MQTT Subscription Cleanup Fails for a Client with Expired Credentials

Solution Verified

Issue

When an MQTT client connects and subscribes with a token from a provider, and the token expires while the client is still connected, the client continues to receive messages. When the client then tries to close and remove the subscription, the operation fails with:

2023-01-12 11:00:33,579 ERROR [org.apache.activemq.artemis.core.protocol.mqtt] AMQ834000: Error removing subscription.: ActiveMQSecurityException[errorType=SECURITY_EXCEPTION message=AMQ229031: Unable to validate user from /10.XXX.XXX.XXX:60849. Username: {TOKEN}; SSL certificate subject DN: unavailable]
        at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.authenticationFailed(SecurityStoreImpl.java:362) [artemis-server-2.21.0.redhat-00041.jar:2.21.0.redhat-00041]
        at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.check(SecurityStoreImpl.java:260) [artemis-server-2.21.0.redhat-00041.jar:2.21.0.redhat-00041]
        at org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl.destroyQueue(ActiveMQServerImpl.java:2415) [artemis-server-2.21.0.redhat-00041.jar:2.21.0.redhat-00041]
        at org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl.destroyQueue(ActiveMQServerImpl.java:2388) [artemis-server-2.21.0.redhat-00041.jar:2.21.0.redhat-00041]
        at org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.deleteQueue(ServerSessionImpl.java:1180) [artemis-server-2.21.0.redhat-00041.jar:2.21.0.redhat-00041]
        at org.apache.activemq.artemis.core.protocol.mqtt.MQTTSubscriptionManager.removeSubscription(MQTTSubscriptionManager.java:309) [artemis-mqtt-protocol-2.21.0.redhat-00041.jar:2.21.0.redhat-00041]
        at org.apache.activemq.artemis.core.protocol.mqtt.MQTTSubscriptionManager.clean(MQTTSubscriptionManager.java:381) [artemis-mqtt-protocol-2.21.0.redhat-00041.jar:2.21.0.redhat-00041]
        at org.apache.activemq.artemis.core.protocol.mqtt.MQTTSession.clean(MQTTSession.java:225) [artemis-mqtt-protocol-2.21.0.redhat-00041.jar:2.21.0.redhat-00041]
        at org.apache.activemq.artemis.core.protocol.mqtt.MQTTSession.stop(MQTTSession.java:144) [artemis-mqtt-protocol-2.21.0.redhat-00041.jar:2.21.0.redhat-00041]
        at org.apache.activemq.artemis.core.protocol.mqtt.MQTTConnectionManager.disconnect(MQTTConnectionManager.java:187) [artemis-mqtt-protocol-2.21.0.redhat-00041.jar:2.21.0.redhat-00041]
        at org.apache.activemq.artemis.core.protocol.mqtt.MQTTProtocolHandler.disconnect(MQTTProtocolHandler.java:270) [artemis-mqtt-protocol-2.21.0.redhat-00041.jar:2.21.0.redhat-00041]
        at org.apache.activemq.artemis.core.protocol.mqtt.MQTTProtocolHandler.disconnect(MQTTProtocolHandler.java:260) [artemis-mqtt-protocol-2.21.0.redhat-00041.jar:2.21.0.redhat-00041]
        at org.apache.activemq.artemis.core.protocol.mqtt.MQTTProtocolHandler.act(MQTTProtocolHandler.java:195) [artemis-mqtt-protocol-2.21.0.redhat-00041.jar:2.21.0.redhat-00041]
        at org.apache.activemq.artemis.utils.actors.Actor.doTask(Actor.java:33) [artemis-commons-2.21.0.redhat-00041.jar:]
        at org.apache.activemq.artemis.utils.actors.ProcessorBase.executePendingTasks(ProcessorBase.java:67) [artemis-commons-2.21.0.redhat-00041.jar:]
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [java.base:]
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [java.base:]
        at org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118) [artemis-commons-2.21.0.redhat-00041.jar:]

As a result, queues are left orphaned on the broker, which eventually leads to memory exhaustion. If messages are left in the queue and the client subsequently resubscribes, those messages are delivered to the client, even if it subscribes with the cleanSession flag set to true.
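
One way to find this failure in a broker log and see which clients trigger it, as an added example that is not Red Hat's or the Artemis project's code. The function names are hypothetical, and the sample log lines are constructed from the error shown above, with documentation-range addresses in place of the redacted one.

```python
import re
from collections import Counter

# ERROR line from this article: AMQ834000 (subscription removal failed)
# wrapping AMQ229031 (user could not be validated).
PATTERN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} ERROR "
    r"\[org\.apache\.activemq\.artemis\.core\.protocol\.mqtt\] "
    r"AMQ834000: .*AMQ229031: Unable to validate user from "
    r"/(?P<addr>\S+):(?P<port>\d+)\. Username:"
)

# Constructed sample log (not captured from a real broker).
SAMPLE = """\
2023-01-12 11:00:33,579 ERROR [org.apache.activemq.artemis.core.protocol.mqtt] AMQ834000: Error removing subscription.: ActiveMQSecurityException[errorType=SECURITY_EXCEPTION message=AMQ229031: Unable to validate user from /192.0.2.10:60849. Username: {TOKEN}; SSL certificate subject DN: unavailable]
        at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.check(SecurityStoreImpl.java:260)
2023-01-12 11:02:10,004 ERROR [example.logger] AMQ229031: Unable to validate user from /192.0.2.77:40000. Username: {TOKEN}; SSL certificate subject DN: unavailable
2023-01-12 11:05:41,120 ERROR [org.apache.activemq.artemis.core.protocol.mqtt] AMQ834000: Error removing subscription.: ActiveMQSecurityException[errorType=SECURITY_EXCEPTION message=AMQ229031: Unable to validate user from /192.0.2.10:60911. Username: {TOKEN}; SSL certificate subject DN: unavailable]
2023-01-12 11:07:02,333 ERROR [org.apache.activemq.artemis.core.protocol.mqtt] AMQ834000: Error removing subscription.: ActiveMQSecurityException[errorType=SECURITY_EXCEPTION message=AMQ229031: Unable to validate user from /198.51.100.23:51000. Username: {TOKEN}; SSL certificate subject DN: unavailable]
""".splitlines()


def find_failed_cleanups(lines):
    """Return (timestamp, address, port) for each failed subscription removal.

    Stack-trace lines and AMQ229031 failures logged outside the MQTT
    cleanup path do not match and are skipped.
    """
    hits = []
    for line in lines:
        m = PATTERN.match(line)
        if m:
            hits.append((m["ts"], m["addr"], int(m["port"])))
    return hits


def summarize(hits):
    """Count failed removals per client address, most frequent first."""
    return Counter(addr for _, addr, _ in hits).most_common()


if __name__ == "__main__":
    for addr, count in summarize(find_failed_cleanups(SAMPLE)):
        print(f"{addr}: {count} failed subscription removal(s)")
```

Each match marks a removal that did not complete, so the per-address counts indicate which clients to check for leftover queues on the broker.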

Environment

AMQ Broker 7
