weixin_39900286
2021-01-12 03:23

AccessRules: Account does not have the right to perform the operation

What version of ejabberd are you using? ejabberd 17.01

I am trying to use the OAuth REST API to connect from an external server. I have successfully generated a token. But when I tried to get the connected users, I got the error below.

AccessRules: Account does not have the right to perform the operation error message

Code:

    $curl = curl_init();
    curl_setopt_array($curl, array(
        CURLOPT_PORT => "5280",
        CURLOPT_URL => "http://Ip:5280/api/get_roster",
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_ENCODING => "",
        CURLOPT_MAXREDIRS => 10,
        CURLOPT_TIMEOUT => 30,
        CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
        CURLOPT_CUSTOMREQUEST => "POST",
        CURLOPT_POSTFIELDS => "{\"host\":\"localhost\",\"user\":\"testuser\"}",
        CURLOPT_HTTPHEADER => array(
            "Authorization: bearer Token",
            "cache-control: no-cache",
            "content-type: application/json",
            "X-Admin: true"
        ),
    ));
    $response = curl_exec($curl);
    curl_close($curl);

My yml file


###
###'              ejabberd configuration file
###
###

### The parameters used in this configuration file are explained in more detail
### in the ejabberd Installation and Operation Guide.
### Please consult the Guide in case of doubts, it is included with
### your copy of ejabberd, and is also available online at
### http://www.process-one.net/en/ejabberd/docs/

### The configuration file is written in YAML.
### Refer to http://en.wikipedia.org/wiki/YAML for the brief description.
### However, ejabberd treats different literals as different types:
###
### - unquoted or single-quoted strings. They are called "atoms".
###   Example: dog, 'Jupiter', '3.14159', YELLOW
###
### - numeric literals. Example: 3, -45.0, .0
###
### - quoted or folded strings.
###   Examples of quoted string: "Lizzard", "orange".
###   Example of folded string:
###   > Art thou not Romeo,
###     and a Montague?

###.  =======
###'  LOGGING

##
## loglevel: Verbosity of log files generated by ejabberd.
## 0: No ejabberd log at all (not recommended)
## 1: Critical
## 2: Error
## 3: Warning
## 4: Info
## 5: Debug
##
loglevel: 4

##
## rotation: Describe how to rotate logs. Either size and/or date can trigger
## log rotation. Setting count to N keeps N rotated logs. Setting count to 0
## does not disable rotation, it instead rotates the file and keeps no previous
## versions around. Setting size to X rotate log when it reaches X bytes.
## To disable rotation set the size to 0 and the date to ""
## Date syntax is taken from the syntax newsyslog uses in newsyslog.conf.
## Some examples:
##  $D0     rotate every night at midnight
##  $D23    rotate every day at 23:00 hr
##  $W0D23  rotate every week on Sunday at 23:00 hr
##  $W5D16  rotate every week on Friday at 16:00 hr
##  $M1D0   rotate on the first day of every month at midnight
##  $M5D6   rotate on every 5th day of the month at 6:00 hr
##
log_rotate_size: 10485760
log_rotate_date: ""
log_rotate_count: 1

##
## overload protection: If you want to limit the number of messages per second
## allowed from error_logger, which is a good idea if you want to avoid a flood
## of messages when system is overloaded, you can set a limit.
## 100 is ejabberd's default.
log_rate_limit: 100

##
## watchdog_admins: Only useful for developers: if an ejabberd process
## consumes a lot of memory, send live notifications to these XMPP
## accounts.
##
## watchdog_admins:
##   - "bob.com"

###.  ===============
###'  NODE PARAMETERS

##
## net_ticktime: Specifies net_kernel tick time in seconds. This options must have
## identical value on all nodes, and in most cases shouldn't be changed at all from
## default value.
##
## net_ticktime: 60

###.  ================
###'  SERVED HOSTNAMES

##
## hosts: Domains served by ejabberd.
## You can define one or several, for example:
## hosts: 
##   - "example.net"
##   - "example.com"
##   - "example.org"
##
hosts:
  - "localhost"

##
## route_subdomains: Delegate subdomains to other XMPP servers.
## For example, if this ejabberd serves example.org and you want
## to allow communication with an XMPP server called im.example.org.
##
## route_subdomains: s2s

###.  ===============
###'  LISTENING PORTS

##
## listen: The ports ejabberd will listen on, which service each is handled
## by and what options to start it with.
##
listen: 
  - 
    port: 5222
    module: ejabberd_c2s
    ##
    ## If TLS is compiled in and you installed a SSL
    ## certificate, specify the full path to the
    ## file and uncomment these lines:
    ##
    ## certfile: "/path/to/ssl.pem"
    ## starttls: true
    ##
    ## To enforce TLS encryption for client connections,
    ## use this instead of the "starttls" option:
    ##
    ## starttls_required: true
    ##
    ## Custom OpenSSL options
    ##
    ## protocol_options:
    ##   - "no_sslv3"
    ##   - "no_tlsv1"
    max_stanza_size: 65536
    shaper: c2s_shaper
    access: c2s
  - 
    port: 5269
    module: ejabberd_s2s_in
  ##
  ## ejabberd_service: Interact with external components (transports, ...)
  ##
  ## - 
  ##   port: 8888
  ##   module: ejabberd_service
  ##   access: all
  ##   shaper_rule: fast
  ##   ip: "127.0.0.1"
  ##   privilege_access: 
  ##      roster: "both"
  ##      message: "outgoing"
  ##      presence: "roster"
  ##   delegations:
  ##      "urn:xmpp:mam:1":
  ##        filtering: ["node"]
  ##      "http://jabber.org/protocol/pubsub":
  ##        filtering: []
  ##   hosts:
  ##     "icq.example.org":
  ##       password: "secret"
  ##     "sms.example.org":
  ##       password: "secret"

  ##
  ## ejabberd_stun: Handles STUN Binding requests
  ##
  ## - 
  ##   port: 3478
  ##   transport: udp
  ##   module: ejabberd_stun

  #!yaml

  ## To handle XML-RPC requests that provide admin credentials:
  ##
  # - 
  #   port: 4560
  #   module: ejabberd_xmlrpc
  #  access_commands: {}
  #- 
    port: 5280
    module: ejabberd_http
    request_handlers:
      "/websocket": ejabberd_http_ws
      "/log": mod_log_http
     # OAuth support:
      "/oauth": ejabberd_oauth
      # ReST API:
      "/api": mod_http_api
    ##  "/pub/archive": mod_http_fileserver
    web_admin: true
    http_bind: true
    ## register: true
    captcha: true
commands_admin_access: configure
commands:

  - add_commands: 
    - connected_users 
#    - user
oauth_expire: 3600
oauth_access: all

###.  ==================
###'  S2S GLOBAL OPTIONS

##
## s2s_use_starttls: Enable STARTTLS + Dialback for S2S connections.
## Allowed values are: false optional required required_trusted
## You must specify a certificate file.
##
## s2s_use_starttls: optional

##
## s2s_certfile: Specify a certificate file.
##
## s2s_certfile: "/path/to/ssl.pem"

## Custom OpenSSL options
##
## s2s_protocol_options:
##   - "no_sslv3"
##   - "no_tlsv1"

##
## domain_certfile: Specify a different certificate for each served hostname.
##
## host_config:
##   "example.org":
##     domain_certfile: "/path/to/example_org.pem"
##   "example.com":
##     domain_certfile: "/path/to/example_com.pem"

##
## S2S whitelist or blacklist
##
## Default s2s policy for undefined hosts.
##
## s2s_access: s2s

##
## Outgoing S2S options
##
## Preferred address families (which to try first) and connect timeout
## in milliseconds.
##
## outgoing_s2s_families:
##   - ipv4
##   - ipv6
## outgoing_s2s_timeout: 10000

###.  ==============
###'  AUTHENTICATION

##
## auth_method: Method used to authenticate the users.
## The default method is the internal.
## If you want to use a different method,
## comment this line and enable the correct ones.
##
auth_method: internal

##
## Store the plain passwords or hashed for SCRAM:
## auth_password_format: plain
## auth_password_format: scram
##
## Define the FQDN if ejabberd doesn't detect it:
## fqdn: "server3.example.com"

##
## Authentication using external script
## Make sure the script is executable by ejabberd.
##
## auth_method: external
## extauth_program: "/path/to/authentication/script"

##
## Authentication using SQL
## Remember to setup a database in the next section.
##
## auth_method: sql

##
## Authentication using PAM
##
## auth_method: pam
## pam_service: "pamservicename"

##
## Authentication using LDAP
##
## auth_method: ldap
##
## List of LDAP servers:
## ldap_servers:
##   - "localhost"
##
## Encryption of connection to LDAP servers:
## ldap_encrypt: none
## ldap_encrypt: tls
##
## Port to connect to on LDAP servers:
## ldap_port: 389
## ldap_port: 636
##
## LDAP manager:
## ldap_rootdn: "dc=example,dc=com"
##
## Password of LDAP manager:
## ldap_password: "******"
##
## Search base of LDAP directory:
## ldap_base: "dc=example,dc=com"
##
## LDAP attribute that holds user ID:
## ldap_uids:
##   - "mail": "%u.example.org"
##
## LDAP filter:
## ldap_filter: "(objectClass=shadowAccount)"

##
## Anonymous login support:
##   auth_method: anonymous
##   anonymous_protocol: sasl_anon | login_anon | both
##   allow_multiple_connections: true | false
##
## host_config:
##   "public.example.org":
##     auth_method: anonymous
##     allow_multiple_connections: false
##     anonymous_protocol: sasl_anon
##
## To use both anonymous and internal authentication:
##
## host_config:
##   "public.example.org":
##     auth_method:
##       - internal
##       - anonymous

###.  ==============
###'  DATABASE SETUP

## ejabberd by default uses the internal Mnesia database,
## so you do not necessarily need this section.
## This section provides configuration examples in case
## you want to use other database backends.
## Please consult the ejabberd Guide for details on database creation.

##
## MySQL server:
##
## sql_type: mysql
## sql_server: "server"
## sql_database: "database"
## sql_username: "username"
## sql_password: "password"
##
## If you want to specify the port:
## sql_port: 1234

##
## PostgreSQL server:
##
## sql_type: pgsql
## sql_server: "server"
## sql_database: "database"
## sql_username: "username"
## sql_password: "password"
##
## If you want to specify the port:
## sql_port: 1234
##
## If you use PostgreSQL, have a large database, and need a
## faster but inexact replacement for "select count(*) from users"
##
## pgsql_users_number_estimate: true

##
## SQLite:
##
## sql_type: sqlite
## sql_database: "/path/to/database.db"

##
## ODBC compatible or MSSQL server:
##
## sql_type: odbc
## sql_server: "DSN=ejabberd;UID=ejabberd;PWD=ejabberd"

##
## Number of connections to open to the database for each virtual host
##
## sql_pool_size: 10

##
## Interval to make a dummy SQL request to keep the connections to the
## database alive. Specify in seconds: for example 28800 means 8 hours
##
## sql_keepalive_interval: undefined

###.  ===============
###'  TRAFFIC SHAPERS

shaper:
  ##
  ## The "normal" shaper limits traffic speed to 1000 B/s
  ##
  normal: 1000

  ##
  ## The "fast" shaper limits traffic speed to 50000 B/s
  ##
  fast: 50000

##
## This option specifies the maximum number of elements in the queue
## of the FSM. Refer to the documentation for details.
##
max_fsm_queue: 1000

###.   ====================
###'   ACCESS CONTROL LISTS
acl:
  ##
  ## The 'admin' ACL grants administrative privileges to XMPP accounts.
  ## You can put here as many accounts as you want.
  ##
#   admin:
#    user:
#   - "admin" 
  ##     - "aleksey"
  ##     - "ermine.org"
  ##
  ## Blocked users
  ##
  ## blocked:
  ##   user:
  ##     - "baduser.org"
  ##     - "test"

  ## Local users: don't modify this.
  ##
  local: 
    user_regexp: ""

  ##
  ## More examples of ACLs
  ##
  ## jabberorg:
  ##   server:
  ##     - "jabber.org"
  ## aleksey:
  ##   user:
  ##     - "aleksey.ru"
  ## test:
  ##   user_regexp: "^test"
  ##   user_glob: "test*"

  ##
  ## Loopback network
  ##
  loopback:
    ip:
      - "127.0.0.0/8"

  ##
  ## Bad XMPP servers
  ##
  ## bad_servers:
  ##   server:
  ##     - "xmpp.zombie.org"
  ##     - "xmpp.spam.com"

##
## Define specific ACLs in a virtual host.
##
## host_config:
##   "localhost":
##     acl:
##       admin:
##         user:
##           - "bob-local"

###.  ============
###'  SHAPER RULES

shaper_rules:
  ## Maximum number of simultaneous sessions allowed for a single user:
  max_user_sessions: 10
  ## Maximum number of offline messages that users can have:
  max_user_offline_messages:
    - 5000: admin
    - 100
  ## For C2S connections, all users except admins use the "normal" shaper
  c2s_shaper:
    - none: admin
    - normal
  ## All S2S connections use the "fast" shaper
  s2s_shaper: fast

###.  ============
###'  ACCESS RULES
access_rules:
  ## This rule allows access only for local users:
  local:
    - allow: local
  ## Only non-blocked users can use c2s connections:
  c2s:
    - deny: blocked
    - allow
  ## Only admins can send announcement messages:
  announce:
    - allow: admin
  ## Only admins can use the configuration interface:
  configure: 
    - allow: admin
  ## Only accounts of the local ejabberd server can create rooms:
  muc_create: 
    - allow: local
  ## Only accounts on the local ejabberd server can create Pubsub nodes:
  pubsub_createnode: 
    - allow: local
  ## In-band registration allows registration of any possible username.
  ## To disable in-band registration, replace 'allow' with 'deny'.
  register: 
    - allow
  ## Only allow to register from localhost
  trusted_network: 
    - allow: loopback
  ## Do not establish S2S connections with bad servers
  ## s2s: 
  ##   - deny:
  ##     - ip: "XXX.XXX.XXX.XXX/32"
  ##   - deny:
  ##     - ip: "XXX.XXX.XXX.XXX/32"
  ##   - allow

## ===============
## API PERMISSIONS
## ===============
##
## This section allows you to define who and using what method
## can execute commands offered by ejabberd.
##
## By default "console commands" section allow executing all commands
## issued using ejabberdctl command, and "admin access" section allows
## users in admin acl to  execute all commands except start and stop
## with any available access method (ejabberdctl, http-api, xmlrpc
## depending what is enabled on server).
##
## Remember to not remove "console commands" section when doing modifications
## or ejabberdctl will not be able to execute commands!
##
##
##  api_permissions:
##  "console commands":
##    from:
##      - ejabberd_ctl
##    who: all
##    what: "*"
##  "admin access":
##    who:
##      - admin
##      - oauth:
##        - scope: "ejabberd:admin"
##        - admin
##    what:
##      - "*"
##     - "!stop"
##      - "!start"

## By default the frequency of account registrations from the same IP
## is limited to 1 account every 10 minutes. To disable, specify: infinity
## registration_timeout: 600

##
## Define specific Access Rules in a virtual host.
##
## host_config:
##   "localhost":
##     access:
##       c2s:
##         - allow: admin
##         - deny
##       register:
##         - allow

###.  ================
###'  DEFAULT LANGUAGE

##
## language: Default language used for server messages.
##
language: "en"

##
## Set a different default language in a virtual host.
##
## host_config:
##   "localhost":
##     language: "ru"

###.  =======
###'  CAPTCHA

##
## Full path to a script that generates the image.
##
## captcha_cmd: "/lib/ejabberd/priv/bin/captcha.sh"

##
## Host for the URL and port where ejabberd listens for CAPTCHA requests.
##
## captcha_host: "example.org:5280"

##
## Limit CAPTCHA calls per minute for JID/IP to avoid DoS.
##
## captcha_limit: 5

###.  =======
###'  MODULES

##
## Modules enabled in all ejabberd virtual hosts.
##
modules: 
  mod_adhoc: {}
  mod_admin_extra: {}
  mod_announce: # recommends mod_adhoc
    access: announce
  mod_blocking: {} # requires mod_privacy
  mod_caps: {}
  mod_carboncopy: {}
  mod_client_state: {}
  mod_configure: {} # requires mod_adhoc
  ##mod_delegation: {} # for xep0356
  mod_disco: {}
  ## mod_echo: {}
  mod_irc: {}
  mod_http_bind: {}
  ## mod_http_fileserver:
  ##   docroot: "/var/www"
  ##   accesslog: "/var/log/ejabberd/access.log"
  mod_last: {}
  mod_muc: 
    ## host: "conference.@"
    access:
      - allow
    access_admin:
      - allow: admin
    access_create: muc_create
    access_persistent: muc_create
  ## mod_muc_log: {}
  ## mod_multicast: {}
  mod_offline: 
    access_max_user_messages: max_user_offline_messages
  mod_ping: {}
  ## mod_pres_counter:
  ##   count: 5
  ##   interval: 60
  mod_privacy: {}
  mod_private: {}
  ## mod_proxy65: {}
  mod_pubsub: 
    access_createnode: pubsub_createnode
    ## reduces resource comsumption, but XEP incompliant
    ignore_pep_from_offline: true
    ## XEP compliant, but increases resource comsumption
    ## ignore_pep_from_offline: false
    last_item_cache: false
    plugins: 
      - "flat"
      - "hometree"
      - "pep" # pep requires mod_caps
  ## mod_register:
    ##
    ## Protect In-Band account registrations with CAPTCHA.
    ##
    ##   captcha_protected: true
    ##
    ## Set the minimum informational entropy for passwords.
    ##
    ##   password_strength: 32
    ##
    ## After successful registration, the user receives
    ## a message with this subject and body.
    ##
    ##   welcome_message:
    ##     subject: "Welcome!"
    ##     body: |-
    ##       Hi.
    ##       Welcome to this XMPP server.
    ##
    ## When a user registers, send a notification to
    ## these XMPP accounts.
    ##
    ##   registration_watchers:
    ##     - "admin1.org"
    ##
    ## Only clients in the server machine can register accounts
    ##
    ##   ip_access: trusted_network
    ##
    ## Local c2s or remote s2s users cannot register accounts
    ##
    ##   access_from: deny
    ##   access: register
  mod_roster: {}
  mod_shared_roster: {}
  mod_stats: {}
  mod_time: {}
  mod_vcard:
    search: false
  mod_version: {}

##
## Enable modules with custom options in a specific virtual host
##
## host_config:
##   "localhost":
##     modules:
##       mod_echo:
##         host: "mirror.localhost"

##
## Enable modules management via ejabberdctl for installation and
## uninstallation of public/private contributed modules
## (enabled by default)
##

allow_contrib_modules: true

###.
###'
### Local Variables:
### mode: yaml
### End:
### vim: set filetype=yaml tabstop=8 foldmarker=###',###. foldmethod=marker:
#
#
acl:
  admin:
      user:
            - "admin": "localhost"

What operating system (version) are you using?

How did you install ejabberd (source, package, distribution)?

What did not work as expected? Are there error messages in the log? What was the unexpected behavior? What was the expected result?

This question comes from the open source project: processone/ejabberd

52 replies

  • weixin_39900286, 4 months ago

    Can you help me. REST API is not working

  • weixin_39778393, 4 months ago

    Could you please run "ejabberdctl reload_config" and see if this helps? If not, could you check error.log to see if it has "invalid option 'api_permission'"?

  • weixin_39900286, 4 months ago

    I got the error below while I tried to execute the register command via XML-RPC with a token

    
    A problem '{error,access_rules_unauthorized}' occurred executing the command register with arguments
    [{user,<>},{host,<>},{password,<>}]
    
    

    XML-RPC with a password is working fine. But the token is not working. Please advise me

  • weixin_39778393, 4 months ago

    Please check ejabberd.log for the corresponding line with ejabberd_access_permissions:handle_call

  • weixin_39778393, 4 months ago

    Also please give me api_permissions from your current config file

  • weixin_39900286, 4 months ago

    I tried many changes in the API. Yesterday you mentioned adding an extra permission.

    
    api_permissions:
      "console commands":
        from:
         - ejabberd_ctl
        who: all
        what: "*"
      "admin access":
        who:
         - admin
         - oauth:
            - scope: "ejabberd:admin"
            - admin
        what:
         - "*"
         - "!stop"
         - "!start"      
      "oauth sasl_auth":
        - who:
          - oauth:
            - scope: "sasl_auth"
            - user: "admin"
        - what:
          - "status"
          - "[tag:account]"
    
    

    This also tried

    
    "oauth get_roster":
        - who:
          - oauth:
            - scope: "get_roster"
            - admin
        - what:
          - "get_roster"
    
    
    -
        port: 5280
        module: ejabberd_http
        request_handlers:
          "/websocket": ejabberd_http_ws
          "/log": mod_log_http
         # OAuth support:
          "/oauth": ejabberd_oauth
          # ReST API:
          "/api": mod_http_api
        ##  "/pub/archive": mod_http_fileserver
        web_admin: true
        http_bind: true
        ## register: true
        captcha: true
        commands_admin_access: configure
        commands:
         - add_commands: [status, register]      
        oauth_expire: 3600
        oauth_access: all
    


  • weixin_39900286, 4 months ago

    this is the log file

    
    2017-02-28 06:24:14.510 [debug] <0.487.0>:process:363 [] matches []
    2017-02-28 06:24:14.510 [debug] <0.487.0>:process:246 got XML-RPC request: {call,register,[{struct,[{user,<>},{host,<>},{server,<>},{token,<>}]},{struct,[{user,<>},{host,<>},{password,<>}]}]}
    2017-02-28 06:24:14.510 [debug] <0.487.0>:extract_auth:263 AUTHLIST [{user,<>},{host,<>},{server,<>},{token,<>}]
    2017-02-28 06:24:14.512 [debug] <0.295.0>:handle_call:149 Command 'register' execution denied (CallerInfo=#{caller_module => ejabberd_xmlrpc,caller_server => <>,extra_permissions => [],ip => {112,133,236,202},oauth_scope => [<>,<>],usr => {<>,<>,<<>>}})
    2017-02-28 06:24:14.512 [warning] <0.487.0>:build_fault_response:421 Error -118
    A problem '{error,access_rules_unauthorized}' occurred executing the command register with arguments
    [{user,<>},{host,<>},{password,<>}]
    
    
  • weixin_39900286, 4 months ago

    do you need full yml file ?

  • weixin_39900286, 4 months ago

    Can you please help me to figure out this issue. I need to make REST API calls via a web service. I tried lots of the configs mentioned, but it doesn't work in my case.

    If it is really an indentation issue, could you please help me to resolve that issue. I will post the yml if you need to look at all the config values

  • weixin_39778393, 4 months ago

    Please try with this api_permissions:

    
    api_permissions:
      "console commands":
        from:
         - ejabberd_ctl
        who: all
        what: "*"
      "admin access":
        who:
         - admin
         - oauth:
            - scope: "ejabberd:admin"
            - admin
        what:
         - "*"
         - "!stop"
         - "!start"      
      "oauth sasl_auth":
        - who:
          - oauth:
            - scope: "sasl_auth"
            - admin
        - what:
          - "*"
    

    This will allow access to anyone from acl admin using oauth with token sasl_auth

  • weixin_39900286, 4 months ago

    Will it work with token ?

  • weixin_39778393, 4 months ago

    Can you run that command in "ejabberdctl debug" again? Your previous output did show that it was not parsed correctly (probably from that indentation problem) and the default value was used. Let's see if after that fix it's recognized ok.

  • weixin_39900286, 4 months ago

    response

    
    (ejabberd)1> ejabberd_access_permissions:show_current_definitions().
    [{<>,
      {[ejabberd_ctl],
       [{acl,all}],
       [user_sessions_info,user_resources,update_list,update,
        unregister,stop_kindly,stop_all_connections,stop,
        status_num_host,status_num,status_list_host,status_list,
        status,stats_host,stats,srg_user_del,srg_user_add,srg_list,
        srg_get_members,srg_get_info,srg_delete,srg_create,
        set_vcard2_multi|...]}},
     {<>,
      {[],
       [{acl,{acl,admin}},
        {oauth,[<>],[{acl,{acl,admin}}]}],
       [user_sessions_info,user_resources,update_list,update,
        unregister,stop_kindly,stop_all_connections,status_num_host,
        status_num,status_list_host,status_list,status,stats_host,
        stats,srg_user_del,srg_user_add,srg_list,srg_get_members,
        srg_get_info,srg_delete,srg_create,set_vcard2_multi|...]}},
     {<>,
      {[],[{access,none}],[]}}]
    
  • weixin_39778393, 4 months ago

    So it still uses the default settings, not what you entered. Please make sure that there is no indentation before api_permissions:

  • weixin_39900286, 4 months ago

    Can you please help me to fix the indentation problem. I attached my yml file. Could you please correct it there

    yml.txt

  • weixin_39778393, 4 months ago

    Ok, looks like you hit a bug in the parser code, but you should be able to work around it by replacing the line "- user: "admin"" with "- admin"

  • weixin_39900286, 4 months ago

    now I got response "400 Bad Request"

  • weixin_39900286, 4 months ago

    These are the latest changes in the api permissions

    
    "oauth get_roster":
        - who:
          - oauth:
            - scope: "get_roster"
            - admin
        - what:
          - "get_roster"
    
  • weixin_39778393, 4 months ago

    Can you check in ejabberd.log what is generated after you execute command?

  • weixin_39900286, 4 months ago

    2017-02-27 14:22:02.564 [info] <0.476.0>:log:533 API call unregister [{<<"host">>,<<"localhost">>},{<<"user">>,<<"sibi">>}] from 112.133.236.185:62395
    2017-02-27 14:22:02.565 [debug] <0.476.0>:process:192 Bad Request: {noproc,{gen_server,call,[ejabberd_access_permissions,{can_access,unregister,#{caller_module => mod_http_api,caller_server => <<"localhost">>,ip => {112,133,236,185},oauth_scope => [<<"get_roster">>,<<"sasl_auth">>],usr => {<<"admin">>,<<"localhost">>,<<>>}}}]}} [{gen_server,call,2,[{file,"gen_server.erl"},{line,182}]},{ejabberd_commands,execute_command2,4,[{file,"src/ejabberd_commands.erl"},{line,471}]},{mod_http_api,handle2,4,[{file,"src/mod_http_api.erl"},{line,327}]},{mod_http_api,handle,4,[{file,"src/mod_http_api.erl"},{line,285}]},{mod_http_api,perform_call,4,[{file,"src/mod_http_api.erl"},{line,230}]},{mod_http_api,process,2,[{file,"src/mod_http_api.erl"},{line,183}]},{ejabberd_http,process,5,[{file,"src/ejabberd_http.erl"},{line,373}]},{ejabberd_http,process_request,1,[{file,"src/ejabberd_http.erl"},{line,464}]}]

  • weixin_39778393, 4 months ago

    Hm, looks like one of the commands that I told you to run in "ejabberdctl debug" closed one of the processes. You could try executing "ejabberd_access_permissions:start_link()." inside the shell, or try restarting the server.

  • weixin_39900286, 4 months ago

    Now I got the previous error: {"status":"error","code":32,"message":"AccessRules: Account does not have the right to perform the operation."}

  • weixin_39778393, 4 months ago

    And what does ejabberd.log show?

  • weixin_39900286, 4 months ago
    
    2017-02-27 14:33:30.583 [debug] <0.455.0>:process_header:291 (#Port<0.18555>) http query: 'POST' <>
    2017-02-27 14:33:30.583 [debug] <0.455.0>:extract_path_query:407 client data: <>
    2017-02-27 14:33:30.583 [debug] <0.455.0>:process:363 [<>,<>] matches [<>]
    2017-02-27 14:33:30.584 [info] <0.455.0>:log:533 API call unregister [{<>,<>},{<>,<>}] from 112.133.236.185:8389
    2017-02-27 14:33:30.584 [debug] <0.287.0>:handle_call:149 Command 'unregister' execution denied (CallerInfo=#{caller_module => mod_http_api,caller_server => <>,ip => {112,133,236,185},oauth_scope => [<>,<>],usr => {<>,<>,<<>>
    
    
  • weixin_39778393, 4 months ago

    This shows that now you are executing the command "unregister", but the rule that was added allows only "get_roster". If you want to allow access to more commands, you must list them in the "what:" section:

    
      "oauth get_roster":
        who:
          - oauth:
            - scope: "get_roster"
            - user: "admin"
        what:
          - "get_roster"
          - "unregister"
    

    etc.

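The who/what model the reply above describes, worked through as an added example (constructed here, not ejabberd's code): a simplified evaluator that applies api_permissions entries the way the thread describes, loaded with the default entries that show_current_definitions() printed earlier and with the reporter's "oauth get_roster" entry. The ACL table, the caller records, and the rule that a plain ACL entry under "who:" applies only to callers without a token are assumptions of this model.

```python
"""Simplified model of how ejabberd decides whether an API caller may run a
command (constructed illustration, not ejabberd's own code).

Each api_permissions entry has three parts: 'from' (caller modules, empty means
any), 'who' (ACL names, or an oauth entry that needs both a token scope and an
ACL match) and 'what' (command names, '*' for all, '!cmd' to exclude).  A caller
is allowed when at least one entry matches on all three parts.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

# Constructed ACL table: acl name -> set of "user@server" members.
ACLS: Dict[str, set] = {"admin": {"admin@localhost"}}

WhoEntry = Union[str, Dict[str, Dict[str, List[str]]]]


@dataclass
class CallerInfo:
    """What ejabberd knows about the caller (mirrors the CallerInfo map in the log)."""
    caller_module: str                       # mod_http_api, ejabberd_xmlrpc, ejabberd_ctl
    usr: Optional[Tuple[str, str]] = None    # (user, server) the caller authenticated as
    oauth_scope: Optional[List[str]] = None  # scopes on the token; None = password or ctl


def acl_matches(acl_name: str, usr: Optional[Tuple[str, str]]) -> bool:
    if acl_name == "all":
        return True
    if usr is None:
        return False
    return f"{usr[0]}@{usr[1]}" in ACLS.get(acl_name, set())


def who_matches(entry: WhoEntry, caller: CallerInfo) -> bool:
    if isinstance(entry, dict) and "oauth" in entry:
        # Token callers: the token must carry one of the listed scopes AND the
        # authenticated user must be in one of the listed ACLs.
        if caller.oauth_scope is None:
            return False
        spec = entry["oauth"]
        if not set(spec["scope"]) & set(caller.oauth_scope):
            return False
        return any(acl_matches(a, caller.usr) for a in spec["acl"])
    # Plain ACL entries apply only to non-token callers (assumption of this model).
    if caller.oauth_scope is not None:
        return False
    return acl_matches(entry, caller.usr)


def what_matches(what: List[str], command: str) -> bool:
    allowed = False
    for item in what:
        if item.startswith("!"):
            if item[1:] == command:
                return False        # an exclusion wins over '*'
        elif item in ("*", command):
            allowed = True
    return allowed


def can_access(permissions: Dict[str, dict], command: str, caller: CallerInfo) -> Optional[str]:
    """Return the name of the first entry that grants the command, or None if denied."""
    for name, rule in permissions.items():
        if rule.get("from") and caller.caller_module not in rule["from"]:
            continue
        if not any(who_matches(w, caller) for w in rule["who"]):
            continue
        if what_matches(rule["what"], command):
            return name
    return None


# The defaults ejabberd falls back to when api_permissions is missing or misparsed
# (shape taken from the show_current_definitions() output in the thread; 'who: all' as a list).
DEFAULT_PERMISSIONS = {
    "console commands": {"from": ["ejabberd_ctl"], "who": ["all"], "what": ["*"]},
    "admin access": {
        "from": [],
        "who": ["admin", {"oauth": {"scope": ["ejabberd:admin"], "acl": ["admin"]}}],
        "what": ["*", "!stop", "!start"],
    },
}

# The entry the reporter added: token scope get_roster, user in acl admin,
# but only get_roster under 'what'.
REPORTER_PERMISSIONS = dict(DEFAULT_PERMISSIONS)
REPORTER_PERMISSIONS["oauth get_roster"] = {
    "from": [],
    "who": [{"oauth": {"scope": ["get_roster"], "acl": ["admin"]}}],
    "what": ["get_roster"],
}

# Constructed callers: a REST call with a token, XML-RPC with a password, ejabberdctl.
TOKEN_CALLER = CallerInfo("mod_http_api", ("admin", "localhost"), ["get_roster", "sasl_auth"])
PASSWORD_CALLER = CallerInfo("ejabberd_xmlrpc", ("admin", "localhost"))
CTL_CALLER = CallerInfo("ejabberd_ctl")


if __name__ == "__main__":
    for perms, label in ((DEFAULT_PERMISSIONS, "defaults"), (REPORTER_PERMISSIONS, "with oauth get_roster")):
        for cmd in ("get_roster", "unregister"):
            print(f"{label:22} {cmd:11} token caller -> {can_access(perms, cmd, TOKEN_CALLER)}")
    print(f"password xmlrpc register -> {can_access(DEFAULT_PERMISSIONS, 'register', PASSWORD_CALLER)}")
    print(f"ejabberdctl stop         -> {can_access(DEFAULT_PERMISSIONS, 'stop', CTL_CALLER)}")
```

Run directly, it prints which entry (if any) grants each call. With the defaults a token scoped get_roster is refused everything, which is the code 32 error in this thread, while the same user over XML-RPC with a password is granted by "admin access". After the extra entry is in place, get_roster is granted by "oauth get_roster" but unregister is still refused, because its "what:" lists only get_roster.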
  • weixin_39900286, 4 months ago

    But get_roster is also not working. That's why I tried unregister

  • weixin_39900286, 4 months ago

    Is there any ejabberd library in PHP for the REST API?

    It would be very helpful if you could add more examples based on the REST API and its permissions to the ejabberd docs

  • weixin_39778393, 4 months ago

    No, you need to have

    
      -
        port: 5280
    

    like you have in the handlers for the other ports above; you instead have "# -"

  • weixin_39782500, 4 months ago

    This message was created automatically by mail delivery software.

    A message that you sent could not be delivered to one or more of its recipients. This is a temporary error. The following address(es) deferred:

    mrniceguyzero.com Domain thezeroworld.com has exceeded the max emails per hour (7/7 (100%)) allowed. Message will be reattempted later


  • weixin_39900286, 4 months ago

    Now I can access /admin, but when I run the script I got the same error:

    {"status":"error","code":32,"message":"AccessRules: Account does not have the right to perform the operation."}

  • weixin_39778393, 4 months ago

    First, you probably don't want to have that "console commands" section commented out; this will block access to commands executed with ejabberdctl. Second, do you have the correct indentation in the "oauth get_roster" section? It should look similar to what you have in the "admin access" section.

    To help you more I would need the log entries that ejabberd generates when commands are executed (you may need to bump loglevel to 5 to see them); look for "Command 'get_roster' execution denied..." in ejabberd.log.

  • weixin_39900286, 4 months ago

    Hello, I got the error log below from the log file:

    
    2017-02-27 11:28:32.668 [debug] <0.476.0>:process_header:291 (#Port<0.18437>) http query: 'POST' <>
    2017-02-27 11:28:32.668 [debug] <0.476.0>:extract_path_query:407 client data: <>
    2017-02-27 11:28:32.668 [debug] <0.476.0>:process:363 [<>,<>] matches [<>]
    2017-02-27 11:28:32.669 [info] <0.476.0>:log:533 API call get_roster [{<>,<>},{<>,<>}] from 112.133.229.124:2597
    2017-02-27 11:28:32.669 [debug] <0.290.0>:handle_call:149 Command 'get_roster' execution denied (CallerInfo=#{caller_module => mod_http_api,caller_server => <>,ip => {112,133,229,124},oauth_scope => [<>,<>],usr => {<>,<>,<<>>}})
    

    I have provided the correct indentation:

    
      api_permissions:
        "console commands":
          from:
            - ejabberd_ctl
          who: all
          what: "*"
      "admin access":
        who:
          - admin
          - oauth:
            - scope: "ejabberd:admin"
            - admin
        what:
          - "*"
          - "!stop"
          - "!start"
      "oauth get_roster":
        - who:
          - oauth:
            - scope: "get_roster+sasl_auth"
            - user: "admin"
        - what:
          - get_roster
    
  • weixin_39778393, 4 months ago

    Ok, could you please try changing the scope to just "get_roster" (from "get_roster+sasl_auth") and see if it works?

  • weixin_39900286, 4 months ago

    Still got the same error:

    
    2017-02-27 11:54:32.461 [debug] <0.461.0>:extract_path_query:407 client data: <>
    2017-02-27 11:54:32.461 [debug] <0.461.0>:process:363 [<>,<>] matches [<>]
    2017-02-27 11:54:32.461 [info] <0.461.0>:log:533 API call get_roster [{<>,<>},{<>,<>}] from 162.214.3.52:53796
    2017-02-27 11:54:32.462 [debug] <0.287.0>:handle_call:149 Command 'get_roster' execution denied (CallerInfo=#{caller_module => mod_http_api,caller_server => <>,ip => {162,214,3,52},oauth_scope => [<>,<>],usr => {<>,<>,<<>>}})
    
    
  • weixin_39900286, 4 months ago

    Also, I can't access the /admin portal after enabling api_permissions.

  • weixin_39778393, 4 months ago

    Ah, one more thing I missed; please replace this:

    
      - what:
        - get_roster
    

    with this:

    
      - what:
        - "get_roster"
    

    Also, I don't think enabling api_permissions should change whether you can access /admin, but I will check that.

  • weixin_39900286, 4 months ago

    Still getting the same error. mod_admin_extra: {} is already enabled. Now I can't access the admin portal either :(

    When I created the token, I provided the scope "get_roster+sasl_auth". But now when I tried to generate a token with only get_roster, I got an invalid_scope error.

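Added example, not code from the thread or from ejabberd: a Python client that does the two steps the PHP snippet at the top of the thread does, obtaining a token and calling /api/<command>, and classifies the reply so that the code 32 "AccessRules" refusal is told apart from a real result. It assumes the password grant on /oauth/token and the JSON calling convention of mod_http_api as documented for ejabberd; BASE, the JID, the password and the scope list are placeholders. One detail worth seeing in code: the "+" in "get_roster+sasl_auth" is only the form encoding of a space, so that token carries two scopes, get_roster and sasl_auth, which is consistent with the two entries in oauth_scope in the debug log above.

```python
"""Token + REST call against ejabberd's HTTP API, with the denial made explicit.

Added example, not from the thread. Assumes the password grant on
/oauth/token and mod_http_api's JSON calling convention as documented
for ejabberd. BASE, the JID, the password and the scope list are
placeholders to adapt.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Any, Dict, List, Tuple

BASE = "http://127.0.0.1:5280"   # placeholder: the ejabberd_http listener
DENIED_CODE = 32                 # code in the "AccessRules: ..." error body


def scope_string(scopes: List[str]) -> str:
    """OAuth scopes are space separated; in a form body the space becomes
    '+', which is why the token request in the thread reads
    get_roster+sasl_auth: one string, TWO scopes."""
    return " ".join(scopes)


def token_request(user_jid: str, password: str, scopes: List[str]) -> Tuple[str, bytes]:
    """Form-encoded password-grant request as (url, body)."""
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "username": user_jid,            # full JID, e.g. admin@localhost
        "password": password,
        "scope": scope_string(scopes),
    }).encode()
    return f"{BASE}/oauth/token", body


def fetch_token(user_jid: str, password: str, scopes: List[str]) -> str:
    url, body = token_request(user_jid, password, scopes)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def api_request(token: str, command: str, args: Dict[str, Any]) -> urllib.request.Request:
    """POST /api/<command> with a JSON object of named arguments."""
    return urllib.request.Request(
        f"{BASE}/api/{command}",
        data=json.dumps(args).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )


def classify(body: bytes) -> Tuple[str, Any]:
    """('ok', result) for a command result; ('denied', msg) for the
    api_permissions refusal seen in the thread; ('error', msg) otherwise."""
    data = json.loads(body)
    if isinstance(data, dict) and data.get("status") == "error":
        kind = "denied" if data.get("code") == DENIED_CODE else "error"
        return kind, data.get("message", "")
    return "ok", data


def call(token: str, command: str, args: Dict[str, Any]) -> Tuple[str, Any]:
    req = api_request(token, command, args)
    try:
        with urllib.request.urlopen(req) as resp:
            return classify(resp.read())
    except urllib.error.HTTPError as err:     # 4xx replies still carry the JSON body
        return classify(err.read())


if __name__ == "__main__":
    # The scope list must match a `scope:` entry in an api_permissions rule.
    tok = fetch_token("admin@localhost", "CHANGE-ME", ["get_roster", "sasl_auth"])
    kind, payload = call(tok, "get_roster", {"user": "testuser", "host": "localhost"})
    if kind == "denied":
        print("api_permissions refused the call:", payload)
    else:
        print(kind, payload)
```

The scopes you pass to fetch_token have to line up with the `scope:` entry of the api_permissions rule that is meant to authorise the call; a token that carries only sasl_auth, or only ejabberd:admin when the rule names get_roster, produces exactly the code 32 body that classify() reports as "denied".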
  • weixin_39778393, 4 months ago

    It would help if you could execute "ejabberdctl debug" and, after you get to the prompt, execute this: "ejabberd_access_permissions:show_current_definitions()" and copy-paste what it generates.

    To exit, just press Ctrl+C Ctrl+C.

  • weixin_39778393, 4 months ago

    I can access /admin without problems when I have api_permissions: in my config; this definitely doesn't affect it. Maybe some other change in the config file did that? This function is offered by ejabberd_web_admin, not mod_admin_extra.

  • weixin_39900286, 4 months ago

    When I run the command "ejabberdctl debug", I got only the response below:

    
    To bypass permanently this warning, add to ejabberdctl.cfg the line:
      EJABBERD_BYPASS_WARNINGS=true
    Press return to continue
    
    
    Erlang/OTP 17 [erts-6.1] [source] [64-bit] [smp:8:8] [async-threads:10] [kernel-poll:true]
    
    Eshell V6.1  (abort with ^G)
    (ejabberd)1> ejabberd_access_permissions:show_current_definitions() 
    (ejabberd)1>
    
  • weixin_39778393, 4 months ago

    Ah, sorry, please add "." at the end (if you still have that shell open, just type "." and Enter; if not, "ejabberd_access_permissions:show_current_definitions().").

  • weixin_39900286, 4 months ago

    Can you please check my yml file? I need to create a user, unregister a user, and add a user to a group from the web server for an app.

    
    ###
    ###'              ejabberd configuration file
    ###
    ###
    
    ### The parameters used in this configuration file are explained in more detail
    ### in the ejabberd Installation and Operation Guide.
    ### Please consult the Guide in case of doubts, it is included with
    ### your copy of ejabberd, and is also available online at
    ### http://www.process-one.net/en/ejabberd/docs/
    
    ### The configuration file is written in YAML.
    ### Refer to http://en.wikipedia.org/wiki/YAML for the brief description.
    ### However, ejabberd treats different literals as different types:
    ###
    ### - unquoted or single-quoted strings. They are called "atoms".
    ###   Example: dog, 'Jupiter', '3.14159', YELLOW
    ###
    ### - numeric literals. Example: 3, -45.0, .0
    ###
    ### - quoted or folded strings.
    ###   Examples of quoted string: "Lizzard", "orange".
    ###   Example of folded string:
    ###   > Art thou not Romeo,
    ###     and a Montague?
    
    ###.  =======
    ###'  LOGGING
    
    ##
    ## loglevel: Verbosity of log files generated by ejabberd.
    ## 0: No ejabberd log at all (not recommended)
    ## 1: Critical
    ## 2: Error
    ## 3: Warning
    ## 4: Info
    ## 5: Debug
    ##
    loglevel: 5
    
    ##
    ## rotation: Describe how to rotate logs. Either size and/or date can trigger
    ## log rotation. Setting count to N keeps N rotated logs. Setting count to 0
    ## does not disable rotation, it instead rotates the file and keeps no previous
    ## versions around. Setting size to X rotate log when it reaches X bytes.
    ## To disable rotation set the size to 0 and the date to ""
    ## Date syntax is taken from the syntax newsyslog uses in newsyslog.conf.
    ## Some examples:
    ##  $D0     rotate every night at midnight
    ##  $D23    rotate every day at 23:00 hr
    ##  $W0D23  rotate every week on Sunday at 23:00 hr
    ##  $W5D16  rotate every week on Friday at 16:00 hr
    ##  $M1D0   rotate on the first day of every month at midnight
    ##  $M5D6   rotate on every 5th day of the month at 6:00 hr
    ##
    log_rotate_size: 10485760
    log_rotate_date: ""
    log_rotate_count: 1
    
    ##
    ## overload protection: If you want to limit the number of messages per second
    ## allowed from error_logger, which is a good idea if you want to avoid a flood
    ## of messages when system is overloaded, you can set a limit.
    ## 100 is ejabberd's default.
    log_rate_limit: 100
    
    ##
    ## watchdog_admins: Only useful for developers: if an ejabberd process
    ## consumes a lot of memory, send live notifications to these XMPP
    ## accounts.
    ##
    ## watchdog_admins:
    ##   - "bob.com"
    
    ###.  ===============
    ###'  NODE PARAMETERS
    
    ##
    ## net_ticktime: Specifies net_kernel tick time in seconds. This options must have
    ## identical value on all nodes, and in most cases shouldn't be changed at all from
    ## default value.
    ##
    ## net_ticktime: 60
    
    ###.  ================
    ###'  SERVED HOSTNAMES
    
    ##
    ## hosts: Domains served by ejabberd.
    ## You can define one or several, for example:
    ## hosts:
    ##   - "example.net"
    ##   - "example.com"
    ##   - "example.org"
    ##
    hosts:
      - "localhost"
    
    ##
    ## route_subdomains: Delegate subdomains to other XMPP servers.
    ## For example, if this ejabberd serves example.org and you want
    ## to allow communication with an XMPP server called im.example.org.
    ##
    ## route_subdomains: s2s
    
    ###.  ===============
    ###'  LISTENING PORTS
    
    ##
    ## listen: The ports ejabberd will listen on, which service each is handled
    ## by and what options to start it with.
    ##
    listen:
      -
        port: 5222
        module: ejabberd_c2s
        ##
        ## If TLS is compiled in and you installed a SSL
        ## certificate, specify the full path to the
        ## file and uncomment these lines:
        ##
        ## certfile: "/path/to/ssl.pem"
        ## starttls: true
        ##
        ## To enforce TLS encryption for client connections,
        ## use this instead of the "starttls" option:
        ##
        ## starttls_required: true
        ##
        ## Custom OpenSSL options
        ##
        ## protocol_options:
        ##   - "no_sslv3"
        ##   - "no_tlsv1"
        max_stanza_size: 65536
        shaper: c2s_shaper
        access: c2s
      -
        port: 5269
        module: ejabberd_s2s_in
      ##
      ## ejabberd_service: Interact with external components (transports, ...)
      ##
      ## -
      ##   port: 8888
      ##   module: ejabberd_service
      ##   access: all
      ##   shaper_rule: fast
      ##   ip: "127.0.0.1"
      ##   privilege_access:
      ##      roster: "both"
      ##      message: "outgoing"
      ##      presence: "roster"
      ##   delegations:
      ##      "urn:xmpp:mam:1":
      ##        filtering: ["node"]
      ##      "http://jabber.org/protocol/pubsub":
      ##        filtering: []
      ##   hosts:
      ##     "icq.example.org":
      ##       password: "secret"
      ##     "sms.example.org":
      ##       password: "secret"
    
      ##
      ## ejabberd_stun: Handles STUN Binding requests
      ##
      ## -
      ##   port: 3478
      ##   transport: udp
      ##   module: ejabberd_stun
    
      #!yaml
    
      ## To handle XML-RPC requests that provide admin credentials:
      ##
      # -
      #   port: 4560
      #   module: ejabberd_xmlrpc
      #  access_commands: {}
      #-
        port: 5280
        module: ejabberd_http
        request_handlers:
          "/websocket": ejabberd_http_ws
          "/log": mod_log_http
         # OAuth support:
          "/oauth": ejabberd_oauth
          # ReST API:
          "/api": mod_http_api
        ##  "/pub/archive": mod_http_fileserver
        web_admin: true
        http_bind: true
        ## register: true
        captcha: true
        commands_admin_access: configure
        commands:
          - add_commands:
            - user
        oauth_expire: 3600
        oauth_access: all
    
    ###.  ==================
    ###'  S2S GLOBAL OPTIONS
    
    ##
    ## s2s_use_starttls: Enable STARTTLS + Dialback for S2S connections.
    ## Allowed values are: false optional required required_trusted
    ## You must specify a certificate file.
    ##
    ## s2s_use_starttls: optional
    
    ##
    ## s2s_certfile: Specify a certificate file.
    ##
    ## s2s_certfile: "/path/to/ssl.pem"
    
    ## Custom OpenSSL options
    ##
    ## s2s_protocol_options:
    ##   - "no_sslv3"
    ##   - "no_tlsv1"
    
    ##
    ## domain_certfile: Specify a different certificate for each served hostname.
    ##
    ## host_config:
    ##   "example.org":
    ##     domain_certfile: "/path/to/example_org.pem"
    ##   "example.com":
    ##     domain_certfile: "/path/to/example_com.pem"
    
    ##
    ## S2S whitelist or blacklist
    ##
    ## Default s2s policy for undefined hosts.
    ##
    ## s2s_access: s2s
    
    ##
    ## Outgoing S2S options
    ##
    ## Preferred address families (which to try first) and connect timeout
    ## in milliseconds.
    ##
    ## outgoing_s2s_families:
    ##   - ipv4
    ##   - ipv6
    ## outgoing_s2s_timeout: 10000
    
    ###.  ==============
    ###'  AUTHENTICATION
    
    ##
    ## auth_method: Method used to authenticate the users.
    ## The default method is the internal.
    ## If you want to use a different method,
    ## comment this line and enable the correct ones.
    ##
    auth_method: internal
    
    ##
    ## Store the plain passwords or hashed for SCRAM:
    ## auth_password_format: plain
    ## auth_password_format: scram
    ##
    ## Define the FQDN if ejabberd doesn't detect it:
    ## fqdn: "server3.example.com"
    
    ##
    ## Authentication using external script
    ## Make sure the script is executable by ejabberd.
    ##
    ## auth_method: external
    ## extauth_program: "/path/to/authentication/script"
    
    ##
    ## Authentication using SQL
    ## Remember to setup a database in the next section.
    ##
    ## auth_method: sql
    
    ##
    ## Authentication using PAM
    ##
    ## auth_method: pam
    ## pam_service: "pamservicename"
    
    ##
    ## Authentication using LDAP
    ##
    ## auth_method: ldap
    ##
    ## List of LDAP servers:
    ## ldap_servers:
    ##   - "localhost"
    ##
    ## Encryption of connection to LDAP servers:
    ## ldap_encrypt: none
    ## ldap_encrypt: tls
    ##
    ## Port to connect to on LDAP servers:
    ## ldap_port: 389
    ## ldap_port: 636
    ##
    ## LDAP manager:
    ## ldap_rootdn: "dc=example,dc=com"
    ##
    ## Password of LDAP manager:
    ## ldap_password: "******"
    ##
    ## Search base of LDAP directory:
    ## ldap_base: "dc=example,dc=com"
    ##
    ## LDAP attribute that holds user ID:
    ## ldap_uids:
    ##   - "mail": "%u.example.org"
    ##
    ## LDAP filter:
    ## ldap_filter: "(objectClass=shadowAccount)"
    
    ##
    ## Anonymous login support:
    ##   auth_method: anonymous
    ##   anonymous_protocol: sasl_anon | login_anon | both
    ##   allow_multiple_connections: true | false
    ##
    ## host_config:
    ##   "public.example.org":
    ##     auth_method: anonymous
    ##     allow_multiple_connections: false
    ##     anonymous_protocol: sasl_anon
    ##
    ## To use both anonymous and internal authentication:
    ##
    ## host_config:
    ##   "public.example.org":
    ##     auth_method:
    ##       - internal
    ##       - anonymous
    
    ###.  ==============
    ###'  DATABASE SETUP
    
    ## ejabberd by default uses the internal Mnesia database,
    ## so you do not necessarily need this section.
    ## This section provides configuration examples in case
    ## you want to use other database backends.
    ## Please consult the ejabberd Guide for details on database creation.
    
    ##
    ## MySQL server:
    ##
    ## sql_type: mysql
    ## sql_server: "server"
    ## sql_database: "database"
    ## sql_username: "username"
    ## sql_password: "password"
    ##
    ## If you want to specify the port:
    ## sql_port: 1234
    
    ##
    ## PostgreSQL server:
    ##
    ## sql_type: pgsql
    ## sql_server: "server"
    ## sql_database: "database"
    ## sql_username: "username"
    ## sql_password: "password"
    ##
    ## If you want to specify the port:
    ## sql_port: 1234
    ##
    ## If you use PostgreSQL, have a large database, and need a
    ## faster but inexact replacement for "select count(*) from users"
    ##
    ## pgsql_users_number_estimate: true
    
    ##
    ## SQLite:
    ##
    ## sql_type: sqlite
    ## sql_database: "/path/to/database.db"
    
    ##
    ## ODBC compatible or MSSQL server:
    ##
    ## sql_type: odbc
    ## sql_server: "DSN=ejabberd;UID=ejabberd;PWD=ejabberd"
    
    ##
    ## Number of connections to open to the database for each virtual host
    ##
    ## sql_pool_size: 10
    
    ##
    ## Interval to make a dummy SQL request to keep the connections to the
    ## database alive. Specify in seconds: for example 28800 means 8 hours
    ##
    ## sql_keepalive_interval: undefined
    
    ###.  ===============
    ###'  TRAFFIC SHAPERS
    
    shaper:
      ##
      ## The "normal" shaper limits traffic speed to 1000 B/s
      ##
      normal: 1000
    
      ##
      ## The "fast" shaper limits traffic speed to 50000 B/s
      ##
      fast: 50000
    
    ##
    ## This option specifies the maximum number of elements in the queue
    ## of the FSM. Refer to the documentation for details.
    ##
    max_fsm_queue: 1000
    
    ###.   ====================
    ###'   ACCESS CONTROL LISTS
    acl:
      ##
      ## The 'admin' ACL grants administrative privileges to XMPP accounts.
      ## You can put here as many accounts as you want.
      ##
    #   admin:
    #    user:
    #   - "admin"
      ##     - "aleksey"
      ##     - "ermine.org"
      ##
      ## Blocked users
      ##
      ## blocked:
      ##   user:
      ##     - "baduser.org"
      ##     - "test"
    
      ## Local users: don't modify this.
      ##
      local:
        user_regexp: ""
    
      ##
      ## More examples of ACLs
      ##
      ## jabberorg:
      ##   server:
      ##     - "jabber.org"
      ## aleksey:
      ##   user:
      ##     - "aleksey.ru"
      ## test:
      ##   user_regexp: "^test"
      ##   user_glob: "test*"
    
      ##
      ## Loopback network
      ##
      loopback:
        ip:
          - "127.0.0.0/8"
    
      ##
      ## Bad XMPP servers
      ##
      ## bad_servers:
      ##   server:
      ##     - "xmpp.zombie.org"
      ##     - "xmpp.spam.com"
    
    ##
    ## Define specific ACLs in a virtual host.
    ##
    ## host_config:
    ##   "localhost":
    ##     acl:
    ##       admin:
    ##         user:
    ##           - "bob-local"
    
    ###.  ============
    ###'  SHAPER RULES
    
    shaper_rules:
      ## Maximum number of simultaneous sessions allowed for a single user:
      max_user_sessions: 10
      ## Maximum number of offline messages that users can have:
      max_user_offline_messages:
        - 5000: admin
        - 100
      ## For C2S connections, all users except admins use the "normal" shaper
      c2s_shaper:
        - none: admin
        - normal
      ## All S2S connections use the "fast" shaper
      s2s_shaper: fast
    
    ###.  ============
    ###'  ACCESS RULES
    access_rules:
      ## This rule allows access only for local users:
      local:
        - allow: local
      ## Only non-blocked users can use c2s connections:
      c2s:
        - deny: blocked
        - allow
      ## Only admins can send announcement messages:
      announce:
        - allow: admin
      ## Only admins can use the configuration interface:
      configure:
        - allow: admin
      ## Only accounts of the local ejabberd server can create rooms:
      muc_create:
        - allow: local
      ## Only accounts on the local ejabberd server can create Pubsub nodes:
      pubsub_createnode:
        - allow: local
      ## In-band registration allows registration of any possible username.
      ## To disable in-band registration, replace 'allow' with 'deny'.
      register:
        - allow
      ## Only allow to register from localhost
      trusted_network:
        - allow: loopback
      ## Do not establish S2S connections with bad servers
      ## s2s:
      ##   - deny:
      ##     - ip: "XXX.XXX.XXX.XXX/32"
      ##   - deny:
      ##     - ip: "XXX.XXX.XXX.XXX/32"
      ##   - allow
    
    ## ===============
    ## API PERMISSIONS
    ## ===============
    ##
    ## This section allows you to define who and using what method
    ## can execute commands offered by ejabberd.
    ##
    ## By default "console commands" section allow executing all commands
    ## issued using ejabberdctl command, and "admin access" section allows
    ## users in admin acl to  execute all commands except start and stop
    ## with any available access method (ejabberdctl, http-api, xmlrpc
    ## depending what is enabled on server).
    ##
    ## Remember to not remove "console commands" section when doing modifications
    ## or ejabberdctl will not be able to execute commands!
    ##
    ##
      api_permissions:
        "console commands":
          from:
            - ejabberd_ctl
          who: all
          what: "*"
      "admin access":
        who:
          - admin
          - oauth:
            - scope: "ejabberd:admin"
            - admin
        what:
          - "*"
          - "!stop"
          - "!start"
      "oauth get_roster":
        - who:
          - oauth:
            - scope: "get_roster"
            - user: "admin"
        - what:
          - "get_roster"
    
    ## By default the frequency of account registrations from the same IP
    ## is limited to 1 account every 10 minutes. To disable, specify: infinity
    ## registration_timeout: 600
    
    ##
    ## Define specific Access Rules in a virtual host.
    ##
    ## host_config:
    ##   "localhost":
    ##     access:
    ##       c2s:
    ##         - allow: admin
    ##         - deny
    ##       register:
    ##         - allow
    
    ###.  ================
    ###'  DEFAULT LANGUAGE
    
    ##
    ## language: Default language used for server messages.
    ##
    language: "en"
    
    ##
    ## Set a different default language in a virtual host.
    ##
    ## host_config:
    ##   "localhost":
    ##     language: "ru"
    
    ###.  =======
    ###'  CAPTCHA
    
    ##
    ## Full path to a script that generates the image.
    ##
    ## captcha_cmd: "/lib/ejabberd/priv/bin/captcha.sh"
    
    ##
    ## Host for the URL and port where ejabberd listens for CAPTCHA requests.
    ##
    ## captcha_host: "example.org:5280"
    
    ##
    ## Limit CAPTCHA calls per minute for JID/IP to avoid DoS.
    ##
    ## captcha_limit: 5
    
    ###.  =======
    ###'  MODULES
    
    ##
    ## Modules enabled in all ejabberd virtual hosts.
    ##
    modules:
      mod_adhoc: {}
      mod_admin_extra: {}
      mod_announce: # recommends mod_adhoc
        access: announce
      mod_blocking: {} # requires mod_privacy
      mod_caps: {}
      mod_carboncopy: {}
      mod_client_state: {}
      mod_configure: {} # requires mod_adhoc
      ##mod_delegation: {} # for xep0356
      mod_disco: {}
      ## mod_echo: {}
      mod_irc: {}
      mod_http_bind: {}
      ## mod_http_fileserver:
      ##   docroot: "/var/www"
      ##   accesslog: "/var/log/ejabberd/access.log"
      mod_last: {}
      mod_muc:
        ## host: "conference.@"
        access:
          - allow
        access_admin:
          - allow: admin
        access_create: muc_create
        access_persistent: muc_create
      ## mod_muc_log: {}
      ## mod_multicast: {}
      mod_offline:
        access_max_user_messages: max_user_offline_messages
      mod_ping: {}
      ## mod_pres_counter:
      ##   count: 5
      ##   interval: 60
      mod_privacy: {}
      mod_private: {}
      ## mod_proxy65: {}
      mod_pubsub:
        access_createnode: pubsub_createnode
        ## reduces resource comsumption, but XEP incompliant
        ignore_pep_from_offline: true
        ## XEP compliant, but increases resource comsumption
        ## ignore_pep_from_offline: false
        last_item_cache: false
        plugins:
          - "flat"
          - "hometree"
          - "pep" # pep requires mod_caps
      ## mod_register:
        ##
        ## Protect In-Band account registrations with CAPTCHA.
        ##
        ##   captcha_protected: true
        ##
        ## Set the minimum informational entropy for passwords.
        ##
        ##   password_strength: 32
        ##
        ## After successful registration, the user receives
        ## a message with this subject and body.
        ##
        ##   welcome_message:
        ##     subject: "Welcome!"
        ##     body: |-
        ##       Hi.
        ##       Welcome to this XMPP server.
        ##
        ## When a user registers, send a notification to
        ## these XMPP accounts.
        ##
        ##   registration_watchers:
        ##     - "admin1.org"
        ##
        ## Only clients in the server machine can register accounts
        ##
        ##   ip_access: trusted_network
        ##
        ## Local c2s or remote s2s users cannot register accounts
        ##
        ##   access_from: deny
        ##   access: register
      mod_roster: {}
      mod_shared_roster: {}
      mod_stats: {}
      mod_time: {}
      mod_vcard:
        search: false
      mod_version: {}
    
    ##
    ## Enable modules with custom options in a specific virtual host
    ##
    ## host_config:
    ##   "localhost":
    ##     modules:
    ##       mod_echo:
    ##         host: "mirror.localhost"
    
    ##
    ## Enable modules management via ejabberdctl for installation and
    ## uninstallation of public/private contributed modules
    ## (enabled by default)
    ##
    
    allow_contrib_modules: true
    
    ###.
    ###'
    ### Local Variables:
    ### mode: yaml
    ### End:
    ### vim: set filetype=yaml tabstop=8 foldmarker=###',###. foldmethod=marker:
    #
    #
    acl:
      admin:
          user:
                - "admin": "localhost"
    
  • weixin_39900286, 4 months ago

    Okay, now I got the response when I execute that command:

    
    (ejabberd)1> ejabberd_access_permissions:show_current_definitions().
    [{<>,
      {[ejabberd_ctl],
       [{acl,all}],
       [user_sessions_info,user_resources,update_list,update,
        unregister,stop_kindly,stop_all_connections,stop,
        status_num_host,status_num,status_list_host,status_list,
        status,stats_host,stats,srg_user_del,srg_user_add,srg_list,
        srg_get_members,srg_get_info,srg_delete,srg_create,
        set_vcard2_multi|...]}},
     {<>,
      {[],
       [{acl,{acl,admin}},
        {oauth,[<>],[{acl,{acl,admin}}]}],
       [user_sessions_info,user_resources,update_list,update,
        unregister,stop_kindly,stop_all_connections,status_num_host,
        status_num,status_list_host,status_list,status,stats_host,
        stats,srg_user_del,srg_user_add,srg_list,srg_get_members,
        srg_get_info,srg_delete,srg_create,set_vcard2_multi|...]}},
     {<>,
      {[],[{access,configure}],[connected_users]}}]
    
    
  • weixin_39778393, 4 months ago

    So for one, you have this fragment in the middle that disabled the listener for 5280 (and /admin access with it):

    
      #!yaml
    
      ## To handle XML-RPC requests that provide admin credentials:
      ##
      # -
      #   port: 4560
      #   module: ejabberd_xmlrpc
      #  access_commands: {}
      #-
    

    Remove it and make sure there is a "-" on the line before port: 5280.

    Second, your api_permissions has the wrong indent; it must be at the start of the line with no spaces before it, and you need to indent that whole block accordingly.

  • weixin_39900286, 4 months ago

    Do you mean to remove the xmlrpc section from the yml?

  • weixin_39778393, 4 months ago

    Hello,

    The default permissions definition allows executing commands only for a user from the admin group with a token created with scope "ejabberd:admin".

    This can be changed by adding the api_permissions option (or uncommenting the fragment which is in your config already); by default it looks like this:

    
    api_permissions:
      "console commands":
        from:
          - ejabberd_ctl
        who: all
        what: "*"
      "admin access":
        who:
          - admin
          - oauth:
            - scope: "ejabberd:admin"
            - admin
        what:
          - "*"
          - "!stop"
          - "!start"
    

    You could add an extra rule to api_permissions just for your command, like this:

    
      "oauth get_roster":
        - who:
          - oauth:
            - scope: "<your token scope>"
            - user: "john.com"
            - user: "marry.com"
        - what:
          - get_roster

    Or have your token generated in such a way that it matches the default rule (a user from the admin group with token scope ejabberd:admin, but this will allow executing almost all commands).

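To make the denial reasoning concrete, here is an added example (not ejabberd's code, and not from the original thread): a small Python model of how api_permissions rules of the shape shown above decide a call. It encodes one behaviour that explains the code 32 error in this thread and is consistent with ejabberd's documentation: a plain ACL entry such as `- admin` in `who:` matches callers that did not authenticate with OAuth, while OAuth callers are matched only by `oauth:` entries, whose scope must be present in the token. The rule names, callers and outcomes are the ones discussed in the thread; the matcher itself is a simplification (no `access:` rules, tags or host-specific ACLs) and is this example's assumption, as is its tolerance of the `- who:` / `- what:` list form.

```python
"""Simplified model of an ejabberd api_permissions decision.

Added example, not ejabberd's code: it mirrors the rule shape used in the
thread (from / who / what, with oauth sub-rules) so the code-32 denial can
be reproduced on paper. The real matcher is ejabberd_access_permissions.erl
and knows more rule kinds (access: rules, tags, host-specific ACLs).
"""
from typing import Any, Dict, List

Rule = Dict[str, Any]
Caller = Dict[str, Any]  # caller_module, user, oauth_scope (list or None), acls


def _normalize(rule: Any) -> Rule:
    """Accept the documented mapping form {who:, what:} and, as a convenience
    of this model only, the list form [- who:, - what:] seen in the thread."""
    if isinstance(rule, list):
        merged: Rule = {}
        for item in rule:
            merged.update(item)
        return merged
    return rule


def _as_list(value: Any) -> List[Any]:
    return [value] if isinstance(value, str) else list(value or [])


def _who_matches(entry: Any, caller: Caller) -> bool:
    """One `who:` entry. Model assumption, consistent with the denial in the
    thread: plain ACL/user entries match only callers that did NOT come in
    with OAuth, and `oauth:` entries match only callers that did. Being in
    the admin ACL is therefore not enough; the token scope must match."""
    via_oauth = caller.get("oauth_scope") is not None
    if isinstance(entry, dict) and "oauth" in entry:
        if not via_oauth:
            return False
        scopes = [e["scope"] for e in entry["oauth"]
                  if isinstance(e, dict) and "scope" in e]
        nested = [e for e in entry["oauth"]
                  if not (isinstance(e, dict) and "scope" in e)]
        if not any(s in caller["oauth_scope"] for s in scopes):
            return False
        # nested entries (acl name or user:) describe the token's owner
        owner = dict(caller, oauth_scope=None)
        return any(_who_matches(n, owner) for n in nested)
    if via_oauth:
        return False
    if entry == "all":
        return True
    if isinstance(entry, str):                        # ACL name, e.g. admin
        return entry in caller.get("acls", [])
    if isinstance(entry, dict) and "user" in entry:   # user: "admin" / "admin@host"
        jid = caller.get("user") or ""
        return entry["user"] in (jid, jid.split("@")[0])
    return False


def _what_matches(what: Any, command: str) -> bool:
    entries = _as_list(what)
    if "!" + command in entries:        # "!stop" style exclusion wins
        return False
    return "*" in entries or command in entries


def rule_permits(rule: Any, caller: Caller, command: str) -> bool:
    rule = _normalize(rule)
    sources = _as_list(rule.get("from"))      # empty list: any caller module
    if sources and caller["caller_module"] not in sources:
        return False
    if not any(_who_matches(w, caller) for w in _as_list(rule.get("who"))):
        return False
    return _what_matches(rule.get("what"), command)


def is_permitted(api_permissions: Dict[str, Any], caller: Caller, command: str) -> bool:
    """Any single rule that permits is enough; there are no deny rules."""
    return any(rule_permits(r, caller, command) for r in api_permissions.values())


# ejabberd's default api_permissions, as quoted in the thread.
DEFAULT_PERMISSIONS = {
    "console commands": {"from": ["ejabberd_ctl"], "who": "all", "what": "*"},
    "admin access": {
        "who": ["admin", {"oauth": [{"scope": "ejabberd:admin"}, "admin"]}],
        "what": ["*", "!stop", "!start"],
    },
}
# Least-privilege rule for the thread's use case: one scope, one user, one command.
GET_ROSTER_RULE = {
    "oauth get_roster": {
        "who": [{"oauth": [{"scope": "get_roster"}, {"user": "admin"}]}],
        "what": ["get_roster"],
    }
}
# CallerInfo as logged by mod_http_api in the thread; the token was requested
# with "get_roster+sasl_auth", i.e. the two scopes get_roster and sasl_auth.
HTTP_CALLER = {"caller_module": "mod_http_api", "user": "admin@localhost",
               "oauth_scope": ["get_roster", "sasl_auth"], "acls": ["admin"]}
CTL_CALLER = {"caller_module": "ejabberd_ctl", "user": None,
              "oauth_scope": None, "acls": []}


def explain() -> Dict[str, bool]:
    """Outcomes for the situations discussed in the thread."""
    with_rule = {**DEFAULT_PERMISSIONS, **GET_ROSTER_RULE}
    admin_token = dict(HTTP_CALLER, oauth_scope=["ejabberd:admin"])
    no_console = {k: v for k, v in with_rule.items() if k != "console commands"}
    return {
        "default/get_roster": is_permitted(DEFAULT_PERMISSIONS, HTTP_CALLER, "get_roster"),  # code 32
        "scoped/get_roster": is_permitted(with_rule, HTTP_CALLER, "get_roster"),
        "scoped/register": is_permitted(with_rule, HTTP_CALLER, "register"),
        "admin_token/register": is_permitted(with_rule, admin_token, "register"),
        "admin_token/stop": is_permitted(with_rule, admin_token, "stop"),
        "ctl/stop": is_permitted(with_rule, CTL_CALLER, "stop"),
        "ctl_no_console/stop": is_permitted(no_console, CTL_CALLER, "stop"),  # ejabberdctl locked out
    }


if __name__ == "__main__":
    for case, allowed in explain().items():
        print(f"{case:22} {'allowed' if allowed else 'DENIED (code 32)'}")
```

The first case is the thread's error: the user is in the admin ACL, but the token carries get_roster and sasl_auth rather than ejabberd:admin, so the default "admin access" rule does not match an OAuth caller and nothing else permits get_roster. Adding the scoped rule fixes that one command while register stays denied, which is the least-privilege shape a web backend should get; a token with ejabberd:admin opens almost everything except stop and start; and dropping "console commands" locks ejabberdctl out, as warned earlier in the thread.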
  • weixin_39900286, 4 months ago

    But in my yml file api_permissions is disabled. Do you mean to enable it as follows:

    api_permissions:
      "console commands":
        from:
          - ejabberd_ctl
        who: all
        what: "*"
      "admin access":
        who:
          - admin
          - oauth:
            - scope: "ejabberd:admin"
            - admin
        "oauth get_roster":
          - who
            - oauth:
              - scope: "<your token scope>"
              - user: "john.com"
              - user: "marry.com"
          - what:
            - get_roster
        what:
          - "*"
          - "!stop"
          - "!start"

    Do you mean to ena

  • weixin_39900286, 4 months ago

    Please let me know if the one below is correct:

    
      api_permissions:
      "console commands":
        from:
          - ejabberd_ctl
        who: all
        what: "*"
      "admin access":
        who:
          - admin
          - oauth:
            - scope: "ejabberd:admin"
            - admin
    
        what:
          - "*"
         - "!stop"
          - "!start"
    
      "oauth get_roster":
      - who
        - oauth:
          - scope: "<your token scope>"
          - user: "john.com"
          - user: "marry.com"
      - what:
        - get_roster  
    
  • weixin_39900286, 4 months ago

    Please help me. I am struggling to fix this issue.

    When I generated the token, I used the scope "user_get_roster+sasl_auth".

  • weixin_39778393, 4 months ago

    Yeah, in your config that part is commented out; it just shows what the default value is. So you need to uncomment it.

    You also need to modify this part:

    
        - oauth:
          - scope: "<your token scope>"
          - user: "john.com"
          - user: "marry.com"

    to enter the correct scope (user_get_roster+sasl_auth in your case, I guess) and also change those "- user" lines to use the correct user name that you used to generate the token (this declaration says that users john and marry can call the command get_roster when they use OAuth authentication with scope "<your token scope>", so you need to adapt that to what you are really using).

  • weixin_39900286, 4 months ago

    Okay. I will check that and get back to you soon.

    Can I use the REST API using mod_xmlrpc? Let me know if it will be deprecated soon.

  • weixin_39900286, 4 months ago

    I still got the same error. Could you please help me?

    
     api_permissions:
    ##  "console commands":
    ##    from:
    ##      - ejabberd_ctl
    ##    who: all
    ##    what: "*"
      "admin access":
        who:
          - admin
          - oauth:
            - scope: "ejabberd:admin"
            - admin
        what:
          - "*"
          - "!stop"
          - "!start"
      "oauth get_roster":
      - who:
          - oauth:
          - scope: "get_roster+sasl_auth"
          - user: "admin"
      - what:
          - get_roster
