[zeromq-dev] best approach for client authorization in pub-sub?

John Muehlhausen jgm at jgm.org
Fri Jan 11 18:33:41 CET 2013


Perhaps you could allow anyone to subscribe, but publish encrypted data,
such that only authorized clients know how to unpack it.
-John

On Fri, Jan 11, 2013 at 11:22 AM, Andrzej Dworak <Andrzej.Dworak at cern.ch>wrote:

> Dear colleagues,
>
> I need to authorize clients requests on the server side. I already have a
> system for user authentication & authorization and my question is *how to
> best integrate it with ZMQ*?
>
> For req-rep communication pattern this is quite easy - I do it each time a
> new request comes:
> 1. server receives data from a client
> 2. the data contains also a token that is used to verify client credentials
> 3. If credentials are OK then server executes an action or sends requested
> data to the client.
> 4. If a client does not hold proper rights, then I send back a message
> "sorry, no rights to do XYZ".
>
> For pub-sub it is a bit harder, as in ZeroMQ the server side does not
> directly see a client request, so I cannot do something like that:
> 1. server receives client request to subscribe
> 2. the data contains also the token
> 3. if the token is OK we let the client subscribe
> 4. if the token is not OK we do not let the client subscribe
>
> How would you solve the above problem?
> The most straightforward solution that comes to my mind is: Instead of
> directly subscribing to the publishing socket we ask for its address
> through req-rep channel. Along the request we pass our token. If server
> verifies that it is OK, then it returns the address of the publishing
> socket. The client subscribes to the publisher without any further
> validation.
>
> Of course, this is not a safe solution but it is *good enough* in my case.
> Anyway, I am asking as maybe someone could propose an easier/nicer/better
> solution.
>
> Thanks a lot for your help,
> Andrzej
>
> _______________________________________________
> zeromq-dev mailing list
> zeromq-dev at lists.zeromq.org
> http://lists.zeromq.org/mailman/listinfo/zeromq-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.zeromq.org/pipermail/zeromq-dev/attachments/20130111/45ad2e93/attachment.htm>


More information about the zeromq-dev mailing list