Well any client can pick their own keypair, so unless you have the public key 
then it's moot. If the client claims to be billgates and signs their message 
(and you have their pubkey) then they're authenticated, no?
On Tuesday, December 31, 2013 7:01 AM, Drew Crawford <d...@sealedabstract.com> wrote:
Well if I allow just any client to claim to be billgates that’s not going to be 
very secure…

…or did I misunderstand your proposal?


On Dec 31, 2013, at 12:56 AM, Amir Taaki <zgen...@yahoo.com> wrote:

> Have you thought about a custom frame at the top of your message?
> 
> Or the clients can set their own custom identity if they have unique names.
> 
> 
> On Tuesday, December 31, 2013 6:51 AM, Drew Crawford <d...@sealedabstract.com> wrote:
> Hey folks,
> 
> I’ve got a REQ-ROUTER architecture where clients (with a REP socket) connect 
> to a server (with a ROUTER socket).  This connection is authenticated via 
> CURVE.
> 
> I need to figure out some person/username/unique identifier that is 
> associated with the incoming REQ.  There are a couple of reasons.  One is 
> that not all users have the same level of access privileges.  For example, 
> there’s an admin user, with more powers than the other users, and so I need 
> to allow some types of REQs only for that user.  Another reason is that in 
> this application, users live inside their own sandbox more or less.  So a REQ 
> that lists data, should only be listing data that the current user is allowed 
> to see.
> 
> rfc.zeromq.org/spec:27/ZAP is apparently built to solve this problem, and the 
> reply even has a field (field 5, “The user id, which SHALL contain a 
> string.”) which looks like it is built for the purpose of associating a 
> username with a session.  Presumably I would just fill that field with the 
> username (e.g. “billgates”) when I am satisfied that the user has 
> authenticated successfully as Bill Gates.
> 
> The problem is that at the time that a request comes inbound on my ROUTER, 
> the only data I (seem to) have about the sender is some opaque (to me) 
> identity bytes in the message envelope.  And I do not see a way to take those 
> opaque bytes and convert them into either billgates, the client’s public key, 
> or any other identifying information that would let me figure out who is 
> making the request.
> 
> In an attempt to see where field 5 goes, I have traced the parsing of the zap 
> field into curve_server.cpp 
> (https://github.com/zeromq/libzmq/blob/master/src/curve_server.cpp#L617) and 
> as far as I can tell it’s unused.  So it’s possible that the feature I’m 
> looking for isn’t implemented.
> 
> Any suggestions for how I can identify the sender of a REQ, either within the 
> current 4.0.3 release, or a general sketch of a patch I could write that 
> would solve this problem?
> 
> Drew
> _______________________________________________
> zeromq-dev mailing list
> zeromq-dev@lists.zeromq.org
> http://lists.zeromq.org/mailman/listinfo/zeromq-dev 


_______________________________________________
zeromq-dev mailing list
zeromq-dev@lists.zeromq.org
http://lists.zeromq.org/mailman/listinfo/zeromq-dev
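The scheme Amir sketches in this thread (a username frame at the top of each request, checked by the server against the public key it already holds for that user, so an unknown name or a wrong key is refused), as an added example that is not from the thread and not libzmq's API. It models the frames as a struct rather than a ZMQ socket, uses Ed25519 from Go's standard library for the per-message signature, and assumes a server-side registry of username to out-of-band public key and admin flag.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Frames is the multipart REQ once the opaque ROUTER identity frame is stripped.
type Frames struct {
	User               string // claimed username frame
	Signature, Payload []byte // signature frame, then the real request
}

// Registry is the server-side table (assumed layout): per-user public key, obtained out of band, plus an admin flag.
type Registry map[string]struct {
	Key   ed25519.PublicKey
	Admin bool
}

// signedBytes binds the claimed name to the payload so a signature cannot be reused under another name (add a nonce if replay matters).
func signedBytes(user string, payload []byte) []byte {
	return append([]byte(user+"\x00"), payload...)
}

// Sign is the client side: prepend the username frame and a signature frame.
func Sign(user string, priv ed25519.PrivateKey, payload []byte) Frames {
	return Frames{user, ed25519.Sign(priv, signedBytes(user, payload)), payload}
}

// Authenticate returns the verified username, or false if the name is unknown or the signature fails under its registered key.
func Authenticate(reg Registry, f Frames) (string, bool) {
	p, known := reg[f.User]
	if !known || !ed25519.Verify(p.Key, signedBytes(f.User, f.Payload), f.Signature) {
		return "", false
	}
	return f.User, true
}

// Authorize refuses admin-only request types for non-admins and refuses an unverified user ("") outright.
func Authorize(reg Registry, user string, adminOnly bool) bool {
	p, known := reg[user]
	return known && (!adminOnly || p.Admin)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	reg := Registry{"billgates": {Key: pub, Admin: true}}
	user, ok := Authenticate(reg, Sign("billgates", priv, []byte("LIST")))
	fmt.Println(user, ok, Authorize(reg, user, true)) // billgates true true
}
```

The per-user sandbox filter for list requests would key on the same verified username, never on the claimed frame.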