[zeromq-dev] Associating messages to authenticated clients

Goswin von Brederlow goswin-v-b at web.de
Tue Jan 21 12:17:38 CET 2014


On Mon, Jan 20, 2014 at 03:07:06PM -0800, Brandon Carpenter wrote:
> I am using a PULL socket to receive messages which are subsequently 
> forwarded to a PUB socket. Each client may have a list of allowed topics 
> associated with its CURVE public key. When incoming messages are 
> published, I need to filter topics using the source's approved topic 
> list to restrict the topics a client may publish, which means I must 
> somehow associate incoming messages with the authenticated client. The 
> ZAP RFC makes it sound like that is what the user identifier is for.
> > The authenticator replies with an OK/NOT OK response, with a user id 
> > that the server can use to identify the user to internal application code.
> Looking through the code and documentation, there doesn't appear to be 
> any method for the application to retrieve the user identifier. Is this 
> correct or am I missing something? Is there another way to accomplish 
> the above scenario of associating messages with an authenticated client? 
> If not, then I will post my ideas for implementing such a feature.
> 
> Thanks,
> 
> Brandon

I played around with that and you can test it:

https://github.com/mrvn/libzmq/tree/mrvn

So far the code compiles (for me). I haven't had time to write a
proper test case for it yet. But I've modified tests/test_security_curve.cpp
to call zmq_msg_get_user_id() and that seems to work:

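  char user_id[256];
  size_t user_id_size = sizeof(user_id);
  /* in: buffer capacity, out: number of user id bytes written */
  rc = zmq_msg_get_user_id(&server_msg, user_id, &user_id_size);
  assert(rc != -1);
  /* %.*s (precision) bounds the print to user_id_size bytes; %*s only pads */
  printf("got user_id '%.*s'\n", (int)user_id_size, user_id);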

The feature modifies the size of zmq_msg_t, which means it breaks the
ABI. So I'm not happy with it yet. I've added a pointer to the
security mechanism used for the message so the message structure grows
by 8. The pointer should probably only be set for messages with
content (not control messages) and put into the union. I think there
would be enough space there to hide the pointer so the ABI doesn't
break.

But it's a first attempt. Have a look.

MfG
	Goswin

PS: I've added a pointer to the mechanism so potentially the identity,
properties and metadata set there could be accessed as well.

PPS: If you use czmq then you need to recompile it because of the ABI
change.
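
Added example, not part of the original post and not libzmq code: a default-deny check for the scenario in the quoted question, deciding whether an authenticated client may publish a topic before the message is forwarded from the PULL socket to the PUB socket. It assumes the user id arrives as a counted byte buffer without a terminating NUL, as in the snippet above; the ACL contents and the names acl_entry, id_equals and topic_allowed are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample policy: ZAP user id -> topic prefixes it may publish. */
struct acl_entry {
    const char *user_id;      /* user id the ZAP handler returned */
    const char *prefixes[4];  /* NULL-terminated list of allowed prefixes */
};

static const struct acl_entry acl[] = {
    { "alice", { "weather/", "traffic/nyc/", NULL } },
    { "bob",   { "traffic/", NULL } },
};

/* Length-exact comparison: the user id is a counted buffer, not a C string. */
static int id_equals(const char *id, size_t id_len, const char *name)
{
    return strlen(name) == id_len && memcmp(id, name, id_len) == 0;
}

/* Returns 1 if the authenticated user may publish `topic`, else 0.
 * Unknown or empty user ids are denied (default deny). */
int topic_allowed(const char *id, size_t id_len,
                  const char *topic, size_t topic_len)
{
    if (id == NULL || id_len == 0 || topic == NULL)
        return 0;
    for (size_t i = 0; i < sizeof acl / sizeof acl[0]; i++) {
        if (!id_equals(id, id_len, acl[i].user_id))
            continue;
        for (size_t j = 0; j < 4 && acl[i].prefixes[j] != NULL; j++) {
            size_t plen = strlen(acl[i].prefixes[j]);
            if (plen <= topic_len &&
                memcmp(topic, acl[i].prefixes[j], plen) == 0)
                return 1;
        }
        return 0;  /* known user, topic outside its list */
    }
    return 0;
}

int main(void)
{
    /* Buffer as the receive path would hand it over: counted, no NUL. */
    const char id[5] = { 'a', 'l', 'i', 'c', 'e' };
    printf("%d %d\n", topic_allowed(id, 5, "weather/nyc", 11),
                      topic_allowed(id, 5, "traffic/sf", 10));
    return 0;
}
```

Comparing the full counted length keeps "alice2" or "alic" from matching the entry for "alice", and a topic shorter than an allowed prefix is rejected.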


