libp2p / go-libp2p-pubsub

The PubSub implementation for go-libp2p
https://github.com/libp2p/specs/tree/master/pubsub

Authorisation: Any plans? #170

Open ickby opened 5 years ago

ickby commented 5 years ago

It would be highly useful if one would be able to authorize the subscription to and publishing of events. There are some small steps taken in that direction, e.g. here, but this is not fully implemented yet. Are there any plans to do this in the near future?

go-rpc recently received a very simple and powerful authorisation mechanism by providing a function to the rpc server; this could be a good guideline. For pubsub a split would make sense for publish and subscribe.

hsanjuan commented 5 years ago

Pubsub supports signed messages and verification now, so you can just ignore "unauthorized" messages in your subscription (although I think you may still relay them).

Stebalien commented 5 years ago

You can also register a topic validator.

ickby commented 5 years ago

Thanks, both sound like valid ideas.

ickby commented 5 years ago

I played with the validator suggestion. One problem with this is that published messages are still posted to all subscribed nodes. This means it is impossible to build a set of trusted nodes in which messages are privately published, as every untrusted node can simply register the topic and get all messages. You can only prevent receiving messages from untrusted nodes.

Is this kind of trusted node set something you guys want to support, or is this out of scope for the pub-sub implementation?

vyzo commented 5 years ago

I am a little confused by this. If a validator rejects a message, then it will not be published further.

ickby commented 5 years ago

I may get it wrong. But assume I want to publish a message from my node. My validator must return true for my own node for the relevant topic, otherwise I cannot publish anything. This then means that each peer that has registered for that topic, and my node knows about, receives the message, even if I would like to restrict it to a certain set of peers.

vyzo commented 5 years ago

Yes, but they still have to validate the message to accept it. There is no mechanism to limit the peers that receive the message, other than using a different topic.

ickby commented 5 years ago

Thanks for the feedback. I can work around that for my needs, or worst case reimplement the floodsub router with this kind of functionality, it is easy enough to do so.
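
The behaviour discussed in this thread, as an added example that is not part of the original issue and not go-libp2p-pubsub code: a toy flood router in which each node's validator decides only whether an arriving message is delivered and relayed. All type, function and peer names are hypothetical, and the three-node topology is constructed for the illustration.

```go
package main

import "fmt"

// Toy flood router with per-node validators (hypothetical names, not the go-libp2p-pubsub API).
type Msg struct{ From, Data string }

type Node struct {
	ID     string
	Peers  []*Node
	Accept func(Msg) bool // validator: false means drop, neither deliver nor relay
	Inbox  []Msg          // messages delivered locally, own publications included
	seen   map[Msg]bool
}

func newNode(id string, accept func(Msg) bool) *Node {
	return &Node{ID: id, Accept: accept, seen: map[Msg]bool{}}
}

// Publish passes the local validator, then floods; the sender cannot pick recipients.
func (n *Node) Publish(data string) { n.receive(Msg{From: n.ID, Data: data}) }

func (n *Node) receive(m Msg) {
	dup := n.seen[m]
	n.seen[m] = true
	if dup || !n.Accept(m) { // validation happens on arrival, at the receiver
		return
	}
	n.Inbox = append(n.Inbox, m)
	for _, p := range n.Peers {
		p.receive(m)
	}
}

// Scenario builds a constructed topology mallory - alice - bob; alice and bob trust only each other.
func Scenario() (*Node, *Node) {
	onlyTrusted := func(m Msg) bool { return m.From == "alice" || m.From == "bob" }
	alice, bob := newNode("alice", onlyTrusted), newNode("bob", onlyTrusted)
	mallory := newNode("mallory", func(Msg) bool { return true })
	alice.Peers, mallory.Peers, bob.Peers = []*Node{mallory, bob}, []*Node{alice}, []*Node{alice}
	alice.Publish("secret") // reaches bob, and also mallory, who merely subscribed
	mallory.Publish("spam") // dropped by alice's validator, so it is never relayed to bob
	return mallory, bob
}

func main() {
	mallory, bob := Scenario()
	fmt.Println("mallory inbox:", mallory.Inbox, "bob inbox:", bob.Inbox)
}
```

In this model the validator gives integrity of the trusted set's view (bob never sees "spam") but no confidentiality: restricting who can read a message needs a separate topic, as noted above, or encryption of the payload to the intended recipients.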