运行 greengrass 的设备从 IoT core 获取设备影子时需要的权限
【以下的问题经过翻译处理】 我正在尝试从AWS IoT 获取事物定义名为cycle_topic的影子。权限/配置让我困惑。在我看来,在ShadowManager中,我为SliceOfPi设备获取count_topic 配置了正确的权限。我相信这是一个权限问题。我的配置哪里出了问题?
以下是各组件的配置:
Configure aws.greengrass.clientdevices.mqtt.Bridge:
{
"reset": [],
"merge": {
"mqttTopicMapping": {
"HelloWorldIotCoreMapping": {
"topic": "#",
"source": "Pubsub",
"target": "IotCore"
}
},
"ShadowsPubsubToLocalMqtt": {
"topic": "$aws/things/+/shadow/#",
"source": "Pubsub",
"target": "LocalMqtt"
}
}
}
Configure aws.greengrass.clientdevices.Auth:
{
"reset": [],
"merge": {
"deviceGroups": {
"formatVersion": "2021-03-05",
"definitions": {
"MyPermissiveDeviceGroup": {
"selectionRule": "thingName: *",
"policyName": "MyPermissivePolicy"
}
},
"policies": {
"MyPermissivePolicy": {
"AllowAll": {
"statementDescription": "Allow client devices to perform all actions.",
"operations": [
"*"
],
"resources": [
"*"
]
}
}
}
}
}
}
aws.greengrass.ShadowManager:
{
"reset": [],
"merge": {
"strategy": {
"type": "realTime"
},
"synchronize": {
"coreThing": {
"classic": true,
"namedShadows": [
"count_topic"
]
},
"shadowDocuments": [
{
"thingName": "SliceOfPi",
"classic": true,
"namedShadows": [
"count_topic"
]
}
],
"direction": "cloudToDevice"
}
}
}
我在greengrass.log中看到的错误日志:
2022-09-20T21:51:46.237Z [WARN] (Thread-4) com.aws.greengrass.shadowmanager.ipc.GetThingShadowRequestHandler: handle-get-thing-shadow. Not authorized to get shadow. {thing name=SliceOfPi, shadow name=count_topic} com.aws.greengrass.authorization.exceptions.AuthorizationException: Principal com.xxxxxxxxxx.productivity.cycle_count is not authorized to perform aws.greengrass.ShadowManager:aws.greengrass#GetThingShadow on resource $aws/things/SliceOfPi/shadow/name/count_topic at com.aws.greengrass.authorization.AuthorizationHandler.isAuthorized(AuthorizationHandler.java:247) at com.aws.greengrass.authorization.AuthorizationHandler.isAuthorized(AuthorizationHandler.java:255) at com.aws.greengrass.shadowmanager.AuthorizationHandlerWrapper.doAuthorization(AuthorizationHandlerWrapper.java:73) at com.aws.greengrass.shadowmanager.AuthorizationHandlerWrapper.doAuthorization(AuthorizationHandlerWrapper.java:56) at com.aws.greengrass.shadowmanager.ipc.GetThingShadowRequestHandler.lambda$handleRequest$0(GetThingShadowRequestHandler.java:87) at com.aws.greengrass.ipc.common.ExceptionUtil.translateExceptions(ExceptionUtil.java:33) at com.aws.greengrass.shadowmanager.ipc.GetThingShadowRequestHandler.handleRequest(GetThingShadowRequestHandler.java:75) at com.aws.greengrass.shadowmanager.ipc.GetThingShadowIPCHandler.handleRequest(GetThingShadowIPCHandler.java:82) at com.aws.greengrass.shadowmanager.ipc.GetThingShadowIPCHandler.handleRequest(GetThingShadowIPCHandler.java:28) at software.amazon.awssdk.eventstreamrpc.OperationContinuationHandler.onContinuationMessage(OperationContinuationHandler.java:291) at software.amazon.awssdk.crt.eventstream.ServerConnectionContinuationHandler.onContinuationMessageShim(ServerConnectionContinuationHandler.java:53)
- 最新
- 投票最多
- 评论最多
【以下的回答经过翻译处理】 你是如何尝试访问影子的?我注意到你正在使用 MQTT 桥接组件从 PubSub 桥接到 IoT Core。通常情况下,你不需要这样做,因为组件能够直接发布到 IoT Core。只有当你尝试连接外部客户端设备到Greengrass时,客户端设备身份验证和MQTT桥接组件才是必要的。
根据你提供的跟踪日志,我怀疑您实际上是在使用 GetThingShadow IPC API 来尝试从组件中访问影子。您可以在下面看到授权失败的日志:
com.aws.greengrass.shadowmanager.ipc.GetThingShadowRequestHandler: handle-get-thing-shadow. Not authorized to get shadow. {thing name=SliceOfPi, shadow name=count_topic} com.aws.greengrass.authorization.exceptions.AuthorizationException: Principal com.xxxxxxxxxx.productivity.cycle_count is not authorized to perform aws.greengrass.ShadowManager:aws.greengrass#GetThingShadow on resource $aws/things/SliceOfPi/shadow/name/count_topic
...
你可以通过更新cycle_count组件的accessControl部分来解决这个问题。
https://docs.aws.amazon.com/greengrass/v2/developerguide/ipc-local-shadows.html#ipc-local-shadow-authorization
相关内容
AWS 官方已更新 1 年前- AWS 官方已更新 1 年前
- AWS 官方已更新 1 年前
- AWS 官方已更新 10 个月前