permissions for rpc calls

#1

Concerning authentication,

I note that there is a PERMISSIONS dictionary that is employed during the getAuthPermissions() method during the authorization.

I had thought that it dictated the subscribe/publish/rpc permissions granted to an authKey, but, I’ve come to realize that it doesn’t do that at all. I guess I need to enforce permissions in my rpc and pub/sub callbacks? So, I probably need to record the authKey and permissions during the onAuthenticated() callback and reference them in the rpc/pubsub, is that the idea? I raise a permission type error if access is attempted but not allowed?

-g

0 Likes

#2

> Concerning authentication,
>
> I note that there is a PERMISSIONS dictionary that is employed during
> the getAuthPermissions() method during the authorization.
>
> I had thought that it dictated the subscribe/publish/rpc permissions
> granted to an authKey, but, I've come to realize that it doesn't do that
> at all. I guess I need to enforce permissions in my rpc and pub/sub
> callbacks? So, I probably need to record the authKey and permissions
> during the onAuthenticated() callback and reference them in the
> rpc/pubsub, is that the idea? I raise a permission type error if access
> is attempted but not allowed?

Whether a topic will get dispatched or an endpoint is callable is exclusively controlled via

registerForXXX()

methods.

The permissions dictionary is only for "informational" purposes, and only there to be forwarded to the client during the WAMP-CRA authentication of WAMPv1.

This will likely (need to) change in WAMPv2, since we need dynamic RPC endpoint registration, and for RPC relaying to be possible, this needs to be communicated over WAMP.

/Tobias


On 07.12.2013 01:19, Greg Fausak wrote:


0 Likes

#3

Tobias,

That’s what I thought. Can I do anything I want with the PERMISSIONS dictionary, or does it need to stay true to current form?

-g


On Saturday, December 7, 2013 8:16:54 AM UTC-6, Tobias Oberstein wrote:


0 Likes

#4

> Tobias,
>
> That's what I thought. Can I do anything I want with the PERMISSIONS
> dictionary, or does it need to stay true to current form?

Well, looking forward, things will change anyway. But if you don't have good reason, it's probably good to follow the pattern right now.

Looking at the Crossbar.io code (my other mail), I remember there is minimal machinery to register PubSub topics from a PERMISSIONS dict:

https://github.com/crossbario/crossbar/blob/master/crossbar/crossbar/netservice/hubwebsocket.py#L353

/Tobias


On 07.12.2013 21:23, Greg Fausak wrote:


0 Likes
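
A model of the pattern described in the replies above, where registration rather than the PERMISSIONS dictionary decides what a session can reach. This is an added example, not code from the thread or from Autobahn or Crossbar.io. `Session`, `on_authenticated`, the sample URIs and the dictionary layout are assumptions made for illustration.

```python
class NotAuthorized(Exception):
    """A session used a URI that was never registered for it."""

class Session:
    """Stand-in for a per-connection protocol object (not Autobahn's class)."""
    def __init__(self):
        self.rpc = {}       # exact URI -> callable
        self.topics = []    # (uri, prefix_match, may_publish, may_subscribe)

    def register_rpc(self, uri, proc):
        self.rpc[uri] = proc

    def register_topic(self, uri, prefix, pub, sub):
        self.topics.append((uri, prefix, pub, sub))

    def call(self, uri, *args):
        if uri not in self.rpc:                  # default deny
            raise NotAuthorized(uri)
        return self.rpc[uri](*args)

    def allowed(self, uri, action):              # action: "pub" or "sub"
        for t_uri, prefix, pub, sub in self.topics:
            hit = uri.startswith(t_uri) if prefix else uri == t_uri
            if hit and (pub if action == "pub" else sub):
                return True
        return False

BASE = "http://example.com/"                     # constructed sample URIs
ENDPOINTS = {BASE + "procedures/hello": lambda name: "Hello, " + name,
             BASE + "procedures/shutdown": lambda: "stopping"}

# Constructed sample data; the dictionary layout is an assumption.
PERMISSIONS = {"alice": {
    "rpc": [{"uri": BASE + "procedures/hello", "call": True}],
    "pubsub": [{"uri": BASE + "topics/", "prefix": True,
                "pub": False, "sub": True}]}}

def on_authenticated(session, auth_key):
    """Turn the key's permissions into registrations; unknown keys get none."""
    perms = PERMISSIONS.get(auth_key, {})
    for r in perms.get("rpc", []):
        if r.get("call") and r["uri"] in ENDPOINTS:
            session.register_rpc(r["uri"], ENDPOINTS[r["uri"]])
    for t in perms.get("pubsub", []):
        session.register_topic(t["uri"], t.get("prefix", False),
                               t.get("pub", False), t.get("sub", False))
    return session
```

Because the dispatcher only knows what was registered for the session, an endpoint missing from a key's permissions fails closed without any check inside the RPC body.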