Dynamic subscribe authentication

#1

Hello,

We have a system with a lot of devices all over the world connecting to our servers to provide information about their environment. We are investigating various technologies to replace the existing infrastructure and Wamp (with Crossbar.io as a router) is one of them. We have some questions about it:

How do we control authorization for users on subscribing to events from certain devices? They can only access some of the devices, but when I look at the concepts of Wamp you always receive all events. For example:

  • User A - Can access device 1
  • User B - Can access device 1 and 2
  • User C - Can access device 2

Do we need to use channels (with the serial number of the device) in the url like in your examples?

Is there a possibility to run some custom code in the router to do the authorization for subscribing to events from certain urls/channels?

Do you have some roadmap about further development? I’ve read that it is not (yet) possible to connect multiple nodes, so what are our options for scaling? I think we need some nodes in multiple regions for better performance but is it possible with crossbar?

Thanks for the good work on your project.

We like it very much!

Thnx,

Erwin

0 Likes

#2

Hi Erwin,

Hello,

We have a system with a lot of devices all over the world connecting to
our servers to provide information about their environment. We are

Sounds exciting ..

investigating various technologies to replace the existing
infrastructure and Wamp (with Crossbar.io as a router) is one of them.
We have some questions about it:

How do we control authorization for users on subscribing to events from
certain devices. They can only access some of the devices, but when I

I have written up a page on authorization with Crossbar.io:

https://github.com/crossbario/crossbar/wiki/Authorization

Note: this is not yet implemented. It'll be there in the "coming weeks". It's high prio, but unfortunately I cannot give you a definitive date.

look at the concepts of Wamp you always receive all events. For example:

  * User A - Can access device 1
  * User B - Can access device 1 and 2
  * User C - Can access device 2

Do we need to use channels (with the serial number of the device) in the
url like in your examples?

Yes, the unit of "permission" is the interaction (e.g. "subscribe") on a specific URI (e.g. "com.example.device.1.on_sensor_a").

You could have:

User A: ALLOW "subscribe" on "com.example.device.1.*"
User B: ALLOW "subscribe" on "com.example.device.1.*" and "com.example.device.2.*"
User C: ALLOW "subscribe" on "com.example.device.2.*"

Is there a possibility to run some custom code in the router to do the
authorization for subscribing to events from certain urls/channels?

Yes:
https://github.com/crossbario/crossbar/wiki/Authorization#dynamic-authorization

Indeed, in the scenario above, where access should be controlled on a "per-user" basis (not only on a "per-role" basis), using a custom authorization hook probably would be the way to go.

The nice thing is: your custom authorization function is a WAMP remoted procedure like any other!

Do you have some roadmap about further development? I've read that it is
not (yet) possible to connect multiple nodes, so what are our options

Yes. It is one of the major upcoming features to scale out a single router to multiple nodes.

Please note that a single Crossbar.io router process will already go a long way. E.g. you can have like 200.000 concurrently active connections on a single such node/process. Another data point: a single Crossbar.io router process can establish something like 30.000 new WAMP sessions - per second.

for scaling? I think we need some nodes in multiple regions for better
performance but is it possible with crossbar?

Not yet. We are currently working on defining the router-to-router protocol (which is the essential piece missing).

Once it's there, it'll allow you to build such networks of federated routers. Note that this will even work over WAN (different from other clustering solutions, it is designed to work not only inside a data-center, but across).

Thanks for the good work on your project.
We like it very much!

Great! Good to hear;) Btw: should you need professional services, consulting or custom development, Tavendo offers this for the complete stack around WAMP, Autobahn and Crossbar.io

In any case: pls feel free to ask more ..

Cheers,
/Tobias

On 30.06.2014 12:23, Erwin Steffens wrote:

Thnx,
Erwin


0 Likes
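The per-user ALLOW rules from the reply above, written out as a deny-by-default decision function. This is an added example, not code from the thread or from Crossbar.io: the call shape (`session` dict with an `authid`, the URI, the action, and an `options` dict carrying the WAMP subscription `match` policy) and the user names are assumptions made for illustration.

```python
# Constructed grants mirroring the thread's example; a trailing "*"
# component grants every URI strictly below that dotted prefix.
GRANTS = {
    "user-a": ["com.example.device.1.*"],
    "user-b": ["com.example.device.1.*", "com.example.device.2.*"],
    "user-c": ["com.example.device.2.*"],
}


def _covers(pattern, uri, match):
    """True if every topic reachable through (uri, match) is under pattern."""
    pat, parts = pattern.split("."), uri.split(".")
    if pat[-1] != "*":
        # A grant on a single URI only allows an exact subscription to it.
        return match == "exact" and parts == pat
    prefix = pat[:-1]
    # Compare whole components, never raw string prefixes, so that
    # "device.1.*" does not cover "device.10.on_sensor_a". An empty
    # component (wildcard slot) never equals a granted literal, which
    # rejects "com.example.device..on_sensor_a". Requiring at least one
    # component below the prefix rejects a prefix subscription to
    # "com.example.device.1", which would also reach "device.10...".
    return len(parts) > len(prefix) and parts[:len(prefix)] == prefix


def authorize(session, uri, action, options=None):
    """Return True only if this user may subscribe to this URI."""
    match = (options or {}).get("match", "exact")
    if action != "subscribe" or match not in ("exact", "prefix", "wildcard"):
        return False
    grants = GRANTS.get(session.get("authid"), [])  # unknown user: no grants
    return any(_covers(p, uri, match) for p in grants)
```

The pattern-based cases matter because WAMP prefix subscriptions match on the raw string, so a check that only looks at exact topic names would let one broad subscription deliver events from devices the user was never granted.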

#3

Hi Tobias,

Thanks for your reply.

The nice thing is: your custom authorization function is a WAMP remoted
procedure like any other!

This is a very nice solution meaning we can develop this in our own language!

Please note that a single Crossbar.io router process will already go a
long way. E.g. you can have like 200.000 concurrently active connections
on a single such node/process. Another data point: a single Crossbar.io
router process can establish something like 30.000 new WAMP sessions -
per second.

This is far enough for us at the moment, but we need to know that there are options when running out of performance.

It will take some time until we need the node scaling so this will not be a problem at this moment.

Great! Good to hear;) Btw: should you need professional services,
consulting or custom development, Tavendo offers this for the complete
stack around WAMP, Autobahn and Crossbar.io

Thanks, that’s good to know. When we have some updates/questions I’ll let you know.

Erwin

On Monday, 30 June 2014 at 16:33:56 UTC+2, Tobias Oberstein wrote:


0 Likes