On 7/27/2010 9:07 AM, Pieter Hintjens wrote:
> Now to your problem of authenticating subscribers.  I imagine you're
> not actually using multicast but TCP unicast, right?  A ZMQ_PUB socket
> can connect to a ZMQ_SUB socket.  So imagine that subscribers connect
> to the publisher via REQ-REP and provide their endpoint along with
> authentication credentials.  The publisher verifies that and if it
> matches, connects through to their endpoint.  The publisher does not
> bind(), so has no endpoint for unauthorized subscribers to connect to.
>    
The subscribers bind their sockets, and the publisher performs the 
connect()?

Unfortunately many of our subscribers would be behind multiple layers of 
firewall and NAT. So ideally I'd want the ability to move the endpoint 
(real-socket) from the zmq-req-rep socket to my zmq-pub socket.

Hmm. I'll have to sit and look at the actual implementation of req/rep, 
but perhaps it would be possible to implement a "rep-pub" class, which 
you receive a request on, to which you reply once.

Underneath, it is actually two zmq-sockets. One is a req/rep socket, 
which handles routing of auth requests/replies. The other is a ZMQ_PUB 
socket.

When it sees what it recognizes as an auth-accept, it sends the reply and 
transfers the underlying endpoint to the zmq_pub socket.

Example usage:

ctx = zmq.context()
pubSock = ctx.socket(ZMQ_AUTHED_PUB)
pubSock.bind("tcp://1.2.3.4:1234")
do
   p = pollitems( { pubSock, zmq.POLLIN} )
   if ctx.poll(p, nil, 100) == 0 then
     # Reached time out, send data
     msg = generateMessage()
     pubSock.send(msg)
   else
     # Received a msg on pubSock
     msg = pubSock.recv()

     if approved(msg) then
       # the send routine will clear the sock opt
       # after checking for it.
       pubSock.setsockopt(zmq.PUB_AUTHORIZED)
       pubSock.send(makeApprovalMsg(msg))

       # at this point, the underlying endpoint has now been
       # moved to the AUTHED_PUB's PUB socket.
     else
       pubSock.send("begone, intruder!")
     end
   end
end


_______________________________________________
zeromq-dev mailing list
[email protected]
http://lists.zeromq.org/mailman/listinfo/zeromq-dev
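
An added example, not part of the original message and not ZeroMQ code: the hand-off proposed above (one reply per connection, then the endpoint moves to the publish side) modelled with plain Python stream sockets. The AuthedPub class, the TOKENS store and the "user token" request format are assumptions made for illustration; ZMQ_AUTHED_PUB remains the message's hypothetical socket type.

```python
import hmac
import socket

# Constructed credential store for the example only.
TOKENS = {"alice": b"s3cret-token"}

class AuthedPub:
    """Model of the proposed 'rep-pub' socket (hypothetical, not a ZeroMQ type):
    a peer gets exactly one reply, and only an accepted peer joins the PUB side."""

    def __init__(self):
        self.pending = set()      # connected, not yet authenticated
        self.subscribers = set()  # authenticated, receive published data

    def attach(self, conn):
        self.pending.add(conn)

    def handle_auth(self, conn):
        # Assumption: the whole b"user token\n" request arrives in one recv().
        line = conn.recv(256).split(b"\n", 1)[0]
        user, _, token = line.partition(b" ")
        expected = TOKENS.get(user.decode("ascii", "replace"))
        self.pending.discard(conn)
        if expected is not None and hmac.compare_digest(token, expected):
            conn.sendall(b"OK\n")
            self.subscribers.add(conn)  # endpoint handed to the PUB side
            return True
        conn.sendall(b"DENIED\n")
        conn.close()                    # rejected peer never sees published data
        return False

    def publish(self, msg):
        for conn in list(self.subscribers):
            try:
                conn.sendall(msg)
            except OSError:             # peer went away: drop it
                self.subscribers.discard(conn)
                conn.close()
        return len(self.subscribers)

def demo():
    pub, clients, seen = AuthedPub(), {}, {}
    for name, req in (("good", b"alice s3cret-token\n"), ("bad", b"alice wrong\n")):
        server_side, clients[name] = socket.socketpair()  # stands in for a TCP accept
        pub.attach(server_side)
        clients[name].sendall(req)
        pub.handle_auth(server_side)
        seen[name] = [clients[name].recv(64)]             # the single auth reply
    seen["subscribers"] = pub.publish(b"tick\n")
    for name in ("good", "bad"):
        seen[name].append(clients[name].recv(64))         # data, or b"" on close
    return seen
```

Because the subscriber opens the connection and the publisher reuses it, this shape also fits the NAT and firewall constraint raised in the message.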