[zeromq-dev] Fwd: Access control
Martin Sustrik
sustrik at 250bpm.com
Tue Jul 27 19:18:41 CEST 2010
Pieter Hintjens wrote:
> On Tue, Jul 27, 2010 at 5:58 PM, Oliver Smith <oliver at kfs.org> wrote:
>
>> Ah - that's where initially treating the socket as a REQ/REP came in:
>> they would connect to me, send me their authentication data, and if
>> that's accepted, then I would move that underlying socket to the members
>> of my middle-level pub/sub pair (with me as pub, them as sub).
>
> It's belling the cat. There are no semantics in 0MQ for moving
> underlying sockets to the members of your middle-level pub/sub pair.
>
> What you can do afaics is use req-xrep to do a kind of user-space
> pub-sub based on identities. If someone who has actually done this
> (Brian?) could confirm...

Yes. It can be done that way as a workaround.

As for a real solution, the only way to have authenticated pub/sub IMO is
to encrypt messages on the publisher and decrypt them on the terminal
subscriber. (All the intermediate untrusted nodes would just forward
encrypted data.)

Only subscribers with the correct key would be able to make any use of the
messages then.

Martin
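
An added illustration of the design described in the message above (not part of the original post and not ZeroMQ code): the publisher seals each payload with AES-256-GCM, forwarders see only a cleartext topic and opaque bytes, and only a subscriber holding the key can open the message. The `Frame` layout, the function names and the choice of AES-GCM with a pre-shared key are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Frame is what forwarders see: cleartext Topic for routing, Body = nonce || ciphertext.
type Frame struct {
	Topic string
	Body  []byte
}

func gcm(key [32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(key[:]) // cannot fail: key length is fixed at 32
	aead, _ := cipher.NewGCM(block)   // cannot fail for an AES block
	return aead
}

// Seal runs on the publisher. The topic is bound as associated data, so a
// forwarder that relabels a message makes it fail authentication.
func Seal(key [32]byte, topic string, msg []byte) (Frame, error) {
	aead := gcm(key)
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per message
	if _, err := rand.Read(nonce); err != nil {
		return Frame{}, err
	}
	return Frame{Topic: topic, Body: aead.Seal(nonce, nonce, msg, []byte(topic))}, nil
}

// Open runs on the terminal subscriber; a wrong key or altered frame is an error.
func Open(key [32]byte, f Frame) ([]byte, error) {
	aead := gcm(key)
	n := aead.NonceSize()
	if len(f.Body) < n {
		return nil, fmt.Errorf("frame shorter than nonce: %d bytes", len(f.Body))
	}
	return aead.Open(nil, f.Body[:n], f.Body[n:], []byte(f.Topic))
}

func main() {
	var key [32]byte // constructed demo key; real keys are shared out of band
	rand.Read(key[:])
	f, _ := Seal(key, "prices", []byte("EURUSD 1.30"))
	pt, err := Open(key, f)
	fmt.Println(string(pt), err)
}
```

With a single shared key every subscriber can also forge messages; the scheme keeps non-members out but does not distinguish the publisher from other key holders.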