[zeromq-dev] Associating messages to authenticated clients

Pieter Hintjens ph at imatix.com
Tue Jan 21 18:19:49 CET 2014


The idea with zmq_msg_get was to solve the majority case (get/set
integer options) with one API call, then allow additional methods for
specific options, like zmq_msg_more ().

Accessor functions don't need _get, otherwise. So zmq_msg_metadata
(name), returning a string, would be nice.

On Tue, Jan 21, 2014 at 10:37 AM, Brandon Carpenter
<brandon.carpenter at pnnl.gov> wrote:
> Great. Looks similar to how I was starting to implement it. I hadn't
> thought of the ABI compatibility. Here is a possible solution. Add the
> mechanism pointer to socket_base_t and add a pointer to socket_base_t in
> zmq::msg_t, replacing both file_desc and mechanism. The file descriptor
> and mechanism can now both be retrieved via the socket reference, along
> with any other socket information that may become useful in the future.
>
> If we think there will be other message metadata worth retrieving, it
> seems like adding a more generic function, like zmq_getsockopt(), might
> be appropriate. I was thinking that is what zmq_msg_get() was for, but
> then noticed that it only retrieves integers. Perhaps adding a function
> like zmq_msg_get_metadata(zmq_msg_t *msg, int meta_name, void
> *meta_value, size_t *meta_len) could be a candidate?
>
> On 01/21/2014 03:17 AM, Goswin von Brederlow wrote:
>> On Mon, Jan 20, 2014 at 03:07:06PM -0800, Brandon Carpenter wrote:
>>> I am using a PULL socket to receive messages which are subsequently
>>> forwarded to a PUB socket. Each client may have a list of allowed topics
>>> associated with its CURVE public key. When incoming messages are
>>> published, I need to filter topics using the source's approved topic
>>> list to restrict the topics a client may publish, which means I must
>>> somehow associate incoming messages with the authenticated client. The
>>> ZAP RFC makes it sound like that is what the user identifier is for.
>>>> The authenticator replies with an OK/NOT OK response, with a user id
>>>> that the server can use to identify the user to internal application code.
>>> Looking through the code and documentation, there doesn't appear to be
>>> any method for the application to retrieve the user identifier. Is this
>>> correct or am I missing something? Is there another way to accomplish
>>> the above scenario of associating messages with an authenticated client?
>>> If not, then I will post my ideas for implementing such a feature.
>>>
>>> Thanks,
>>>
>>> Brandon
>> I played around with that and you can test it:
>>
>> https://github.com/mrvn/libzmq/tree/mrvn
>>
>> So far the code compiles (for me). I haven't had time to write a
>> proper test case for it yet. But I've modified tests/test_security_curve.cpp
>> to call zmq_msg_get_user_id() and that seems to work:
>>
>>    char user_id[256];
>>    size_t user_id_size = sizeof(user_id);
>>    rc = zmq_msg_get_user_id(&server_msg, user_id, &user_id_size);
>>    assert(rc != -1);
>>    printf("got user_id '%.*s'\n", (int)user_id_size, user_id);
>>
>> The feature modifies the size of zmq_msg_t, which means it breaks the
>> ABI. So I'm not happy with it yet. I've added a pointer to the
>> security mechanism used for the message so the message structure grows
>> by 8. The pointer should probably only be set for messages with
>> content (not control messages) and put into the union. I think there
>> would be enough space there to hide the pointer so the ABI doesn't
>> break.
>>
>> But it's a first attempt. Have a look.
>>
>> MfG
>>       Goswin
>>
>> PS: I've added a pointer to the mechanism so potentially the identity,
>> properties and metadata set there could be accessed as well.
>>
>> PPS: If you use czmq then you need to recompile it because of the ABI
>> change.
>> _______________________________________________
>> zeromq-dev mailing list
>> zeromq-dev at lists.zeromq.org
>> http://lists.zeromq.org/mailman/listinfo/zeromq-dev

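The per-client topic check described in the original question, as an added example that is not code from this thread or from libzmq. It assumes the ZAP user id has already been obtained as a length-delimited buffer (as in the `zmq_msg_get_user_id` snippet above); `topic_allowed`, the `acl` table and its sample ids are constructed for illustration, and prefix matching is an assumption chosen to mirror how ZeroMQ subscriptions match topics.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample ACL: ZAP user id -> topic prefixes the client may publish. */
struct acl_entry {
    const char *user_id;
    const char *prefixes[4];            /* NULL-terminated list */
};

static const struct acl_entry acl[] = {
    { "sensor-a", { "building1/temp/", "building1/humidity/", NULL } },
    { "admin",    { "", NULL } },       /* empty prefix matches every topic */
};

/* Return 1 if the authenticated client may publish `topic`, else 0.
 * Both buffers are length-delimited: neither a user id nor a message frame
 * is guaranteed to be NUL-terminated. Unknown or empty ids are denied. */
int topic_allowed(const char *user_id, size_t user_id_len,
                  const char *topic, size_t topic_len)
{
    if (user_id == NULL || user_id_len == 0 || topic == NULL)
        return 0;
    for (size_t i = 0; i < sizeof acl / sizeof acl[0]; i++) {
        /* Exact match on the id, lengths included, so "sensor-ab" or an id
         * with an embedded NUL never inherits the rights of "sensor-a". */
        if (strlen(acl[i].user_id) != user_id_len ||
            memcmp(acl[i].user_id, user_id, user_id_len) != 0)
            continue;
        for (size_t j = 0; acl[i].prefixes[j] != NULL; j++) {
            size_t plen = strlen(acl[i].prefixes[j]);
            if (plen <= topic_len &&
                memcmp(acl[i].prefixes[j], topic, plen) == 0)
                return 1;
        }
        return 0;                       /* known client, topic not on its list */
    }
    return 0;                           /* default deny */
}

int main(void)
{
    const char id[] = "sensor-a";
    const char topic[] = "building2/temp/room4";
    printf("%s -> %s: %s\n", id, topic,
           topic_allowed(id, sizeof id - 1, topic, sizeof topic - 1)
               ? "forward to PUB" : "drop");
    return 0;
}
```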