[zeromq-dev] Restricting access to data (i.e. sockets)
Pieter Hintjens
ph at imatix.com
Tue Nov 9 09:47:55 CET 2010
On Tue, Nov 9, 2010 at 9:12 AM, Oliver Senn <oliver.senn at smart.mit.edu> wrote:
> There have been lots of discussions about security in/on top of/below
> ZeroMQ lately. I have a question not about encrypting messages but about
> restricting arbitrary people (i.e. sockets) from subscribing to, e.g., a
> PUB socket.
>
> Is this possible with ZeroMQ? Is the PUB socket even aware of who is
> subscribing to its messages? Can we make this functionality available on
> an API level?
>
> Because besides encryption, I will also need a way to define which
> people have access to which data. How could one implement such an access
> system with the current ZeroMQ library?

This is usually called "authenticated pubsub" and there have been some
threads on that. The pubsub infrastructure does not provide any hooks
for authenticating subscribers. Basically, if you want to use pub-sub
sockets, they are by design a radio broadcast model, where the
publisher is unaware of subscribers. You can encrypt a broadcast but
it's encrypted the same way for all subscribers.

So the two ways of securing a pubsub architecture are:

* use encryption on messages and pass the key out-of-band
* do not use pub-sub sockets but instead xrep-xreq and custom routing

-Pieter
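
Added example, not part of the original message or of ZeroMQ: a sketch of the second option above (xrep-xreq with custom routing), where the publisher keeps its own routing table keyed by the peer identity frame and only adds a peer after checking a MAC and a per-topic ACL. The names `AuthRouter`, `sub_proof`, `CLIENT_KEYS`, `ACL` and the `SUB`/`OK`/`DENY` frame layout are assumptions made for illustration; `serve_once` assumes a pyzmq ROUTER (formerly XREP) socket.

```python
import hashlib
import hmac

# Constructed sample data: per-client keys (handed out out-of-band) and topic ACLs.
CLIENT_KEYS = {b"alice": b"k-alice-constructed", b"bob": b"k-bob-constructed"}
ACL = {b"alice": {b"prices", b"trades"}, b"bob": {b"prices"}}


def sub_proof(key, topic):
    """MAC a client sends with a SUB request; the key itself never travels."""
    return hmac.new(key, b"SUB|" + topic, hashlib.sha256).digest()


class AuthRouter:
    """Publisher-side routing table keyed by the XREP/ROUTER peer identity frame."""

    def __init__(self, keys, acl):
        self.keys, self.acl = keys, acl
        self.routes = {}  # topic -> set of socket identities allowed to receive it

    def handle(self, frames):
        """frames = [identity, b"SUB", client, topic, proof] as read from the socket."""
        if len(frames) != 5 or frames[1] != b"SUB":
            return frames[:1] + [b"ERR"]
        identity, _, client, topic, proof = frames
        key = self.keys.get(client)
        # Unknown clients are checked against a dummy key so both paths do a MAC.
        ok = hmac.compare_digest(sub_proof(key or b"\0" * 32, topic), proof)
        if key is None or not ok or topic not in self.acl.get(client, ()):
            return [identity, b"DENY", topic]  # same reply for every failure cause
        self.routes.setdefault(topic, set()).add(identity)
        return [identity, b"OK", topic]

    def publish(self, topic, payload):
        """One addressed message per authorized peer; nobody else is sent the data."""
        return [[ident, topic, payload] for ident in sorted(self.routes.get(topic, ()))]


def serve_once(sock, router):
    """Glue for a real socket (assumption: sock is a pyzmq ROUTER socket)."""
    sock.send_multipart(router.handle(sock.recv_multipart()))
```

The proof here is a fixed MAC per client and topic, so on an unencrypted link an observer could replay it; including a server-issued nonce in the MAC input closes that gap and is omitted from this sketch. Payloads are still sent in the clear, so this addresses who receives data, not confidentiality on the wire.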