Link-specific auth
Describe the feature
Background and discussion in its entirety can be found in the discord channel: https://discord.com/channels/914168414178779197/1143517331339874354
Hi! Trying to wrap my head around how the auth feature works/should work in a specific setup:
Router A <-------------> Router B

Router A is configured with transport/auth/usrpwd/dictionary_file:path pointing to a text file with a single line (let's say user:password). Router B is configured with transport/auth/usrpwd/user:user and transport/auth/usrpwd/password:password and a connection endpoint specifying Router A.
This works fine and Router B successfully connects to Router A.
Then, I want to add a client in the mix.
Router A <-------------> Router B <-----------> Client
Router A and Router B are configured as per above. Router B and the Client find each other successfully through scouting, but:

If the client is configured without transport/auth/usrpwd/user:user and transport/auth/usrpwd/password:password, it fails to connect to Router B with logs in Router B saying "Received InitSyn with no UsrPwd attachment on link: tcp/[::]:7447"

If the client is configured with transport/auth/usrpwd/user:user and transport/auth/usrpwd/password:password, it fails to connect to Router B with logs in Router B saying "Received OpenSyn with invalid user on link: tcp/[::]:7447"
I am a bit puzzled here 🙂 I was kind of expecting the Client to be able to connect to Router B without needing credentials and that Router B would act as a single-point "gateway" to Router A. Are my expectations wrong? How should the client be configured to allow connection to Router B?
Following up a bit on this:
The same behavior can be observed regardless of running the third part in the 2nd example above in "client" or "peer" mode. The only way I could make this work was to add the same dictionary_file configuration to Router B as is already configured for Router A and connect using those credentials from the Client to Router B.
This makes me believe that it is not possible to require authentication only for a single "leg" of a zenoh infrastructure. Effectively, by introducing an authentication requirement for one "leg", all other "legs" must also be configured for authentication. Is this correct?
I think it would be beneficial to be able to require authentication on specific links only.
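The only configuration the report found to work (Router B carrying the same dictionary_file as Router A, and the Client presenting those credentials), written out as an added example that is not part of the original issue. The JSON5 nesting of the usrpwd keys follows the key paths quoted above; the file paths, hostnames and the credential values are assumptions.

```json5
// Router A: verifies every incoming link against the dictionary file.
// Assumed path: /etc/zenoh/router-a.json5
{
  mode: "router",
  listen: { endpoints: ["tcp/0.0.0.0:7447"] },
  transport: {
    auth: {
      usrpwd: {
        // Constructed file containing the single line "user:password".
        dictionary_file: "/etc/zenoh/credentials.txt",
      },
    },
  },
}

// Router B: presents credentials to Router A AND, as the workaround
// described in the report, verifies the Client with the same dictionary.
// Assumed path: /etc/zenoh/router-b.json5
{
  mode: "router",
  listen: { endpoints: ["tcp/0.0.0.0:7447"] },
  connect: { endpoints: ["tcp/router-a.example.internal:7447"] },
  transport: {
    auth: {
      usrpwd: {
        user: "user",
        password: "password",
        // Without this line the Client's OpenSyn is rejected by Router B.
        dictionary_file: "/etc/zenoh/credentials.txt",
      },
    },
  },
}

// Client: must present the same credentials to Router B.
// Assumed path: /etc/zenoh/client.json5
{
  mode: "client",
  transport: {
    auth: {
      usrpwd: {
        user: "user",
        password: "password",
      },
    },
  },
}
```

Each node gets its own file; the three are shown together here only so the repeated credential requirement on every leg is visible at a glance.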