TLS using asyncio/trollius package in Autobahn Python (basic WAMP router)?

#1

Hi,

Quick(?) question: Does the asyncio/trollius support in Autobahn Python support TLS?

I have an Autobahn Python WAMP-(basic-router)-over-WebSocket server in an embedded device and I’m wondering how to make it secure/TLS. I’d been using the asyncio/trollius package but the only example I see in Autobahn Python is using twisted - do I need to switch to twisted in order to do this? (The other alternative seems to be to upgrade to the advanced WAMP router/Crossbar.io on the device, but I’m trying to keep it “basic”/simple.)

Thanks very much for any guidance - the examples have been helpful for all sorts of Autobahn & WAMP learning/prototyping…!

Dave

0 Likes

#2

Hi Dave,

> Quick(?) question: Does the asyncio/trollius support in Autobahn Python support TLS?

Yes. You will need to adjust

https://github.com/tavendo/AutobahnPython/blob/master/examples/asyncio/wamp/basic/server.py#L116

according to the TLS stuff described here

https://docs.python.org/3/library/asyncio-eventloop.html#creating-listening-connections

Similar for client.

> I have an Autobahn Python WAMP-(basic-router)-over-WebSocket server in an
> embedded device and I'm wondering how to make it secure/TLS. I'd been
> using the asyncio/trollius package but the only example I see in
> Autobahn Python is using twisted - do I need to switch to twisted in
> order to do this? (The other alternative seems to be to upgrade to the
> advanced WAMP router/Crossbar.io on the device, but I'm trying to keep
> it "basic"/simple.)

Curious: what kind of device?

> Thanks very much for any guidance - the examples have been helpful for
> all sorts of Autobahn & WAMP learning/prototyping...!

Great! Yep, we have a lot of examples (as I like working code myself to get started quickly) .. most of them for Twisted though since AutobahnPython historically only supported Twisted.

Cheers,
/Tobias


0 Likes
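What that adjustment looks like with current Python 3 asyncio, as an added example (not code from this thread or from the Autobahn project): the only change to a plain listener is an `ssl=` context on `loop.create_server()`, mirrored on `loop.create_connection()` for the client. The `Echo` protocol is a stand-in for the transport factory the linked server.py passes to `create_server()`, and the host, port and certificate file names are placeholders.

```python
import asyncio
import ssl


def harden(ctx):
    """Refuse protocol versions older than TLS 1.2 on any context."""
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def server_context(certfile, keyfile):
    """TLS context for the listening side (the router on the device)."""
    ctx = harden(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER))
    # Raises OSError if the files are missing, so the caller never ends up
    # with a context that has no certificate loaded.
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def client_context(cafile=None):
    """TLS context for the connecting side.

    cafile=None trusts the system CA store. For a device that uses a
    self-signed or private-CA certificate, pass that certificate as cafile
    so verification stays enabled instead of being switched off.
    """
    ctx = harden(ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile))
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


async def serve_tls(protocol_factory, host, port, certfile, keyfile):
    """Same call as a plaintext listener, plus ssl=<context>."""
    ctx = server_context(certfile, keyfile)  # fails here, before any bind
    loop = asyncio.get_running_loop()
    return await loop.create_server(protocol_factory, host, port, ssl=ctx)


async def connect_tls(protocol_factory, host, port, cafile=None):
    """Client counterpart; server_hostname is what the certificate is checked against."""
    loop = asyncio.get_running_loop()
    return await loop.create_connection(
        protocol_factory, host, port,
        ssl=client_context(cafile), server_hostname=host)


class Echo(asyncio.Protocol):
    """Stand-in protocol for this example; replace with the real transport factory."""

    def connection_made(self, transport):
        self.transport = transport

    def data_received(self, data):
        self.transport.write(data)


async def main(certfile, keyfile):
    # 127.0.0.1:8080 is an example binding, not a recommendation.
    server = await serve_tls(Echo, "127.0.0.1", 8080, certfile, keyfile)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        asyncio.run(main(sys.argv[1], sys.argv[2]))
    else:
        print("usage: python tls_server.py CERT.pem KEY.pem")
```

Because the context is built before the socket is bound, a missing or unreadable certificate stops startup rather than leaving a plaintext listener behind.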

#3

Hi Tobias,

It’s actually a network of devices that can be connected to directly or from a central system (I’m the guy who asked you some questions about realms, etc. and setup a few questions back)…

https://groups.google.com/forum/#!topic/autobahnws/xV7-fU2ZKQE

I decided to try asyncio over twisted just because it’s the newer kid on the block in terms of native Python support (although having said that I’m still using trollius and Python 2!)…

Thanks for the quick reply and the time-saving pointers - I’ll check into them!

Dave


0 Likes

#4

Hi Dave,

> Hi Tobias,
>
> It's actually a network of devices that can be connected to directly or
> from a central system (I'm the guy who asked you some questions about
> realms, etc. and setup a few questions back)...
>
> https://groups.google.com/forum/#!topic/autobahnws/xV7-fU2ZKQE

Yes. Should have been more precise: I was curious about the exact hardware of the device(s). What CPU/MCU? Amount of RAM?

Since I am wondering why you want to use an AutobahnPython basic router, not Crossbar.io .. any specific reasons?

Actually, the basic router in AutobahnPython is only there because we never take stuff away from users once there. And historically (WAMP1), AutobahnPython includes a router. Now all further router development (like WAMP Advanced Profile features etc) is going to Crossbar.io.

All other AutobahnXXX are strictly WAMP _client_ libraries (no router code at all), and AutobahnPython would be the same if not for above historical reasons and our "never take away stuff" policy ..

Cheers,
/Tobias


0 Likes

#5

Hi Tobias,

The device has a BeagleBone Black as the CPU board - 1 GHz ARM Cortex-A8, 512 MB RAM, and we’re expanding the flash/storage from 4 GB to 8 GB.

The reasons I was considering the basic WAMP built-in router were essentially simplicity and ease of configuration:

  1. I am implementing the device’s WAMP endpoint in Python, and saw that Autobahn Python already included the basic router.

  2. It seemed as though I could just include the basic router startup with the application session code; seemed simple with minimal config required.

Based on our discussion about realms, the device could potentially be part of several realms (one for just itself, one for all devices, and one for each geographical device grouping it could belong to - probably never more than a half dozen or so).

I have nothing against using Crossbar.io in the device, assuming setup is straightforward enough. And since this is a new, WAMP2-based design, it sounds like you are “guiding” me toward using Crossbar.io. Do you think Crossbar.io will work well given the requirement/scenario I’ve described?

Dave


0 Likes

#6

> Hi Tobias,
>
> The device has a BeagleBone Black as the CPU board - 1 GHz ARM
> Cortex-A8, 512 MB RAM, and we're expanding the flash/storage from 4 GB
> to 8 GB.

This is a quite beefy little machine. FWIW, it won't have any problems running a full Crossbar.io.

> The reasons I was considering the basic WAMP built-in router were
> essentially simplicity and ease of configuration:
>
> 1) I am implementing the device's WAMP endpoint in Python, and saw that
> Autobahn Python already included the basic router.
> 2) It seemed as though I could just include the basic router startup
> with the application session code; seemed simple with minimal config
> required.
>
> Based on our discussion about realms, the device could potentially be
> part of several realms (one for just itself, one for all devices, and
> one for each geographical device grouping it could belong to - probably
> never more than a half dozen or so).
>
> I have nothing against using Crossbar.io in the device, assuming setup
> is straightforward enough. And since this is a new, WAMP2-based design,

We have a setup recipe for the Pi, which most likely will work on the Beagle without modification:

http://crossbar.io/docs/Installation-on-the-RaspberryPi/

I have a Beagle Black in the office (didn't have time to touch it yet), but I might find 1-2 hours the coming weekend.

> it sounds like you are "guiding" me toward using Crossbar.io. Do you
> think Crossbar.io will work well given the requirement/scenario I've
> described?

Yes, I think so. If you only needed a WAMP component running on your device, AutobahnPython would be sufficient. In that case, Crossbar.io still would add value by being able to host your component in a container which is monitored by Crossbar.io, and in the near future would be able to remotely manage that component. If you need a router, then I'd definitely recommend checking out Crossbar.io. The added value above the basic router included with AutobahnPython is already large, and in the coming future, you will be able to federate / hook up the locally running Crossbar.io router to a Crossbar.io instance running e.g. in a data-center. You won't be able to do that with the basic router.

Cheers,
/Tobias


0 Likes

#7

Hi Tobias,

OK, I’ll give the full Crossbar.io a go (I started with it very early on, until I found the basic router). I hadn’t downloaded it in a while, and noticed a bunch of new examples when I updated it yesterday. For example, I see the wss/TLS example now, which is proving helpful.

One quick question if I may ask (I’m sure there will be more). Is it possible to do Linux PAM-style authentication for users connecting to Crossbar.io/WAMP/WS? I see from the new WAMP-CRA Crossbar.io example that a custom authentication procedure can be used, but I assume that’s only specific to WAMP-CRA.

Thanks again for all the help/guidance,

Dave


0 Likes

#8

Sorry, another quick question - it looks like for a Python application session component to be run “side-by-side” with the router, it has to be implemented with Twisted. I had started implementation using asyncio/trollius since it seemed to be “the future” encouraged by the Python community. If I want to use asyncio, then do I have to run the component as a guest / additional worker process?

Thanks,

Dave


0 Likes

#9

Hi Dave,

> One quick question if I may ask (I'm sure there will be more). Is it
> possible to do Linux PAM-style authentication for users connecting to
> Crossbar.io/WAMP/WS? I see from the new WAMP-CRA Crossbar.io example
> that a custom authentication procedure can be used, but I assume that's
> only specific to WAMP-CRA.

It might be possible to write a custom authenticator for WAMP-CRA that plugs into the Linux PAM ..


0 Likes

#10

> Sorry, another quick question - it looks like for a Python application
> session component to be run "side-by-side" with the router, it has to be
> implemented with Twisted. I had started implementation using
> asyncio/trollius since it seemed to be "the future" encouraged by the
> Python community.

asyncio is "special" in that it is part of the standard library in Python 3.4+. asyncio also profits from the years of experience gained in Twisted and awesome abstractions there (protocols/factories). asyncio also profits from new language elements ("yield from").

However, Twisted isn't deprecated or going away. In fact, Twisted has a lot more batteries included and broader scope than asyncio.

> If I want to use asyncio, then do I have to run the
> component as a guest / additional worker process?

Yes, this is correct.

Crossbar.io is written against Twisted, and Python components that run side-by-side (in a router process) or in a container worker must be written against Twisted also.

With guest workers, you can use anything supported by AutobahnPython:

http://autobahn.ws/python/installation.html#supported-configurations


0 Likes

#11

Hi Tobias,

OK, if you think it’s possible I’ll dig into it more. Didn’t know if WAMP-CRA was compatible with PAM.

Thanks,
Dave

···

On Wednesday, November 26, 2014 5:03:14 PM UTC-5, Tobias Oberstein wrote:

Hi Dave,

> One quick question if I may ask (I’m sure there will be more). Is it
> possible to do Linux PAM-style authentication for users connecting to
> Crossbar.io/WAMP/WS? I see from the new WAMP-CRA Crossbar.io example
> that a custom authentication procedure can be used, but I assume that’s
> only specific to WAMP-CRA.

It might be possible to write a custom authenticator for WAMP-CRA that
plugs into the Linux PAM …

> Thanks again for all the help/guidance,
>
> Dave

On Tuesday, November 25, 2014 3:53:08 PM UTC-5, Tobias Oberstein wrote:

On 24.11.2014 17:03, Dave Barndt wrote:

> Hi Tobias,
>
> The device has a BeagleBone Black as the CPU board - 1 GHz ARM
> Cortex-A8, 512 MB RAM, and we're expanding the flash/storage from 4 GB
> to 8 GB.

This is a quite beefy little machine. FWIW, it won't have any problems
running a full Crossbar.io.

> The reasons I was considering the basic WAMP built-in router were
> essentially simplicity and ease of configuration:
>
> 1) I am implementing the device's WAMP endpoint in Python, and saw that
> Autobahn Python already included the basic router.
> 2) It seemed as though I could just include the basic router startup
> with the application session code; seemed simple with minimal config
> required.
>
> Based on our discussion about realms, the device could potentially be
> part of several realms (one for just itself, one for all devices, and
> one for each geographical device grouping it could belong to - probably
> never more than a half dozen or so).
>
> I have nothing against using Crossbar.io in the device, assuming setup
> is straightforward enough. And since this is a new, WAMP2-based design,

We have a setup recipe for the Pi, which most likely will work on the
Beagle without modification:

http://crossbar.io/docs/Installation-on-the-RaspberryPi/

I have a Beagle Black in the office (didn't have time to touch it yet),
but I might find 1-2 hours the coming weekend.

> it sounds like you are "guiding" me toward using Crossbar.io. Do you
> think Crossbar.io will work well given the requirement/scenario I've
> described?

Yes, I think so. If you only needed a WAMP component running on your
device, AutobahnPython would be sufficient. In that case, Crossbar.io
still would add value by being able to host your component in a
container which is monitored by Crossbar.io, and in the near future
would be able to remotely manage that component. If you need a router,
then I'd definitely recommend checking out Crossbar.io. The added value
above the basic router included with AutobahnPython is already large,
and in the coming future, you will be able to federate / hook up the
locally running Crossbar.io router to a Crossbar.io instance running
e.g. in a data-center. You won't be able to do that with the basic
router.

Cheers,
/Tobias

0 Likes

#12

Hi Tobias,

OK, I’m persuaded to just go with Autobahn/Twisted, since I needed to install it with Crossbar.io anyway. From my app’s standpoint it’s really no more complicated to use than asyncio; and in fact, since it would be simpler to put my app component side-by-side in the device with the Crossbar router, Twisted is my only choice, as you said.

More questions to come I’m sure…

Thanks,

Dave

···

On Wednesday, November 26, 2014 5:09:51 PM UTC-5, Tobias Oberstein wrote:

On 26.11.2014 19:34, Dave Barndt wrote:

> Sorry, another quick question - it looks like for a Python application
> session component to be run “side-by-side” with the router, it has to be
> implemented with Twisted. I had started implementation using
> asyncio/trollius since it seemed to be “the future” encouraged by the

asyncio is “special” in that it is part of the standard library in
Python 3.4+. asyncio also profits from the years of experience gained in
Twisted and awesome abstractions there (protocols/factories). asyncio
also profits from new language elements (“yield from”)

However, Twisted isn’t deprecated or going away. In fact, Twisted has a
lot more batteries included and broader scope than asyncio.

> Python community. If I want to use asyncio, then do I have to run the
> component as a guest / additional worker process?

Yes, this is correct.

Crossbar.io is written against Twisted, and Python components that run
side-by-side (in a router process) or in a container worker must be
written against Twisted also.

With guest workers, you can use anything supported by AutobahnPython:

http://autobahn.ws/python/installation.html#supported-configurations

> Thanks,
>
> Dave
>
> On Wednesday, November 26, 2014 12:54:23 PM UTC-5, Dave Barndt wrote:
>
> Hi Tobias,
>
> OK, I'll give the full Crossbar.io a go (I started with it very
> early on, until I found the basic router). I hadn't downloaded it
> in a while, and noticed a bunch of new examples when I updated it
> yesterday. For example, I see the wss/TLS example now, which is
> proving helpful.
>
> One quick question if I may ask (I'm sure there will be more). Is it
> possible to do Linux PAM-style authentication for users connecting
> to Crossbar.io/WAMP/WS? I see from the new WAMP-CRA Crossbar.io
> example that a custom authentication procedure can be used, but I
> assume that's only specific to WAMP-CRA.
>
> Thanks again for all the help/guidance,
>
> Dave

0 Likes

#13

Hi Tobias,

After some more checking, it doesn’t seem possible to use WAMP-CRA with PAM, essentially since WAMP-CRA doesn’t pass the secret/key/password across the wire. PAM auth needs to validate the password against what’s stored on the (Linux) system (/etc/passwd or /etc/shadow).

So I’m still trying to understand the best way to proceed. All connections into our device will use TLS…

  1. wss:// - WAMP/WebSocket connections for all data exchanged

  2. https:// - Web site/single-page app (that opens a WAMP/WebSocket session for all data)

I have these working with the web server (NodeJS) and Crossbar.io, thanks to the latest version’s examples. Because we’re using TLS, it’s acceptable to use HTTP Basic Auth to gain access to the website, using PAM to authenticate the user/password specified.

What we want to know is the “correct” Crossbar/WAMP authentication scheme to accept a username/password and validate it against PAM as well. If WAMP-CRA doesn’t seem to fit the bill, I’m wondering if the WAMP cookie or ticket authentication methods might work. However, I’m having trouble finding Crossbar.io documentation/examples for these - I’ve only found examples in the basic router (AutobahnPython). Are they implemented in Crossbar.io? (You’ve otherwise convinced me to go with Crossbar.io as the router in the device…)

I hope my question/predicament makes sense. I’m grateful for all the answers you’ve provided.

Dave

0 Likes

#14

I see. My view: Sending passwords over the wire, in particular ones for OS level accounts, even when over TLS would make me very very nervous;) Anyway, that is your decision of course.

The clean way to do that with WAMP then would probably be a new WAMP-BA (“basic auth”) scheme … doing a trivial password request exchange. It's simpler than WAMP-CRA, but not there …

···

Sent from Mobile (Google Nexus 5)

0 Likes

#15

Hi Tobias,

I’m sorry this thread has become so long. Thank you for hanging in there with all my questions.

It sounds like “WAMP-BA” would be like the “ticket”-based auth in the basic WAMP router? (I assume from your response there is no “ticket”-based auth in Crossbar.io?)

If there is (currently?) no WAMP-BA/ticket auth scheme, Crossbar.io docs do seem to indicate it supports cookie-based auth, but the doc page for it is currently “TBD”. Would such a scheme use headers in the websocket “Upgrade” protocol message? Is cookie-based auth available in Crossbar.io but just not documented yet?

If neither WAMP-BA/ticket nor cookie-based auth is available, I just want to be sure I understand - then is the only option in Crossbar.io to use WAMP-CRA (other than something like Google Authenticate or Mozilla Persona, but I would prefer not to involve a third party)? If so, then it seems I will need to maintain two sources of authentication (1. PAM/OS-level for browser’s HTTP Basic-Auth and 2. WAMP-CRA-level), correct? I really would like to have the browser and the WAMP/WS connections use the same “style” of auth, but that is seeming less and less possible. If you can enlighten me I’m very much all ears.

Thanks,

Dave

0 Likes

#16

Hi Dave,

A WAMP-BA method would be extremely useful. As has been described, the ‘password’ is not ‘put on the wire’ from Autobahn’s point of view when a challenge is made with WAMP-CRA. However, you need to fetch the actual password to create the challenge for WAMP-CRA, so it is put on some wire, somewhere, and it is stored somewhere. If there was a WAMP-BA then you wouldn’t need to store the plain text password service side (like for unix password the salted result of a one way encryption is stored).

Anyway, I wanted to chime in with a +1 for WAMP-BA!

-g

···

On Saturday, November 29, 2014 10:53:27 AM UTC-6, Dave Barndt wrote:

Hi Tobias,

I’m sorry this thread has become so long. Thank you for hanging in there with all my questions.

It sounds like “WAMP-BA” would be like the “ticket”-based auth in the basic WAMP router? (I assume from your response there is no “ticket”-based auth in Crossbar.io?)

If there is (currently?) no WAMP-BA/ticket auth scheme, Crossbar.io docs do seem to indicate it supports cookie-based auth, but the doc page for it is currently “TBD”. Would such a scheme use headers in the websocket “Upgrade” protocol message? Is cookie-based auth available in Crossbar.io but just not documented yet?

If neither WAMP-BA/ticket or cookie-based auth are available, I just want to be sure I understand - then is the only option in Crossbar.io to use WAMP-CRA (other than something Google Authenticate or Mozilla Persona, but I would prefer not to involve a third-party)? If so, then it seems I will need to maintain two sources of authentication (1. PAM/OS-level for browser’s HTTP Basic-Auth and 2. WAMP-CRA-level), correct? I really would like to have the browser and the WAMP/WS connections use the same “style” of auth, but that is seeming less and less possible. If you can enlighten me I’m very much all ears.

Thanks,

Dave

On Saturday, November 29, 2014 2:09:39 AM UTC-5, Tobias Oberstein wrote:

I see. My view: Sending passwords over the wire, in particular ones for OS level accounts, even when over TLS would make me very very nervous;) Anyway, that is your decision of course.

The clean way to do that with WAMP then would probably be a new WAMP-BA (“basic auth”) scheme … doing a trivial password request exchange. Its simpler than WAMP-CRA, but not there …

Sent from Mobile (Google Nexus 5)

Am 29.11.2014 02:00 schrieb “Dave Barndt” dave...@gmail.com:

Hi Tobias,

After some more checking, it doesn’t seem possible to use WAMP-CRA with PAM, essentially since WAMP-CRA doesn’t pass the secret/key/password across the wire. PAM auth needs to validate the password against what’s stored on the (Linux) system (/etc/passwd or /etc/shadow).

So I’m still trying to understand the best way to proceed. All connections into our device will use TLS…

  1. wss:// - WAMP/WebSocket connections for all data exchanged
  1. https:// - Web site/single-page app (that opens a WAMP/WebSocket session for all data)

I have these working with the web server (NodeJS) and Crossbar.io, thanks to the latest version’s examples. Because we’re using TLS, it’s acceptable to use HTTP Basic Auth to gain access to the website, using PAM to authenticate the user/password specified.

What we want to know is the “correct” Crossbar/WAMP authentication scheme to accept a username/password and validate it against PAM as well. If WAMP-CRA doesn’t seem to fit the bill, I’m wondering if the WAMP cookie or ticket authentication methods might work. However, I’m having trouble finding Crossbar.io documentation/examples for these - I’ve only found examples in the basic router (AutobahnPython). Are they implemented in Crossbar.io? (You’ve otherwise convinced me to go with Crossbar.io as the router in the device…)

I hope my question/predicament makes sense. I’m grateful for all the answers you’ve provided.

Dave

On Wednesday, November 26, 2014 5:03:14 PM UTC-5, Tobias Oberstein wrote:

Hi Dave,

One quick question if I may ask (I’m sure there will be more). Is it

possible to do Linux PAM-style authentication for users connecting to

Crossbar.io/WAMP/WS? I see from the new WAMP-CRA Crossbar.io example

that a custom authentication procedure can be used, but I assume that’s

only specific to WAMP-CRA.

It might be possible to write a custom authenticator for WAMP-CRA that
plugs into the Linux PAM …

Thanks again for all the help/guidance,

Dave

On Tuesday, November 25, 2014 3:53:08 PM UTC-5, Tobias Oberstein wrote:

Am 24.11.2014 17:03, schrieb Dave Barndt:
 > Hi Tobias,
 >
 > The device has a BeagleBone Black as the CPU board - 1 GHz ARM
 > Cortex-A8, 512 MB RAM, and we're expanding the flash/storage from
4 GB
 > to to 8 GB.
This is a quite beefy little machine. FWIW, it won't have any problems
running a full Crossbar.io.
 >
> The reasons I was considering the basic WAMP built-in router were
> essentially simplicity and ease of configuration:
>
> 1) I am implementing the device's WAMP endpoint in Python, and saw that
> Autobahn Python already included the basic router.
> 2) It seemed as though I could just include the basic router startup
> with the application session code; seemed simple with minimal config
> required.
>
> Based on our discussion about realms, the device could potentially be
> part of several realms (one for just itself, one for all devices, and
> one for each geographical device grouping it could belong to - probably
> never more than a half dozen or so).
>
> I have nothing against using Crossbar.io in the device, assuming setup
> is straightforward enough. And since this is a new, WAMP2-based design,

We have a setup recipe for the Pi, which most likely will work on the
Beagle without modification:

http://crossbar.io/docs/Installation-on-the-RaspberryPi/

I have a Beagle Black in the office (didn't have time to touch it yet),
but I might find 1-2 hours the coming weekend.

> it sounds like you are "guiding" me toward using Crossbar.io. Do you
> think Crossbar.io will work well given the requirement/scenario I've
> described?

Yes, I think so. If you only needed a WAMP component running on your
device, AutobahnPython would be sufficient. In that case, Crossbar.io
still would add value by being able to host your component in a
container which is monitored by Crossbar.io, and in the near future
would be able to remotely manage that component. If you need a router,
then I'd definitely recommend checking out Crossbar.io. The added value
above the basic router included with AutobahnPython is already large,
and in the coming future, you will be able to federate / hook up the
locally running Crossbar.io router to a Crossbar.io instance running
e.g. in a data-center. You won't be able to do that with the basic
router.

Cheers,
/Tobias


0 Likes

#17

> Hi Dave,
>
> A WAMP-BA method would be extremely useful. As has been described, the
> 'password' is not 'put on the wire' from Autobahn's point of view when a
> challenge is made with WAMP-CRA. However, you need to fetch the actual
> password to create the challenge for WAMP-CRA, so it is put on some
> wire, somewhere, and it is stored somewhere. If there was a WAMP-BA

No. WAMP-CRA does _not_ require you to store the password in cleartext. Use salting.

> then you wouldn't need to store the plain text password service side

As said, this isn't required.

> (like for unix password the salted result of a one way encryption is
> stored).
>
> Anyway, I wanted to chime in with a +1 for WAMP-BA!

WAMP-BA is inherently less secure than WAMP-CRA. It transmits passwords over the wire: either in clear text or salted.

···

On 29.11.2014 at 20:49, Greg Fausak wrote:

0 Likes
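
The salted WAMP-CRA exchange discussed in the post above, in which the server keeps only a salt and a PBKDF2-derived key and the client signs a fresh challenge with HMAC-SHA256. This is an added standard-library example, not code from the thread, Autobahn or Crossbar.io; the function names, record layout, iteration count and sample credential are assumptions.

```python
import base64
import hashlib
import hmac
import json
import os


def derive_key(password, salt, iterations, keylen):
    """Salted key: base64(PBKDF2-HMAC-SHA256(password, salt))."""
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(),
                              iterations, keylen)
    return base64.b64encode(raw)


def sign(key, challenge):
    """Signature over the challenge string: base64(HMAC-SHA256(key, challenge))."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def enroll(password, iterations=100_000, keylen=32):
    """Server-side record: salt, parameters and derived key, no password."""
    salt = base64.b64encode(os.urandom(16)).decode()
    return {"salt": salt, "iterations": iterations, "keylen": keylen,
            "key": derive_key(password, salt, iterations, keylen)}


def make_challenge(authid, record):
    """CHALLENGE extra: a fresh nonce plus the parameters the client needs."""
    nonce = base64.b64encode(os.urandom(16)).decode()
    return {"challenge": json.dumps({"authid": authid, "nonce": nonce}),
            "salt": record["salt"], "iterations": record["iterations"],
            "keylen": record["keylen"]}


def client_response(password, extra):
    """Client derives the same key from its password and signs the challenge."""
    key = derive_key(password, extra["salt"], extra["iterations"], extra["keylen"])
    return sign(key, extra["challenge"])


def server_verify(record, extra, signature):
    """Constant-time comparison against the signature the stored key produces.
    The stored key is what signs, so the credential store still needs protecting."""
    return hmac.compare_digest(sign(record["key"], extra["challenge"]), signature)


if __name__ == "__main__":
    rec = enroll("constructed-password")  # constructed sample credential
    extra = make_challenge("dave", rec)
    print(server_verify(rec, extra, client_response("constructed-password", extra)))
```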

#18

Thanks!

I completely missed that!

-g

···

On Sunday, November 30, 2014 9:31:47 AM UTC-6, Tobias Oberstein wrote:


0 Likes

#19

Hi guys,

Sorry, but just to ask / be clear about my previous question - and Tobias I do understand/share your concerns, which is why TLS is definitely involved - could/will there be WAMP-BA/ticket-style auth implemented in Crossbar.io? Could the scheme used in the basic router be migrated over, perhaps? I like how that ticket-style auth maps to roles like WAMP-CRA does, for example. I could try forking the code and implementing WAMP-BA, but I’d obviously be in at least slightly uncharted waters, involve touching all the Autobahn clients (right?), etc.

Otherwise, is cookie-based auth implemented in Crossbar.io, and are there any examples (client and server-side code)? If not, will there be? I think I could use this, but without an example/docs, I’m not 100% sure.

I do understand the points/benefits about WAMP-CRA, but in my use case it sounds like if I use WAMP-CRA, I’d have to maintain account info in two places. (The OS/PAM mechanism needs to remain because other existing processes in the device need to interact with the device web component, and it’s easier to synch some of that via accounts on the system.)

Thanks,

Dave

···

On Sunday, November 30, 2014 11:49:40 AM UTC-5, Greg Fausak wrote:


0 Likes

#20

I tried adding SSL/TLS/WSS support to a Trollius-based Autobahn websocket client, and ran into a wall while trying to get it to verify a certificate with a custom authority. It looks like Trollius’s backport of SSLContext doesn’t validate certificates at all, which makes it pretty useless.

I think Twisted should be strongly recommended for users who want SSL support in Python 2.

···

On Saturday, November 22, 2014 4:24:43 PM UTC-6, Tobias Oberstein wrote:


0 Likes
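
For comparison with the failure described in the post above, a Python 3 asyncio client context that trusts only a private CA, plus a guard that refuses any context which would skip certificate or hostname validation. This is an added example, not code from the thread or from Autobahn; `build_client_context`, `require_verification`, `connect_wss` and the `protocol_factory` argument are hypothetical names.

```python
import asyncio
import ssl


def build_client_context(ca_file=None):
    """Client context for server authentication.

    When ca_file (a PEM bundle) is given, only that CA is trusted and the
    system trust store is not loaded.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def require_verification(ctx):
    """Raise if the context would accept an unverified or mismatched certificate."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("verify_mode is not CERT_REQUIRED")
    if not ctx.check_hostname:
        problems.append("check_hostname is disabled")
    if problems:
        raise ValueError("refusing non-validating TLS context: " + "; ".join(problems))
    return ctx


async def connect_wss(protocol_factory, host, port, ca_file=None):
    """Open a TLS connection for a WebSocket client protocol.

    protocol_factory is whatever callable builds the protocol instance
    (assumption: for Autobahn this would be its asyncio client factory).
    """
    ctx = require_verification(build_client_context(ca_file))
    loop = asyncio.get_running_loop()
    # server_hostname is the name checked against the certificate
    return await loop.create_connection(
        protocol_factory, host, port, ssl=ctx, server_hostname=host)
```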