[zeromq-dev] best approach for client authorization in pub-sub?

Andrzej Dworak Andrzej.Dworak at cern.ch
Fri Jan 11 18:22:31 CET 2013

Dear colleagues,

I need to authorize clients requests on the server side. I already have a system for user authentication & authorization and my question is *how to best integrate it with ZMQ*?

For req-rep communication pattern this is quite easy - I do it each time a new request comes: 
1. server receives data from a client
2. the data contains also a token that is used to verify client credentials
3. If credentials are OK then server executes an action or sends requested data to the client. 
4. If a client does not hold proper rights, then I send back a message "sorry, no rights to do XYZ".

For pub-sub it is a bit harder, as in ZeroMQ the server side does not directly see a client request, so I cannot do something like that:
1. server receives client request to subscribe
2. the data contains also the token
3. if the token is OK we let the client subscribe
4. if the token is not OK we do not let the client subscribe

How would you solve the above problem?
The most straightforward solution that comes to my mind is: Instead of directly subscribing to the publishing socket we ask for its address through req-rep channel. Along the request we pass our token. If server verifies that it is OK, then it returns the address of the publishing socket. The client subscribes to the publisher without any further validation.

Of course, this is not a safe solution but it is *good enough* in my case. Anyway, I am asking as maybe someone could propose an easier/nicer/better solution.

Thanks a lot for your help,

More information about the zeromq-dev mailing list