disclose caller or publisher in crossbar.io?

#1

In WAMPv2 Advance Profile, it is possible to disclose the caller or publisher as follows:

PUBLISH.Options.disclose_me|bool := true

How do I enable that in Crossbar.io? I’d like to have a front-end client’s IP address, session_id, or more data sent to a callee along with the function call. Is that something I can easily configure using Crossbar configuration file?

– Dante

0 Likes

#2

Hi Dante!

For disclosing caller identity, you do not need to configure anything in Crossbar.io. Doing so is handled in one of two ways:

  • The caller requests that his identity be disclosed as part of the procedure call, e.g. `session.call(“com.myapp.test”, [“test”], {}, {disclose_me: true}.
  • The callee requests that the caller identity be disclosed when registering the procedure, e.g. `session.register(‘com.myapp.test’, test, { disclose_caller: true })
    In either case, the callee then receives a details dict as part of the call arguments for the function (args, kwargs, details), and this contains caller information.

The “disclose_caller” is entirely undocumented (next on my to-do list to fix).

Searching through the Crossbar.io code, is also found “disclose_caller_transport” as an argument - so you may want to give this a try as well - I haven’t tried it yet (another item on my to-do list).

Hope this helps, and feel free to contact me with any additional questions!

Regards,

Alex

···

Am Dienstag, 13. Januar 2015 10:09:03 UTC+1 schrieb Dante Lorenso:

In WAMPv2 Advance Profile, it is possible to disclose the caller or publisher as follows:

PUBLISH.Options.disclose_me|bool := true

How do I enable that in Crossbar.io? I’d like to have a front-end client’s IP address, session_id, or more data sent to a callee along with the function call. Is that something I can easily configure using Crossbar configuration file?

– Dante

0 Likes

#3

Hi Dante!
For disclosing caller identity, you do not need to configure anything in Crossbar.io. Doing so is handled in one of two ways:

  • The caller requests that his identity be disclosed as part of the procedure call, e.g. `session.call(“com.myapp.test”, [“test”], {}, {disclose_me: true}.
  • The callee requests that the caller identity be disclosed when registering the procedure, e.g. `session.register(‘com.myapp.test’, test, { disclose_caller: true })
    In either case, the callee then receives a details dict as part of the call arguments for the function (args, kwargs, details), and this contains caller information.

I will post later a design I plan to use for handling authentication and authorization so everyone can comment and criticize it for me. In short, I am planning to use the ‘session id’ in the details dict to look up the caller authentication details for each request so that more granular authorization can be done inside each backend client RPC call. This session id will be used just like sessions in PHP or other web/HTTP pattern.

Although I realize the clients can control this on each call (i did stumble on the disclose_me: true for calls), I’d rather configure it once on the router and not worry about a client forgetting to do this for every call.

The “disclose_caller” is entirely undocumented (next on my to-do list to fix).

Searching through the Crossbar.io code, is also found “disclose_caller_transport” as an argument - so you may want to give this a try as well - I haven’t tried it yet (another item on my to-do list).

I’d like to see what disclose_caller_transport does also, but more so I’d like to find a way to authorize subscriptions by keeping the authorization inside the same backend clients which will be publishing events for those topics.

I feel like I’ve read somewhere that I can configure the Crossbar.io router to automatically append the session id in the details for all calls. Maybe I read that in the WAMP spec and not crossbar? It does seem like something that should exist so it can be configured globally instead of per-call.

– Dante

···

On Wednesday, January 14, 2015 at 3:27:19 PM UTC+4, Alexander Gödde wrote:

0 Likes

#4

Hi Dante,

FWIW, the latest Crossbar.io has brought this behavior:

A publisher can ask the broker to disclose it’s identity to subscribers (“disclose_me == true”). A subscriber always receives the publisher then - if was request by publisher.

Similarily for registrations, callers and callees.

The feature to enforce or disallow caller/publisher identification via the router configuration is another thing. Is that what you are looking for?

Cheers,
/Tobias

···

Am Mittwoch, 14. Januar 2015 12:49:04 UTC+1 schrieb Dante Lorenso:

On Wednesday, January 14, 2015 at 3:27:19 PM UTC+4, Alexander Gödde wrote:

Hi Dante!
For disclosing caller identity, you do not need to configure anything in Crossbar.io. Doing so is handled in one of two ways:

  • The caller requests that his identity be disclosed as part of the procedure call, e.g. `session.call(“com.myapp.test”, [“test”], {}, {disclose_me: true}.
  • The callee requests that the caller identity be disclosed when registering the procedure, e.g. `session.register(‘com.myapp.test’, test, { disclose_caller: true })
    In either case, the callee then receives a details dict as part of the call arguments for the function (args, kwargs, details), and this contains caller information.

I will post later a design I plan to use for handling authentication and authorization so everyone can comment and criticize it for me. In short, I am planning to use the ‘session id’ in the details dict to look up the caller authentication details for each request so that more granular authorization can be done inside each backend client RPC call. This session id will be used just like sessions in PHP or other web/HTTP pattern.

Although I realize the clients can control this on each call (i did stumble on the disclose_me: true for calls), I’d rather configure it once on the router and not worry about a client forgetting to do this for every call.

The “disclose_caller” is entirely undocumented (next on my to-do list to fix).

Searching through the Crossbar.io code, is also found “disclose_caller_transport” as an argument - so you may want to give this a try as well - I haven’t tried it yet (another item on my to-do list).

I’d like to see what disclose_caller_transport does also, but more so I’d like to find a way to authorize subscriptions by keeping the authorization inside the same backend clients which will be publishing events for those topics.

I feel like I’ve read somewhere that I can configure the Crossbar.io router to automatically append the session id in the details for all calls. Maybe I read that in the WAMP spec and not crossbar? It does seem like something that should exist so it can be configured globally instead of per-call.

– Dante

0 Likes

#5

No, I think we have design differences of opinion. From what I read, you seem to believe that disclosure of caller should be the responsibility and prerogative of the caller. I do not agree.

I think since it is the callee that receives the call, he is the one that must decide whether he cares about who call calling him. If he does not care, he does not need to ask for the information. However, if he does care, it should not be up to the caller to provide it. See, caller would only provide disclosure if callee wants it, so why have the need belong to the callee and the supply in the hands of the caller? Instead, give both need and supply to the callee and now caller is out of the picture and it’s much easier to program this.

– Dante

···

On Sunday, March 1, 2015 at 4:20:01 PM UTC-6, Tobias Oberstein wrote:

Hi Dante,

FWIW, the latest Crossbar.io has brought this behavior:

A publisher can ask the broker to disclose it’s identity to subscribers (“disclose_me == true”). A subscriber always receives the publisher then - if was request by publisher.

Similarily for registrations, callers and callees.

The feature to enforce or disallow caller/publisher identification via the router configuration is another thing. Is that what you are looking for?

0 Likes

#6

Hi Tobias,
Per the wamp spec there is the concept of allowing a callee to request caller identification via the “disclose_caller” detail being set to true. It appears that this is not currently supported by Crossbar, some googling indicates that it may have been at one point. I would very much like to make use of this ability because it is the callee that is the one who needs the information. Using the “disclose_me” detail seems cumbersome because it means that all callers must have this set in order for the call to succeed. Is support for this part of the spec on the roadmap? Or will it be removed from the wamp spec?

Cheers,

Nic

···

On Sunday, March 1, 2015 at 2:20:01 PM UTC-8, Tobias Oberstein wrote:

Hi Dante,

FWIW, the latest Crossbar.io has brought this behavior:

A publisher can ask the broker to disclose it’s identity to subscribers (“disclose_me == true”). A subscriber always receives the publisher then - if was request by publisher.

Similarily for registrations, callers and callees.

The feature to enforce or disallow caller/publisher identification via the router configuration is another thing. Is that what you are looking for?

Cheers,
/Tobias

Am Mittwoch, 14. Januar 2015 12:49:04 UTC+1 schrieb Dante Lorenso:

On Wednesday, January 14, 2015 at 3:27:19 PM UTC+4, Alexander Gödde wrote:

Hi Dante!
For disclosing caller identity, you do not need to configure anything in Crossbar.io. Doing so is handled in one of two ways:

  • The caller requests that his identity be disclosed as part of the procedure call, e.g. `session.call(“com.myapp.test”, [“test”], {}, {disclose_me: true}.
  • The callee requests that the caller identity be disclosed when registering the procedure, e.g. `session.register(‘com.myapp.test’, test, { disclose_caller: true })
    In either case, the callee then receives a details dict as part of the call arguments for the function (args, kwargs, details), and this contains caller information.

I will post later a design I plan to use for handling authentication and authorization so everyone can comment and criticize it for me. In short, I am planning to use the ‘session id’ in the details dict to look up the caller authentication details for each request so that more granular authorization can be done inside each backend client RPC call. This session id will be used just like sessions in PHP or other web/HTTP pattern.

Although I realize the clients can control this on each call (i did stumble on the disclose_me: true for calls), I’d rather configure it once on the router and not worry about a client forgetting to do this for every call.

The “disclose_caller” is entirely undocumented (next on my to-do list to fix).

Searching through the Crossbar.io code, is also found “disclose_caller_transport” as an argument - so you may want to give this a try as well - I haven’t tried it yet (another item on my to-do list).

I’d like to see what disclose_caller_transport does also, but more so I’d like to find a way to authorize subscriptions by keeping the authorization inside the same backend clients which will be publishing events for those topics.

I feel like I’ve read somewhere that I can configure the Crossbar.io router to automatically append the session id in the details for all calls. Maybe I read that in the WAMP spec and not crossbar? It does seem like something that should exist so it can be configured globally instead of per-call.

– Dante

0 Likes

#7

Hi Nicolas,

“disclose_caller” was indeed once a feature implemented by Crossbar.io. If I remember correctly, we had a discussion about the who could request this, couldn’t find an easy way to resolve conflicts (“What happens when the caller explicitly doesn’t want the disclosure, but the callee does.”) and settled on just the caller being able to do anything here (which is the currently implemented state.

As you can see from the spec (https://github.com/tavendo/WAMP/blob/master/spec/advanced/caller-identification.md), allowing the callee to request caller identity is still in there, and there have been several requests to add this back to Crossbar.io.

I suggest you open a Crossbar.io issue about this, and then let’s see if other people chime in. AFAIK this is not settled yet. (I suggest you open the issue instead of me doing that since this way it already has an advocate outside of the core team + you get notified of new entries on the issue.)

Regards,

Alex

···

Am Dienstag, 1. September 2015 20:43:14 UTC+2 schrieb Nicholas Wiles:

Hi Tobias,
Per the wamp spec there is the concept of allowing a callee to request caller identification via the “disclose_caller” detail being set to true. It appears that this is not currently supported by Crossbar, some googling indicates that it may have been at one point. I would very much like to make use of this ability because it is the callee that is the one who needs the information. Using the “disclose_me” detail seems cumbersome because it means that all callers must have this set in order for the call to succeed. Is support for this part of the spec on the roadmap? Or will it be removed from the wamp spec?

Cheers,

Nic

On Sunday, March 1, 2015 at 2:20:01 PM UTC-8, Tobias Oberstein wrote:

Hi Dante,

FWIW, the latest Crossbar.io has brought this behavior:

A publisher can ask the broker to disclose it’s identity to subscribers (“disclose_me == true”). A subscriber always receives the publisher then - if was request by publisher.

Similarily for registrations, callers and callees.

The feature to enforce or disallow caller/publisher identification via the router configuration is another thing. Is that what you are looking for?

Cheers,
/Tobias

Am Mittwoch, 14. Januar 2015 12:49:04 UTC+1 schrieb Dante Lorenso:

On Wednesday, January 14, 2015 at 3:27:19 PM UTC+4, Alexander Gödde wrote:

Hi Dante!
For disclosing caller identity, you do not need to configure anything in Crossbar.io. Doing so is handled in one of two ways:

  • The caller requests that his identity be disclosed as part of the procedure call, e.g. `session.call(“com.myapp.test”, [“test”], {}, {disclose_me: true}.
  • The callee requests that the caller identity be disclosed when registering the procedure, e.g. `session.register(‘com.myapp.test’, test, { disclose_caller: true })
    In either case, the callee then receives a details dict as part of the call arguments for the function (args, kwargs, details), and this contains caller information.

I will post later a design I plan to use for handling authentication and authorization so everyone can comment and criticize it for me. In short, I am planning to use the ‘session id’ in the details dict to look up the caller authentication details for each request so that more granular authorization can be done inside each backend client RPC call. This session id will be used just like sessions in PHP or other web/HTTP pattern.

Although I realize the clients can control this on each call (i did stumble on the disclose_me: true for calls), I’d rather configure it once on the router and not worry about a client forgetting to do this for every call.

The “disclose_caller” is entirely undocumented (next on my to-do list to fix).

Searching through the Crossbar.io code, is also found “disclose_caller_transport” as an argument - so you may want to give this a try as well - I haven’t tried it yet (another item on my to-do list).

I’d like to see what disclose_caller_transport does also, but more so I’d like to find a way to authorize subscriptions by keeping the authorization inside the same backend clients which will be publishing events for those topics.

I feel like I’ve read somewhere that I can configure the Crossbar.io router to automatically append the session id in the details for all calls. Maybe I read that in the WAMP spec and not crossbar? It does seem like something that should exist so it can be configured globally instead of per-call.

– Dante

0 Likes

#8

Thanks for your insight Alexander,
I have created this ticket: https://github.com/crossbario/crossbar/issues/447

Please add any comments there.

Thanks,

Nic

···

On Thursday, September 3, 2015 at 4:16:33 AM UTC-7, Alexander Gödde wrote:

Hi Nicolas,

“disclose_caller” was indeed once a feature implemented by Crossbar.io. If I remember correctly, we had a discussion about the who could request this, couldn’t find an easy way to resolve conflicts (“What happens when the caller explicitly doesn’t want the disclosure, but the callee does.”) and settled on just the caller being able to do anything here (which is the currently implemented state.

As you can see from the spec (https://github.com/tavendo/WAMP/blob/master/spec/advanced/caller-identification.md), allowing the callee to request caller identity is still in there, and there have been several requests to add this back to Crossbar.io.

I suggest you open a Crossbar.io issue about this, and then let’s see if other people chime in. AFAIK this is not settled yet. (I suggest you open the issue instead of me doing that since this way it already has an advocate outside of the core team + you get notified of new entries on the issue.)

Regards,

Alex

Am Dienstag, 1. September 2015 20:43:14 UTC+2 schrieb Nicholas Wiles:

Hi Tobias,
Per the wamp spec there is the concept of allowing a callee to request caller identification via the “disclose_caller” detail being set to true. It appears that this is not currently supported by Crossbar, some googling indicates that it may have been at one point. I would very much like to make use of this ability because it is the callee that is the one who needs the information. Using the “disclose_me” detail seems cumbersome because it means that all callers must have this set in order for the call to succeed. Is support for this part of the spec on the roadmap? Or will it be removed from the wamp spec?

Cheers,

Nic

On Sunday, March 1, 2015 at 2:20:01 PM UTC-8, Tobias Oberstein wrote:

Hi Dante,

FWIW, the latest Crossbar.io has brought this behavior:

A publisher can ask the broker to disclose it’s identity to subscribers (“disclose_me == true”). A subscriber always receives the publisher then - if was request by publisher.

Similarily for registrations, callers and callees.

The feature to enforce or disallow caller/publisher identification via the router configuration is another thing. Is that what you are looking for?

Cheers,
/Tobias

Am Mittwoch, 14. Januar 2015 12:49:04 UTC+1 schrieb Dante Lorenso:

On Wednesday, January 14, 2015 at 3:27:19 PM UTC+4, Alexander Gödde wrote:

Hi Dante!
For disclosing caller identity, you do not need to configure anything in Crossbar.io. Doing so is handled in one of two ways:

  • The caller requests that his identity be disclosed as part of the procedure call, e.g. `session.call(“com.myapp.test”, [“test”], {}, {disclose_me: true}.
  • The callee requests that the caller identity be disclosed when registering the procedure, e.g. `session.register(‘com.myapp.test’, test, { disclose_caller: true })
    In either case, the callee then receives a details dict as part of the call arguments for the function (args, kwargs, details), and this contains caller information.

I will post later a design I plan to use for handling authentication and authorization so everyone can comment and criticize it for me. In short, I am planning to use the ‘session id’ in the details dict to look up the caller authentication details for each request so that more granular authorization can be done inside each backend client RPC call. This session id will be used just like sessions in PHP or other web/HTTP pattern.

Although I realize the clients can control this on each call (i did stumble on the disclose_me: true for calls), I’d rather configure it once on the router and not worry about a client forgetting to do this for every call.

The “disclose_caller” is entirely undocumented (next on my to-do list to fix).

Searching through the Crossbar.io code, is also found “disclose_caller_transport” as an argument - so you may want to give this a try as well - I haven’t tried it yet (another item on my to-do list).

I’d like to see what disclose_caller_transport does also, but more so I’d like to find a way to authorize subscriptions by keeping the authorization inside the same backend clients which will be publishing events for those topics.

I feel like I’ve read somewhere that I can configure the Crossbar.io router to automatically append the session id in the details for all calls. Maybe I read that in the WAMP spec and not crossbar? It does seem like something that should exist so it can be configured globally instead of per-call.

– Dante

0 Likes