[zeromq-dev] Associating messages to authenticated clients

Brandon Carpenter brandon.carpenter at pnnl.gov
Tue Jan 21 17:37:19 CET 2014


Great. Looks similar to how I was starting to implement it. I hadn't 
thought of the ABI compatibility. Here is a possible solution. Add the 
mechanism pointer to socket_base_t and add a pointer to socket_base_t in 
zmq::msg_t, replacing both file_desc and mechanism. The file descriptor 
and mechanism can now both be retrieved via the socket reference, along 
with any other socket information that may become useful in the future.

If we think there will be other message metadata worth retrieving, it 
seems like adding a more generic function, like zmq_getsockopt(), might 
be appropriate. I was thinking that is what zmq_msg_get() was for, but 
then noticed that it only retrieves integers. Perhaps adding a function 
like zmq_msg_get_metadata(zmq_msg_t *msg, int meta_name, void 
*meta_value, size_t *meta_len) could be a candidate?

On 01/21/2014 03:17 AM, Goswin von Brederlow wrote:
> On Mon, Jan 20, 2014 at 03:07:06PM -0800, Brandon Carpenter wrote:
>> I am using a PULL socket to receive messages which are subsequently
>> forwarded to a PUB socket. Each client may have a list of allowed topics
>> associated with it's CURVE public key. When incoming messages are
>> published, I need to filter topics using the source's approved topic
>> list to restrict the topics a client may publish, which means I must
>> somehow associate incoming messages with the authenticated client. The
>> ZAP RFC makes it sound like that is what the user identifier is for.
>>> The authenticator replies with an OK/NOT OK response, with a user id
>>> that the server can use to identify the user to internal application code.
>> Looking through the code and documentation, there doesn't appear to be
>> any method for the application to retrieve the user identifier. Is this
>> correct or am I missing something? Is there another way to accomplish
>> the above scenario of associating messages with an authenticated client?
>> If not, then I will post my ideas for implementing such a feature.
>>
>> Thanks,
>>
>> Brandon
> I played around with that and you can test it:
>
> https://github.com/mrvn/libzmq/tree/mrvn
>
> So far the code compiles (for me). I haven't had time to write a
> proper test case for it yet. But I've modifed tests/test_security_curve.cpp
> to call zmq_msg_get_user_id() and that seems to work:
>
>    char user_id[256];
>    size_t user_id_size = sizeof(user_id);
>    rc = zmq_msg_get_user_id(&server_msg, user_id, &user_id_size);
>    assert(rc != -1);
>    printf("got user_id '%*s'\n", (int)user_id_size, user_id);
>
> The feature modifies the size of zmq_msg_t, which means it breaks the
> ABI. So I'm not happy with it yet. I've added a pointer to the
> security mechanism used for the message so the messag structure grows
> by 8. The pointer should probably only be set for messages with
> content (not control messages) and put into the union. I think there
> would be enough space there to hide the pointer so the ABI doesn't
> break.
>
> But its a first attempt. Have a look.
>
> MfG
> 	Goswin
>
> PS: I've added a pointer to the mechanism so potentially the identity,
> properties and metadata set there could be accessed as well.
>
> PPS: If you use czmq then you need to recompile it because of the ABI
> change.
> _______________________________________________
> zeromq-dev mailing list
> zeromq-dev at lists.zeromq.org
> http://lists.zeromq.org/mailman/listinfo/zeromq-dev





More information about the zeromq-dev mailing list