I have a problem configuring MQTT Engine.
When I create an admin user with 'RW #', it works fine, but when I try to give him limited access like 'RW spBv1.0/GroupID1/#' with another user, Engine is disconnected and blinking between connected and disconnected.
The MQTT publisher is working properly with the ACL rules; I tested it with an external client and it is OK.
Did you check the Ignition logs? They're usually pretty good at giving an indication of the problem.
Also, do you have the Primary Host configured in Engine? That would result in Engine publishing on a topic not allowed by the new ACL.
The log says that the Engine server failed to subscribe to topics.
What kind of primary host configuration should I check? I am using the default set with enabled primary host ID.
ACLs are case sensitive, so you have to make sure they are perfect. But, can you show a screenshot of your Transmitter configuration (on the Edge side - MQTT Transmission)? Where are you configuring GroupID1, GroupID2, and GroupID3? You aren't showing those in your screenshots. If those Sparkplug IDs don't exist, then it might be why you are getting that error.
You may need to add a custom Group Id filter to Engine (under Namespaces tab). Otherwise, it makes a subscription of 'spBv1.0/#', which would fail.
Yeah, that was going to be my next suggestion after confirming GroupID1, GroupID2, and GroupID3 actually exist.
@Ahmed_badawi1, on the Engine gateway, go to MQTT Engine Settings > Namespaces tab > Default tab > Click Edit on SparkPlug B > Filtered tab > Click 'Create new Topic Token Filter...', and then create a filter for GroupID1, GroupID2, and GroupID3 separately. These Namespaces are required for ACLs to access specific Sparkplug IDs.
Yes, I created GroupID, NodeID, DeviceID for each transmitter. Unfortunately the server is not available now, but the Sparkplug IDs are GroupID1,2,3/NodeID1,2,3/DeviceID1,2,3 for each transmitter 1,2,3.
About filters, I didn't try it, but the admin user with RW # is working properly without filters!
Yes, admin user will work without filters because it is a wildcard subscription to everything. I'm pretty sure the issue is the Namespace Filter for GroupID1/2/3.
Yep, that looks good. Thanks. Try configuring those Namespace Filters on the Engine side and let us know if that solves your problem.
These are the filters, but the problem still exists.
These are the logs.
The details of the message are:
"org.eclipse.paho.client.mqttv3.MqttSecurityException: Not authorized to connect
at org.eclipse.paho.client.mqttv3.internal.ExceptionHelper.createMqttException(ExceptionHelper.java:28)
at org.eclipse.paho.client.mqttv3.internal.ClientState.notifyReceivedAck(ClientState.java:1053)
at org.eclipse.paho.client.mqttv3.internal.CommsReceiver.run(CommsReceiver.java:151)
at java.base/java.lang.Thread.run(Unknown Source)"
That's failing on topic: spBv1.0/STATE/Default_Set_Primary_Host_ID_user1. It's not failing on GroupID1, so I think we are getting closer.
Try changing your ACL to this: 'R #, W spBv1.0/GroupID1/#'. This would allow user1 to read all, but only write to GroupID1.
You'll also need to add 'W spBv1.0/STATE/#' to the ACL. Or disable Primary Host in Engine.
It looks like user1 is trying to write to GroupID3.
You may want to open a support ticket with Cirrus-Link at this point. They respond quickly and can walk you through all of this and explain when to turn on or off certain things better than us volunteers.
Ok, thanks, I will post the solution when it's solved, inshallah.
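Added example, not part of the posts above and not the broker's or Cirrus Link's code: a simplified Python model of how a topic ACL is checked against the subscriptions and publishes discussed in this thread, showing which Engine actions each ACL variant denies. It assumes a subscription is authorized only when an ACL filter covers every topic the subscription could match, and that Engine subscribes to 'spBv1.0/GroupID1/#' once a GroupID1 filter is configured; `ENGINE_ACTIONS`, `covers` and `audit` are hypothetical names.

```python
# Simplified model of MQTT topic ACL checks (assumption, not broker code).
ENGINE_ACTIONS = [  # constructed from the topics named in the thread
    ("R", "spBv1.0/#"),            # Engine's default subscription, no Group ID filter
    ("R", "spBv1.0/GroupID1/#"),   # assumed subscription with a GroupID1 filter
    ("W", "spBv1.0/STATE/Default_Set_Primary_Host_ID_user1"),  # Primary Host STATE
]

def parse_acl(acl):
    """'R #, W spBv1.0/GroupID1/#' -> [('R', ['#']), ('W', ['spBv1.0', ...])]"""
    rules = []
    for entry in acl.split(","):
        perms, topic_filter = entry.split()
        rules.append((perms.upper(), topic_filter.split("/")))
    return rules

def covers(acl_filter, requested):
    """True if every topic matched by `requested` (a topic or a subscription
    filter) is also matched by `acl_filter`. Comparison is case sensitive."""
    for i, level in enumerate(acl_filter):
        if level == "#":
            return True                 # ACL wildcard covers the rest
        if i >= len(requested):
            return False                # request ends before the ACL filter does
        if requested[i] == "#":
            return False                # request is wider than the ACL here
        if level != "+" and level != requested[i]:
            return False                # literal mismatch (or '+' vs a literal)
    return len(requested) == len(acl_filter)

def allowed(rules, op, topic):
    levels = topic.split("/")
    return any(op in perms and covers(f, levels) for perms, f in rules)

def audit(acl):
    """Return the Engine actions from ENGINE_ACTIONS that `acl` would deny."""
    rules = parse_acl(acl)
    return [(op, t) for op, t in ENGINE_ACTIONS if not allowed(rules, op, t)]

if __name__ == "__main__":
    for acl in ("RW #",
                "RW spBv1.0/GroupID1/#",
                "R #, W spBv1.0/GroupID1/#",
                "R #, W spBv1.0/GroupID1/#, W spBv1.0/STATE/#"):
        print(f"{acl!r}: denied -> {audit(acl) or 'nothing'}")
```

Running it lists, for each ACL, the denied actions, which makes it easy to see that the least-privilege option is the Group ID filter plus a narrow STATE write rule rather than a broad 'R #'.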