
I am trying the ShadowSample example that is part of the Java AWS IoT Device SDK - https://github.com/aws/aws-iot-device-sdk-java/blob/master/aws-iot-device-sdk-java-samples/src/main/java/com/amazonaws/services/iot/client/sample/shadow/ShadowSample.java

I am able to run it successfully and it works fine. However, it works fine when I attach the following policy to the certificate (and the certificate in turn to the thing) -

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Subscribe",
        "iot:Receive",
        "iot:Publish",
        "iot:Connect"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

I want a generic and strict policy (especially for the Publish and Receive actions) instead of granting all resources, i.e. the "*" resource. So I updated the policy with the following forms, but none of them work --

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Subscribe",
        "iot:Connect"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish"
      ],
      "Resource": [
        "arn:aws:iot:us-west-2:64867635xxxx:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/update",
        "arn:aws:iot:us-west-2:64867635xxxx:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/get",
        "arn:aws:iot:us-west-2:64867635xxxx:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/delete"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Receive"
      ],
      "Resource": [
        "arn:aws:iot:us-west-2:64867635xxxx:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/update/accepted",
        "arn:aws:iot:us-west-2:64867635xxxx:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/update/rejected",
        "arn:aws:iot:us-west-2:64867635xxxx:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/update/delta",
        "arn:aws:iot:us-west-2:64867635xxxx:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/update/documents",
        "arn:aws:iot:us-west-2:64867635xxxx:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/get/accepted",
        "arn:aws:iot:us-west-2:64867635xxxx:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/get/rejected",
        "arn:aws:iot:us-west-2:64867635xxxx:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/delete/accepted",
        "arn:aws:iot:us-west-2:64867635xxxx:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/delete/rejected"
      ]
    }
  ]
}

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Subscribe",
        "iot:Connect"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Receive"
      ],
      "Resource": [
        "arn:aws:iot:us-west-2:64867635xxxx:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/update/*",
        "arn:aws:iot:us-west-2:64867635xxxx:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/get/*",
        "arn:aws:iot:us-west-2:64867635xxxx:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/delete/*"
      ]
    }
  ]
}

Note - for security purposes I have put xxxx in the account number. In the actual policy I have the correct values.

I even replaced the * in the topics with #, but the same result continues. The result is --

Oct 25, 2017 9:32:43 AM com.amazonaws.services.iot.client.mqtt.AwsIotMqttConnectionListener onFailure
WARNING: Connect request failure
Unable to connect to server (32103) - java.net.ConnectException: Connection timed out: connect
    at org.eclipse.paho.client.mqttv3.internal.TCPNetworkModule.start(TCPNetworkModule.java:94)
    at org.eclipse.paho.client.mqttv3.internal.SSLNetworkModule.start(SSLNetworkModule.java:103)
    at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:701)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.net.ConnectException: Connection timed out: connect
    at java.net.DualStackPlainSocketImpl.waitForConnect(Native Method)
    at java.net.DualStackPlainSocketImpl.socketConnect(DualStackPlainSocketImpl.java:85)
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
    at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
    at java.net.Socket.connect(Socket.java:589)
    at org.eclipse.paho.client.mqttv3.internal.TCPNetworkModule.start(TCPNetworkModule.java:80)
    ... 9 more

Oct 25, 2017 9:32:43 AM com.amazonaws.services.iot.client.core.AwsIotConnection onConnectionFailure
INFO: Connection temporarily lost

On AWS CloudWatch, under the AWS IoT specific logs, I found -

2017-10-25 04:10:22.633 TRACEID:1db8b391-83c7-faf3-5aeb-c0d106787afe PRINCIPALID:e7ac813cdcbecffebecef9647a166882f93f5a2aa214cb6bbd9a1e41f7832f76 [ERROR] EVENT:MQTT Client Connect MESSAGE:Connect Status: AUTHORIZATION_ERROR

What should a generic and strict policy that supports the Publish and Receive actions look like?

Note that when I tried the pub-sub sample (also provided in the same SDK), the above policies I tried worked fine. These policies do not work for the shadow sample because there is an additional step of attaching the thing to the connecting client.

Another small query: how would I minimize or restrict the topic subscriptions for the Subscribe action in a generic way, since variable substitution (such as thing type or thing name) does not apply to Subscribe (but does apply to Receive and Publish)?


1 Answer


Is your MQTT client ID the same as your thing name?

I recently ran into a similar issue when trying to create a policy that uses thing attributes. It was not attaching my Cognito Identity to the Thing the way I expected. My policy did not work until I changed my MQTT client ID, after which the thing attributes were pulled correctly. I wanted one thing per customer, but since the MQTT client ID has to be unique, and it is also what attaches the connection to the thing, I needed to create a thing for each of every customer's devices.

I believe the reason for attaching the identity principal to the thing and using the MQTT client ID to attach the connection to the thing is that you can actually attach the same identity principal to multiple things, and on the backend it would not know exactly what you should be connecting as. This allows you to reuse the same identity for the same customer across multiple devices, which is more in line with how Cognito works. It also prevents a certificate or Cognito identity from being attached to a thing it does not have permission for.

Let me know if this helps.

Answered 2017-11-14T00:59:10.530
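As an added example that is not part of the question, the answer, or the SDK: a scoped shadow policy that encodes the answer's point (the Connect statement only admits a client ID equal to the thing name, Subscribe uses topicfilter ARNs, Receive and Publish use topic ARNs), plus a small local check of which (action, resource) pairs the ShadowSample needs would be denied. It assumes, as the answer suggests, that ${iot:Connection.Thing.ThingName} resolves only when the MQTT client ID equals the name of a thing the certificate is attached to, models * in a resource ARN as an IAM-style wildcard, and reuses the redacted region and account from the question.

```python
import fnmatch

# Added example, not code from the question or the answer. Assumptions: the
# ${iot:Connection.Thing.ThingName} variable resolves only when the MQTT client ID
# equals the name of a thing the certificate is attached to (the answer's point),
# and '*' in a resource ARN is an IAM-style wildcard (modelled with fnmatch).
REGION, ACCOUNT = "us-west-2", "64867635xxxx"  # redacted values from the question
VAR = "${iot:Connection.Thing.ThingName}"
OPS = ("update", "get", "delete")

def arn(kind, path):
    return f"arn:aws:iot:{REGION}:{ACCOUNT}:{kind}/{path}"

# Scoped shadow policy: Connect is tied to a client ID equal to the thing name,
# Subscribe uses topicfilter ARNs, Receive and Publish use topic ARNs.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iot:Connect"], "Resource": [arn("client", VAR)]},
    {"Effect": "Allow", "Action": ["iot:Subscribe"],
     "Resource": [arn("topicfilter", f"$aws/things/{VAR}/shadow/{op}/*") for op in OPS]},
    {"Effect": "Allow", "Action": ["iot:Receive"],
     "Resource": [arn("topic", f"$aws/things/{VAR}/shadow/{op}/*") for op in OPS]},
    {"Effect": "Allow", "Action": ["iot:Publish"],
     "Resource": [arn("topic", f"$aws/things/{VAR}/shadow/{op}") for op in OPS]},
]}

def is_allowed(policy, action, resource, client_id, attached_things):
    """Local model of one policy decision; an unresolved variable never matches."""
    thing = client_id if client_id in attached_things else None
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or action not in st["Action"]:
            continue
        for pattern in st["Resource"]:
            if VAR in pattern:
                if thing is None:
                    continue
                pattern = pattern.replace(VAR, thing)
            if fnmatch.fnmatchcase(resource, pattern):
                return True
    return False

def shadow_sample_denials(client_id, thing_name):
    """(action, resource) pairs the ShadowSample needs that POLICY would deny."""
    base = f"$aws/things/{thing_name}/shadow"
    needed = [("iot:Connect", arn("client", client_id))]
    for op in OPS:
        needed += [("iot:Publish", arn("topic", f"{base}/{op}")),
                   ("iot:Subscribe", arn("topicfilter", f"{base}/{op}/accepted")),
                   ("iot:Receive", arn("topic", f"{base}/{op}/rejected"))]
    return [p for p in needed if not is_allowed(POLICY, *p, client_id, {thing_name})]
```

With a client ID that is not the thing name (for example the SDK's default client ID), every statement that depends on the variable is denied, Connect included, which is the AUTHORIZATION_ERROR pattern in the CloudWatch log above; with the two equal, the denial list is empty.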