFormatVersion: "2020-01-25"
ComponentName: com.savic.Telemetry
ComponentVersion: 1.0.12
ComponentDescription: Vehicle telemetry consisting of CAN and additional messages
ComponentPublisher: ##############
ComponentConfiguration:
  DefaultConfiguration:
    Environment: nonprod
    accessControl:
      aws.greengrass.ipc.mqttproxy:
        com.savic.Telemetry:pubsub:2:
          policyDescription: Allows access to publish to telemetry topic
          operations:
            - aws.greengrass#PublishToIoTCore
          resources:
            - savicmc/{configuration:/Environment}/telemetry/events
Manifests:
  - Platform:
      os: linux
    Lifecycle:
      Setenv:
        SAVICMC_ENV: "{configuration:/Environment}"
        SAVIC_SENDLOG_PATH: "/var/log/sendLog.txt"
        SAVIC_SAMPLE_RATE: 10
        SAVIC_TELEMETRY_TOPIC: "savicmc/{configuration:/Environment}/telemetry/events"
      Install:
        RequiresPrivilege: true
        script: python3 -m pip install --user awsiotsdk
      Run:
        RequiresPrivilege: true
        script: python3 -u {artifacts:path}/telemetry.py
    Artifacts:
      - Uri: s3://greengrass-components-#############-############/artifacts/com.savic.Telemetry/1.0.12/telemetry.py
        Permission:
          Execute: OWNER

Note: I also tried variants of accessControl:

  aws.greengrass.ipc.mqttproxy:
    com.savic.Telemetry:mqttproxy:2:

 ------ AND --------

  aws.greengrass.ipc.mqttproxy:
    com.savic.Telemetry:pubsub:2:

(note: pubsub vs. mqttproxy)

However, in my greengrass.log I keep getting the following:

2022-01-24T06:29:45.178Z [INFO] (Thread-8) software.amazon.awssdk.eventstreamrpc.RpcServer: New connection code [AWS_ERROR_SUCCESS] for [Id 1141, Class ServerConnection, Refs 1](2022-01-24T06:29:45.178120Z) - <null>. {}
2022-01-24T06:29:45.181Z [INFO] (Thread-8) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: aws.greengrass#GreengrassCoreIPC authenticated identity: com.savic.Telemetry. {}
2022-01-24T06:29:45.184Z [INFO] (Thread-8) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Connection accepted for com.savic.Telemetry. {}
2022-01-24T06:29:45.185Z [INFO] (Thread-8) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Sending connect response for com.savic.Telemetry. {}
2022-01-24T06:29:45.191Z [INFO] (Thread-8) com.aws.greengrass.builtin.services.mqttproxy.MqttProxyIPCAgent: Not Authorized. {error=Principal com.savic.Telemetry is not authorized to perform aws.greengrass.ipc.mqttproxy:aws.greengrass#PublishToIoTCore on resource savicmc/nonprod/telemetry/events}

Note:

com.aws.greengrass.builtin.services.mqttproxy.MqttProxyIPCAgent: Not Authorized. {error=Principal com.savic.Telemetry is not authorized to perform aws.greengrass.ipc.mqttproxy:aws.greengrass#PublishToIoTCore on resource savicmc/nonprod/telemetry/events}

My Thing's device certificate also has a policy allowing iot:* and greengrass:*, so from a policy/IAM perspective I am able to publish.

Any idea why I am getting Not Authorized on the device?

【Discussion】:

    Tags: amazon-web-services aws-iot aws-iot-core greengrass aws-iot-greengrass


    【Answer 1】:

    Recipe variables are only supported in the Lifecycle section of a recipe, so the {configuration:/Environment} string in accessControl is not resolved to the value you expect.

    savicmc/{configuration:/Environment}/telemetry/events
    

    You can change the default accessControl to use the default value of Environment, so that the component works as expected when you use the default values.

    ComponentConfiguration:
      DefaultConfiguration:
        Environment: nonprod
        accessControl:
          aws.greengrass.ipc.mqttproxy:
            com.savic.Telemetry:pubsub:2:
              policyDescription: Allows access to publish to telemetry topic
              operations:
                - aws.greengrass#PublishToIoTCore
              resources:
                - savicmc/nonprod/telemetry/events
    

    When you configure and deploy the component with a different Environment value, you can also update the topic in accessControl. For example, you can specify the following configuration merge update to change Environment and the resource topic to prod:

    {
      "Environment": "prod",
      "accessControl": {
        "aws.greengrass.ipc.mqttproxy": {
          "com.savic.Telemetry:pubsub:2": {
            "resources": [
              "savicmc/prod/telemetry/events"
            ]
          }
        }
      }
    }
    

    【Discussion】:

    • Thanks! Shortly after posting the question I actually ended up figuring out both of your answers. First I thought it was that recipe variables are not evaluated inside accessControl - that did not work for me, and then, as you pointed out, it was also continuously populating my merge. I accepted this answer for both points. Thanks.
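    To make the answer's two points concrete, here is an added example (not code from the question, the answer or AWS) that models the Greengrass authorization check and a configuration merge update in a simplified way: the default configuration keeps the literal, unexpanded {configuration:/Environment} in its resource and is therefore denied, while the merged configuration with the prod topic is authorized. The merge semantics, the wildcard handling and the function names are assumptions for illustration.

```python
import copy
import re

SERVICE = "aws.greengrass.ipc.mqttproxy"
PUBLISH = "aws.greengrass#PublishToIoTCore"

# Constructed from the question's recipe: the accessControl resource still holds
# the recipe variable, because variables are only expanded in Lifecycle.
DEFAULT_CONFIGURATION = {
    "Environment": "nonprod",
    "accessControl": {SERVICE: {"com.savic.Telemetry:pubsub:2": {
        "operations": [PUBLISH],
        "resources": ["savicmc/{configuration:/Environment}/telemetry/events"],
    }}},
}

# Constructed from the answer's merge update, written out as a valid object.
MERGE_UPDATE = {
    "Environment": "prod",
    "accessControl": {SERVICE: {"com.savic.Telemetry:pubsub:2": {
        "resources": ["savicmc/prod/telemetry/events"],
    }}},
}

def merge_configuration(base, update):
    """Assumed model of a merge update: nested objects merge key by key,
    any other value (lists included) is replaced."""
    merged = copy.deepcopy(base)
    for key, value in update.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = merge_configuration(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)
    return merged

def resource_matches(pattern, resource):
    """Only '*' is a wildcard; everything else is literal, so an unexpanded
    '{configuration:/Environment}' can never match a real topic."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, resource) is not None

def is_authorized(configuration, service, operation, resource):
    """True if some accessControl policy for `service` grants `operation`
    on `resource`; this is the check behind the 'Not Authorized' log line."""
    for policy in configuration.get("accessControl", {}).get(service, {}).values():
        if operation in policy.get("operations", []) and any(
                resource_matches(r, resource) for r in policy.get("resources", [])):
            return True
    return False
```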