auth.ioloop#

Module: auth.ioloop#

ZAP Authenticator integrated with the tornado IOLoop.

New in version 14.1.

IOLoopAuthenticator#

class zmq.auth.ioloop.IOLoopAuthenticator(context: Optional[zmq.sugar.context.Context] = None, encoding: str = 'utf-8', log: Optional[Any] = None, io_loop: Optional[tornado.ioloop.IOLoop] = None)#

ZAP authentication for use in the tornado IOLoop

allow(*addresses: str) None#

Allow (whitelist) IP address(es).

Connections from addresses not in the whitelist will be rejected.

  • For NULL, all clients from this address will be accepted.

  • For real auth setups, they will be allowed to continue with authentication.

whitelist is mutually exclusive with blacklist.

allow_any: bool#
blacklist: Set[str]#
certs: Dict[str, Dict[bytes, Any]]#
configure_curve(domain: str = '*', location: Union[str, os.PathLike] = '.') None#

Configure CURVE authentication for a given domain.

CURVE authentication uses a directory that holds all public client certificates, i.e. their public keys.

To cover all domains, use “*”.

You can add and remove certificates in that directory at any time. configure_curve must be called every time certificates are added or removed, in order to update the Authenticator’s state

To allow all client keys without checking, specify CURVE_ALLOW_ANY for the location.

configure_curve_callback(domain: str = '*', credentials_provider: Optional[Any] = None) None#

Configure CURVE authentication for a given domain.

CURVE authentication using a callback function validating the client public key according to a custom mechanism, e.g. checking the key against records in a db. credentials_provider is an object of a class which implements a callback method accepting two parameters (domain and key), e.g.:

class CredentialsProvider(object):

    def __init__(self):
        ...e.g. db connection

    def callback(self, domain, key):
        valid = ...lookup key and/or domain in db
        if valid:
            logging.info('Authorizing: {0}, {1}'.format(domain, key))
            return True
        else:
            logging.warning('NOT Authorizing: {0}, {1}'.format(domain, key))
            return False

To cover all domains, use “*”.

To allow all client keys without checking, specify CURVE_ALLOW_ANY for the location.

configure_gssapi(domain: str = '*', location: Optional[str] = None) None#

Configure GSSAPI authentication

Currently this is a no-op because there is nothing to configure with GSSAPI.

configure_plain(domain: str = '*', passwords: Optional[Dict[str, str]] = None) None#

Configure PLAIN authentication for a given domain.

PLAIN authentication uses a plain-text password file. To cover all domains, use “*”. You can modify the password file at any time; it is reloaded automatically.

context: zmq.Context#
credentials_providers: Dict[str, Any]#
curve_user_id(client_public_key: bytes) str#

Return the User-Id corresponding to a CURVE client’s public key

Default implementation uses the z85-encoding of the public key.

Override to define a custom mapping of public key : user-id

This is only called on successful authentication.

Parameters

client_public_key (bytes) – The client public key used for the given message

Returns

user_id – The user ID as text

Return type

unicode

deny(*addresses: str) None#

Deny (blacklist) IP address(es).

Addresses not in the blacklist will be allowed to continue with authentication.

Blacklist is mutually exclusive with whitelist.

encoding: str#
handle_zap_message(msg: List[bytes])#

Perform ZAP authentication

io_loop: tornado.ioloop.IOLoop#
log: Any#
passwords: Dict[str, Dict[str, str]]#
start() None#

Start ZAP authentication

stop()#

Stop ZAP authentication

whitelist: Set[str]#
zap_socket: zmq.Socket#
zap_stream: zmq.eventloop.zmqstream.ZMQStream#