auth¶
Module: auth
¶
Utilities for ZAP authentication.
To run authentication in a background thread, see zmq.auth.thread
.
For integration with the tornado eventloop, see zmq.auth.ioloop
.
For integration with the asyncio event loop, see zmq.auth.asyncio
.
New in version 14.1.
Authenticator
¶
-
class
zmq.auth.
Authenticator
(context=None, encoding='utf-8', log=None)¶ Implementation of ZAP authentication for zmq connections.
Note:
- libzmq provides four levels of security: default NULL (which the Authenticator does not see), and authenticated NULL, PLAIN, CURVE, and GSSAPI, which the Authenticator can see.
- until you add policies, all incoming NULL connections are allowed. (classic ZeroMQ behavior), and all PLAIN and CURVE connections are denied.
- GSSAPI requires no configuration.
-
allow
(*addresses)¶ Allow (whitelist) IP address(es).
Connections from addresses not in the whitelist will be rejected.
- For NULL, all clients from this address will be accepted.
- For real auth setups, they will be allowed to continue with authentication.
whitelist is mutually exclusive with blacklist.
-
configure_curve
(domain='*', location=None)¶ Configure CURVE authentication for a given domain.
CURVE authentication uses a directory that holds all public client certificates, i.e. their public keys.
To cover all domains, use “*”.
You can add and remove certificates in that directory at any time.
To allow all client keys without checking, specify CURVE_ALLOW_ANY for the location.
-
configure_gssapi
(domain='*', location=None)¶ Configure GSSAPI authentication
Currently this is a no-op because there is nothing to configure with GSSAPI.
-
configure_plain
(domain='*', passwords=None)¶ Configure PLAIN authentication for a given domain.
PLAIN authentication uses a plain-text password file. To cover all domains, use “*”. You can modify the password file at any time; it is reloaded automatically.
-
curve_user_id
(client_public_key)¶ Return the User-Id corresponding to a CURVE client’s public key
Default implementation uses the z85-encoding of the public key.
Override to define a custom mapping of public key : user-id
This is only called on successful authentication.
Parameters: client_public_key (bytes) – The client public key used for the given message Returns: user_id – The user ID as text Return type: unicode
-
deny
(*addresses)¶ Deny (blacklist) IP address(es).
Addresses not in the blacklist will be allowed to continue with authentication.
Blacklist is mutually exclusive with whitelist.
-
handle_zap_message
(msg)¶ Perform ZAP authentication
-
start
()¶ Create and bind the ZAP socket
-
stop
()¶ Close the ZAP socket
Functions¶
-
zmq.auth.
create_certificates
(key_dir, name, metadata=None)¶ Create zmq certificates.
Returns the file paths to the public and secret certificate files.
-
zmq.auth.
load_certificate
(filename)¶ Load public and secret key from a zmq certificate.
Returns (public_key, secret_key)
If the certificate file only contains the public key, secret_key will be None.
If there is no public key found in the file, ValueError will be raised.
-
zmq.auth.
load_certificates
(directory='.')¶ Load public keys from all certificates in a directory