运行 greengrass 的设备从 IoT core 获取设备影子时需要的权限

0

【以下的问题经过翻译处理】 我正在尝试从AWS IoT 获取事物定义名为cycle_topic的影子。权限/配置让我困惑。在我看来,在ShadowManager中,我为SliceOfPi设备获取count_topic 配置了正确的权限。我相信这是一个权限问题。我的配置哪里出了问题?

以下是各组件的配置:

Configure aws.greengrass.clientdevices.mqtt.Bridge:

{
  "reset": [],
  "merge": {
    "mqttTopicMapping": {
      "HelloWorldIotCoreMapping": {
        "topic": "#",
        "source": "Pubsub",
        "target": "IotCore"
      }
    },
    "ShadowsPubsubToLocalMqtt": {
      "topic": "$aws/things/+/shadow/#",
      "source": "Pubsub",
      "target": "LocalMqtt"
    }
  }
}

Configure aws.greengrass.clientdevices.Auth:

{
  "reset": [],
  "merge": {
    "deviceGroups": {
      "formatVersion": "2021-03-05",
      "definitions": {
        "MyPermissiveDeviceGroup": {
          "selectionRule": "thingName: *",
          "policyName": "MyPermissivePolicy"
        }
      },
      "policies": {
        "MyPermissivePolicy": {
          "AllowAll": {
            "statementDescription": "Allow client devices to perform all actions.",
            "operations": [
              "*"
            ],
            "resources": [
              "*"
            ]
          }
        }
      }
    }
  }
}

aws.greengrass.ShadowManager:

{
  "reset": [],
  "merge": {
    "strategy": {
      "type": "realTime"
    },
    "synchronize": {
      "coreThing": {
        "classic": true,
        "namedShadows": [
          "count_topic"
        ]
      },
      "shadowDocuments": [
        {
          "thingName": "SliceOfPi",
          "classic": true,
          "namedShadows": [
            "count_topic"
          ]
        }
      ],
      "direction": "cloudToDevice"
    }
  }
}

我在greengrass.log中看到的错误日志:

2022-09-20T21:51:46.237Z [WARN] (Thread-4) com.aws.greengrass.shadowmanager.ipc.GetThingShadowRequestHandler: handle-get-thing-shadow. Not authorized to get shadow. {thing name=SliceOfPi, shadow name=count_topic} com.aws.greengrass.authorization.exceptions.AuthorizationException: Principal com.xxxxxxxxxx.productivity.cycle_count is not authorized to perform aws.greengrass.ShadowManager:aws.greengrass#GetThingShadow on resource $aws/things/SliceOfPi/shadow/name/count_topic at com.aws.greengrass.authorization.AuthorizationHandler.isAuthorized(AuthorizationHandler.java:247) at com.aws.greengrass.authorization.AuthorizationHandler.isAuthorized(AuthorizationHandler.java:255) at com.aws.greengrass.shadowmanager.AuthorizationHandlerWrapper.doAuthorization(AuthorizationHandlerWrapper.java:73) at com.aws.greengrass.shadowmanager.AuthorizationHandlerWrapper.doAuthorization(AuthorizationHandlerWrapper.java:56) at com.aws.greengrass.shadowmanager.ipc.GetThingShadowRequestHandler.lambda$handleRequest$0(GetThingShadowRequestHandler.java:87) at com.aws.greengrass.ipc.common.ExceptionUtil.translateExceptions(ExceptionUtil.java:33) at com.aws.greengrass.shadowmanager.ipc.GetThingShadowRequestHandler.handleRequest(GetThingShadowRequestHandler.java:75) at com.aws.greengrass.shadowmanager.ipc.GetThingShadowIPCHandler.handleRequest(GetThingShadowIPCHandler.java:82) at com.aws.greengrass.shadowmanager.ipc.GetThingShadowIPCHandler.handleRequest(GetThingShadowIPCHandler.java:28) at software.amazon.awssdk.eventstreamrpc.OperationContinuationHandler.onContinuationMessage(OperationContinuationHandler.java:291) at software.amazon.awssdk.crt.eventstream.ServerConnectionContinuationHandler.onContinuationMessageShim(ServerConnectionContinuationHandler.java:53)

profile picture
专家
已提问 6 个月前24 查看次数
1 回答
0

【以下的回答经过翻译处理】 你是如何尝试访问影子的?我注意到你正在使用 MQTT 桥接组件从 PubSub 桥接到 IoT Core。通常情况下,你不需要这样做,因为组件能够直接发布到 IoT Core。只有当你尝试连接外部客户端设备到Greengrass时,客户端设备身份验证和MQTT桥接组件才是必要的。

根据你提供的跟踪日志,我怀疑您实际上是在使用 GetThingShadow IPC API 来尝试从组件中访问影子。您可以在下面看到授权失败的日志:

com.aws.greengrass.shadowmanager.ipc.GetThingShadowRequestHandler: handle-get-thing-shadow. Not authorized to get shadow. {thing name=SliceOfPi, shadow name=count_topic} com.aws.greengrass.authorization.exceptions.AuthorizationException: Principal com.xxxxxxxxxx.productivity.cycle_count is not authorized to perform aws.greengrass.ShadowManager:aws.greengrass#GetThingShadow on resource $aws/things/SliceOfPi/shadow/name/count_topic
...

你可以通过更新cycle_count组件的accessControl部分来解决这个问题。 https://docs.aws.amazon.com/greengrass/v2/developerguide/ipc-local-shadows.html#ipc-local-shadow-authorization

profile picture
专家
已回答 6 个月前

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则