[zeromq-dev] How do I find out which ZAP user I'm talking to? (zap rely field 5)

Drew Crawford drew at sealedabstract.com
Tue Dec 31 08:01:07 CET 2013


Well if I allow just any client to claim to be billgates that’s not going to be very secure…

…or did I misunderstand your proposal?


On Dec 31, 2013, at 12:56 AM, Amir Taaki <zgenjix at yahoo.com> wrote:

> Have you thought about a custom frame at the top of your message?
> 
> Or the clients can set their own custom identity if they have unique names.
> 
> 
> 
> 
> 
> On Tuesday, December 31, 2013 6:51 AM, Drew Crawford <drew at sealedabstract.com> wrote:
> Hey folks,
> 
> I’ve got a REQ-ROUTER architecture where clients (with a REP socket) connect to a server (with a ROUTER socket).  This connection is authenticated via CURVE.
> 
> I need to figure out some person/username/unique identifier that is associated with the incoming REQ.  There are a couple of reasons.  One is that not all users have the same level of access privileges.  For example, there’s an admin user, with more powers than the other users, and so I need to allow some types of REQs only for that user.  Another reason is that in this application, users live inside their own sandbox more or less.  So a REQ that lists data, should only be listing data that the current user is allowed to see.
> 
> rfc.zeromq.org/spec:27/ZAP is apparently built to solve this problem, and the reply even has a field (field 5, "The user id, which SHALL contain a string.”) which looks like it is built for the purpose of associating a username with a session.  Presumably I would just fill that field with the username (e.g. “billgates”) when I am satisfied that the user has authenticated successfully as Bill Gates.
> 
> The problem is that at the time that a request comes inbound on my ROUTER, the only data I (seem to) have about the sender is some opaque (to me) identity bytes in the message envelope.  And I do not see a way to take those opaque bytes and convert them into either billgates, the client’s public key, or any other identifying information that would let me figure out who is making the request.
> 
> In an attempt to see where field 5 goes, I have traced the parsing of the zap field into curve_server.cpp (https://github.com/zeromq/libzmq/blob/master/src/curve_server.cpp#L617) and as far as I can tell it’s unused.  So it’s possible that the feature I’m looking for isn’t implemented.
> 
> Any suggestions for how I can identify the sender of a REQ, either within the current 4.0.3 release, or a general sketch of a patch I could write that would solve this problem?
> 
> Drew
> _______________________________________________
> zeromq-dev mailing list
> zeromq-dev at lists.zeromq.org
> http://lists.zeromq.org/mailman/listinfo/zeromq-dev 
> _______________________________________________
> zeromq-dev mailing list
> zeromq-dev at lists.zeromq.org
> http://lists.zeromq.org/mailman/listinfo/zeromq-dev




More information about the zeromq-dev mailing list