"Not authorized" Errors and Empty Permissions in Enterprise Security Extension Configuration

Problem

You may encounter the following issues when using HiveMQ with the Enterprise Security Extension (ESE):

  1. "Not authorized" error when a client attempts to publish or subscribe.

  2. The HiveMQ access.log shows successful authorization but no permissions assigned:

authorization-succeeded - Client succeeded authorization: ID /devices/lxcj-p43a-xa8s-crpf, IP 10.224.0.5, permissions [].

These symptoms indicate that while the client is authenticated correctly, it is not authorized due to incorrect or missing permission configuration.

Root cause

This behavior can occur if:

  1. The ESE configuration uses role-based permissions, but user-specific permissions were intended, or vice versa.

  2. Incorrect roles or permissions are assigned to the user in the SQL database or file realm. Check the SQL backend to verify that the user has the correct permissions set.

  3. The ESE is misconfigured to retrieve permissions via roles when it should use direct user permissions.

Misconfigured example:

<use-authorization-key>false</use-authorization-key>
<use-authorization-role-key>true</use-authorization-role-key>

This will cause ESE to fetch permissions based on roles, and if none are found or mapped incorrectly, it returns permissions [], causing "Not authorized" errors on publish or subscribe.

Solution

If you are using user-specific permissions (not roles), update your ESE configuration as follows:

<use-authorization-key>true</use-authorization-key>
<use-authorization-role-key>false</use-authorization-role-key>

This ensures that the broker uses the user’s explicit permissions instead of attempting to derive them from roles.

Restart the HiveMQ broker or the Enterprise Security Extension to apply the extension configuration change.
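To spot both symptoms quickly, the following added example (not part of this article or the HiveMQ product) scans access.log lines in the format quoted above for clients authorized with permissions [] and classifies which permission source the two ESE flags select. The log sample is constructed; the second line's permission text and the wrapping XML element are placeholders, not the real ESE format.

```python
import re
import xml.etree.ElementTree as ET

# Constructed access.log sample (not real broker output): the first line copies the
# format quoted in the article, the second is a made-up client with a non-empty list.
SAMPLE_ACCESS_LOG = """\
authorization-succeeded - Client succeeded authorization: ID /devices/lxcj-p43a-xa8s-crpf, IP 10.224.0.5, permissions [].
authorization-succeeded - Client succeeded authorization: ID /devices/sensor-01, IP 10.224.0.6, permissions [publish:devices/sensor-01/#].
"""

AUTHZ_LINE = re.compile(
    r"Client succeeded authorization: ID (?P<client>\S+), IP (?P<ip>\S+), "
    r"permissions \[(?P<perms>[^\]]*)\]"
)


def empty_permission_clients(log_text):
    """Return (client id, ip) pairs that passed authorization with an empty permission list."""
    hits = []
    for line in log_text.splitlines():
        m = AUTHZ_LINE.search(line)
        if m and m.group("perms").strip() == "":
            hits.append((m.group("client"), m.group("ip")))
    return hits


def _flag_is_true(root, name):
    el = root.find(f".//{name}")
    return el is not None and (el.text or "").strip().lower() == "true"


def diagnose_permission_source(config_xml):
    """Classify the permission lookup selected by the two flags discussed in the article.

    config_xml is any XML document containing <use-authorization-key> and
    <use-authorization-role-key>; the enclosing element is an assumption and is not inspected.
    """
    root = ET.fromstring(config_xml)
    user_key = _flag_is_true(root, "use-authorization-key")
    role_key = _flag_is_true(root, "use-authorization-role-key")
    if user_key and not role_key:
        return "user-permissions"   # the configuration the article recommends for per-user permissions
    if role_key and not user_key:
        return "role-permissions"   # the misconfigured example: permissions come only from roles
    return "other"


if __name__ == "__main__":
    for client, ip in empty_permission_clients(SAMPLE_ACCESS_LOG):
        print(f"client {client} from {ip} was authorized with no permissions")
```

Run it against a copy of the real access.log and the ESE configuration; any client listed alongside a "role-permissions" result points at the mismatch the article describes.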