Zenoh supports basic user-password authentication. Clients and peers can use user and password for authentication against a router or a peer. The configuration of credentials is done via a configuration file defining certain zenoh properties.
The required zenoh properties for basic user-password authentication for a client are user and password. A configuration file for a client would be:
When using such configuration, the client will use the provided user and password to authenticate against any peer or router.
Let’s assume the above configuration is then saved with the name client.conf.
Router or peer configuration
The required zenoh properties for basic user-password authentication for a client are user, password, user_password_dictionary. The user_password_dictionary zenoh property indicates the path of a text file containing the full list of authorized credentials for connections.
A configuration file for a router or peer would be:
user=routerusername password=routerpassword user_password_dictionary=credentials.conf
The authorized credentials text file would hence be:
Each line of the file represents the one signle authorized credential in the form of user:password. The authorized credentials text file can contain any number of lines.
When using such configuration, the router or peer will use the provided user and password to authenticate against any other peer or router. At the same time, it will use the file containing the authorized credentials to authenticate incoming conncetions.
Let’s assume that the above configurations are then saved with the name router.conf and credentials.conf.
Testing the user-password authentication
Let’s assume a scenario with one zenoh router and two clients connected to it: one publisher and one subscriber.
The first thing to do is to run the router passing its configuration, i.e. router.conf:
$ zenohd -c router.conf
Make sure that the path indicated in the user_password_dictionary property points to a valid credentials file.
Then, let’s start the subscriber in client mode passing its configuration, i.e. client.conf:
$ zn_sub --mode='client' -c client.conf
Lastly, let’s start the publisher in client mode passing its configuration, i.e. client.conf:
$ zn_pub --mode='client' -c client.conf
As it can be noticed, the same client.conf is used for zn_sub and zn_put. Both are using the same credentials and are authenticated accordingly by the router. Neverhteless, different configuration files and credentials could be used
Consider to not store clear text password in the configuration files. Before creating the configuration files, an hashing function should be used to hash the password. For example, let’s compute the hash for the client and router passwords:
$ echo clientpassword | sha256sum 92df0d4f39c218607e3200bf93ccac87a80cb910e811d84b286bebe0a8860724 $ echo routerpassword | sha256sum 2ce01a11893f276a4064f586f24b8f1868008e2e623f6c4e74ef381247e49df1
Therefore, the client.conf would become:
And the router.conf file would become:
user=routerusername password=2ce01a11893f276a4064f586f24b8f1868008e2e623f6c4e74ef381247e49df1 user_password_dictionary=credentials.conf
Finally, the credentials.conf file would become: