[zeromq-dev] Fwd: Access control

Martin Sustrik sustrik at 250bpm.com
Tue Jul 27 19:18:41 CEST 2010


Pieter Hintjens wrote:
> On Tue, Jul 27, 2010 at 5:58 PM, Oliver Smith <oliver at kfs.org> wrote:
> 
>> Ah - that's where initially treating the socket as a REQ/REP came in:
>> they would connect to me, send me their authentication data, and if
>> that's accepted, then I would move that underlying socket to the members
>> of my middle-level pub/sub pair (with me as pub, them as sub).
> 
> It's belling the cat.  There are no semantics in 0MQ for moving
> underlying sockets to the members of your middle-level pub/sub pair.
> 
> What you can do afaics is use req-xrep to do a kind of user-space
> pub-sub based on identities.  If someone who has actually done this
> (Brian?) could confirm...

Yes. It can be done that way as a workaround.

As for a real solution, the only way to have authenticated pub/sub IMO is 
to encrypt messages on the publisher and decrypt them on the terminal 
subscriber. (All the intermediate untrusted nodes would just forward 
encrypted data.)

Only subscribers with the correct key would be able to make any use of the 
messages then.

Martin
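
The scheme described in the message above (encrypt on the publisher, decrypt on the terminal subscriber, intermediates only forward), as an added example that is not part of the original post and is not 0MQ code. Assumptions: a group key already shared out of band, a hypothetical four-frame layout [topic, nonce, ciphertext, tag], and a stdlib-only HMAC-SHA256 encrypt-then-MAC construction standing in for a vetted AEAD such as AES-GCM or ChaCha20-Poly1305.

```python
import hashlib, hmac, os

NONCE_LEN = 16

def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def _xor_stream(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher: HMAC-SHA256 in counter mode, XORed over the data.
    blocks = (len(data) + 31) // 32
    ks = b"".join(_prf(enc_key, nonce + i.to_bytes(8, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))

def _tag(mac_key: bytes, topic: bytes, nonce: bytes, ct: bytes) -> bytes:
    # The topic is authenticated (length-prefixed) although it travels in clear.
    return _prf(mac_key, len(topic).to_bytes(4, "big") + topic + nonce + ct)

def seal(group_key: bytes, topic: bytes, payload: bytes) -> list:
    """Publisher side: build the frames [topic, nonce, ciphertext, tag]."""
    nonce = os.urandom(NONCE_LEN)
    ct = _xor_stream(_prf(group_key, b"enc"), nonce, payload)
    return [topic, nonce, ct, _tag(_prf(group_key, b"mac"), topic, nonce, ct)]

def forward(frames: list, prefix: bytes):
    """Untrusted intermediate node: prefix-filters on the clear topic, holds no key."""
    return list(frames) if frames[0].startswith(prefix) else None

def unseal(group_key: bytes, frames: list):
    """Terminal subscriber: return the payload, or None if authentication fails."""
    if len(frames) != 4 or len(frames[1]) != NONCE_LEN:
        return None
    topic, nonce, ct, tag = frames
    if not hmac.compare_digest(tag, _tag(_prf(group_key, b"mac"), topic, nonce, ct)):
        return None
    return _xor_stream(_prf(group_key, b"enc"), nonce, ct)

if __name__ == "__main__":
    key = os.urandom(32)                       # constructed group key, shared out of band
    relayed = forward(seal(key, b"prices.eur", b"1.0842"), b"prices.")
    print(unseal(key, relayed))                # b'1.0842'
    print(unseal(os.urandom(32), relayed))     # None: wrong key
    relayed[0] = b"prices.usd"                 # forwarder re-labels the message
    print(unseal(key, relayed))                # None: topic is bound to the tag
```

The topic frame stays in clear so that intermediate nodes can still do prefix matching, which means topic names themselves are visible to every forwarder; only the payload is confidential.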



