[zeromq-dev] Authenticated pubsub (was Access control)

Pieter Hintjens ph at imatix.com
Tue Jul 27 19:28:12 CEST 2010


Here is, I think, how to build an authenticated pubsub service using
0MQ.  The design handles authentication, arbitrary routing criteria,
and flushing of dead client connections.

You will use ZMQ_XREQ at the client side and ZMQ_XREP at the service
side.  There is a simple protocol between client and server that is
loosely modelled on HTTP:

* Client sends messages containing: identity (0MQ adds this
automatically), authentication credentials, and subscription criteria.
* Server sends messages containing: identity (automatic),
error/success code, and content.

The server has two main data structures:

* A connection table that stores authenticated identities and
timestamps.  Each identity corresponds to a client connection.
* A routing table that maps message keys (e.g. topic value) to
identities.  There are techniques for doing
[http://www.zeromq.org/whitepapers:message-matching high speed message
matching].

The client has a single thread that polls on its ZMQ_XREQ socket.  At
regular time intervals it (re)sends its authentication and
subscription message.  This acts as a keep-alive.

The server has two threads, one that polls on its ZMQ_XREP socket
and one that receives outgoing messages and passes them to the polling
thread via inproc sockets.  The polling thread processes any incoming
client requests and updates its data structures.  It processes any
outgoing messages by looking up the message key in its routing table
and then sending the message (one to one) to all matching identities.
As it does this it deletes any expired identities.

That's it.  Sorry if I got some things wrong here, it's theory and not
based on running code.

-Pieter
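
The polling thread's two tables from the design above, sketched as an added example that is not part of the original post and is not code from the 0MQ project. It models only the state handling, with socket I/O left out. The class and method names, the 200/401 codes, the 30-second timeout, the in-memory credential store and the choice to drop an identity on a failed re-authentication are all assumptions.

```python
import hmac
import time

TTL = 30.0  # assumed: seconds without a keep-alive before an identity expires

class PubSubState:
    """State held by the server's polling thread (hypothetical names)."""

    def __init__(self, credentials, ttl=TTL, clock=time.monotonic):
        self.credentials = credentials   # user -> secret (constructed sample store)
        self.ttl = ttl
        self.clock = clock
        self.connections = {}            # identity -> last-seen timestamp
        self.routes = {}                 # topic -> set of identities

    def on_request(self, identity, user, secret, topics):
        """Handle one client message: authenticate, then (re)subscribe.
        Returns the reply as (identity, status code)."""
        expected = self.credentials.get(user)
        ok = expected is not None and hmac.compare_digest(
            expected.encode(), secret.encode())   # constant-time comparison
        if not ok:
            self._drop(identity)         # assumed policy: failed auth revokes access
            return (identity, 401)
        self.connections[identity] = self.clock()   # keep-alive refresh
        for subs in self.routes.values():            # replace old subscriptions
            subs.discard(identity)
        for topic in topics:
            self.routes.setdefault(topic, set()).add(identity)
        return (identity, 200)

    def on_publish(self, topic, content):
        """Route one outgoing message; returns [(identity, content), ...]."""
        now = self.clock()
        out = []
        for identity in sorted(self.routes.get(topic, ())):
            if now - self.connections.get(identity, float("-inf")) > self.ttl:
                self._drop(identity)     # expired: flush the dead connection
            else:
                out.append((identity, content))
        return out

    def _drop(self, identity):
        """Remove an identity from both tables."""
        self.connections.pop(identity, None)
        for subs in self.routes.values():
            subs.discard(identity)
```

Because the routing table is only consulted for identities that are still in the connection table and within the timeout, a client that stops re-sending its credentials stops receiving content without any explicit disconnect.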


