The Grant API is not available in the Posix C++ SDK; the REST API should be used instead.
PubNub provides builtin enterprise-grade security with fine-grained access control to all of your PubNub applications with PubNub Access Manager, Message Layer encryption with AES256, and Transport Layer Security with TLS and SSL. Before using this feature it must be enabled in the PubNub Admin Console.
PubNub Access Manager (PAM) extends PubNub's existing security framework by allowing developers to create and enforce secure access to channels throughout the PubNub Real Time Network. PAM provides the ability to enforce security at three different levels and in any combination of:
- Individual User
Access to a resource is granted or denied via the "authorization token" (aka auth key) currently set on the client.
PAM enables the developer to generate an arbitrary value for the auth key using the method of their choice. This makes it possible to integrate a PubNub application with a pre-existing user authentication scheme or Security Authority.
As an example, OAuth and Facebook Connect both provide their own authentication token that could be re-used as a PAM auth key. Alternatively, a user's uuid (taken from a pre-existing DB) could also be re-used (or hashed) and used as the PAM auth key.
Your application would then use PAM grant or revoke functionality to enable or disable access to a particular channel based on the value of the connecting PubNub client's auth key.
The figure below demonstrates the use of a Security Authority leveraging PubNub Access Manager API to administer application privileges and delegate authorization tokens to users:
- Security Authority issues a PAM grant to allow privileges based on a custom authentication token.
- User requests authorization from Security Authority.
- Security Authority delegates auth_key to user.
- User sends credentials to PubNub and subscribes to channel.
- PubNub verifies user privileges and sends waiting messages.
PAM operates via a grant-only (whitelist) permission scheme, where the first grant (rule) found in the hierarchy "wins". Permissions are evaluated for both publish and subscribe based on this hierarchy:
- Subscribe key level - (access for all users on all channels)
- Channel level - (access granted for any user but only one specific channel)
- Channel & authorization key (access granted to specific user(s) on a given channel)
It is important to note that the broader levels override the more granular levels -- this makes sense if you think about it as "the first matching rule wins". For example, privileges granted on an app's Subscribe Key always take precedence over privileges granted on a channel or Authorization Key. Additionally, when Access Manager is first enabled there are no pre-existing permissions granted, so all read (subscribe) and write (publish) attempts to a channel will fail until explicitly granted (implicit whitelist).
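The evaluation order above, modelled in plain C++ as an added illustration (this is not SDK code; `PamRules`, `Perm` and `evaluate` are names chosen here, and the grants are constructed sample data):

```cpp
#include <map>
#include <string>
#include <utility>

struct Perm {
    bool read;   // subscribe
    bool write;  // publish
};

// Grants at the three PAM levels, broadest first.
struct PamRules {
    bool has_subkey_rule = false;
    Perm subkey{false, false};                                        // subscribe key level
    std::map<std::string, Perm> channel;                              // channel level
    std::map<std::pair<std::string, std::string>, Perm> channel_auth; // channel + auth key level
};

// "First matching rule wins", checked from the broadest level down.
// No matching rule at any level means deny (the implicit whitelist).
Perm evaluate(const PamRules& rules, const std::string& channel, const std::string& auth_key) {
    if (rules.has_subkey_rule) return rules.subkey;
    auto c = rules.channel.find(channel);
    if (c != rules.channel.end()) return c->second;
    auto ca = rules.channel_auth.find(std::make_pair(channel, auth_key));
    if (ca != rules.channel_auth.end()) return ca->second;
    return {false, false};
}

// Constructed sample grants: Alice's token may read "chat"; any token may read "lobby".
PamRules sample_rules() {
    PamRules r;
    r.channel_auth[std::make_pair(std::string("chat"), std::string("token-alice"))] = {true, false};
    r.channel["lobby"] = {true, false};
    return r;
}

// Same grants plus a read-only rule at the subscribe key level: the broader rule wins,
// so Alice loses the granular write grant and Bob gains read access he was never granted.
PamRules sample_rules_with_subkey_grant() {
    PamRules r = sample_rules();
    r.channel_auth[std::make_pair(std::string("chat"), std::string("token-alice"))] = {true, true};
    r.has_subkey_rule = true;
    r.subkey = {true, false};
    return r;
}

int main() {
    Perm bob = evaluate(sample_rules(), "chat", "token-bob");
    return bob.read ? 1 : 0; // Bob has no grant on "chat": denied
}
```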
Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) are methods of encrypting messages while in transit across the Internet. Using PubNub TLS/SSL ensures that client messages are protected when being sent to and from the PubNub Real-Time network. This prevents intercepted messages from being viewed by unauthorized parties.
Just enable TLS/SSL at client instance initialization, and the PubNub API takes care of the rest.
With TLS/SSL your data is encrypted as it travels across the Internet, but it must be decrypted (and re-encrypted) as it passes through the PubNub servers and back out again. This is a limitation of TLS/SSL. To ensure the highest level of message integrity, TLS/SSL should be used in combination with PubNub Message Level Encryption with AES to guarantee end-to-end data security.
Using PubNub Access Manager (PAM) requires initializing your instance with the
If your client instance will only be performing PAM "consumer" functions, such as subscribing, history/storage calls, publishing, etc., then you will not need to initialize with the
ONLY if you intend on performing "administrative" PAM functions, such as granting and revoking.
PAM features are not available for Posix C++
Anyone with the
In order for the PAM consumer to operate correctly, an "Administrative" authority (normally a server) must first issue the appropriate permissions for a given PAM channel/auth token combination.
In order to perform these administrative functions, you must initialize with at least your subscribe and secret keys
All PAM operations occur at either:
- a global level (no auth key, and no channel/channel group is defined)
- a channel/channel group level (only a channel/channel group is defined)
- a channel/channel group and key level (where both the channel/channel group and key are defined).
If there is an error performing PAM operations, you may receive a 403 error. If you do, be sure you have set the correct
Right after initialization the auth key is not yet set; its default value is an empty string, which means that the auth key will not be used in any PubNub transaction. You can assign your value for the auth key using the
```cpp
pubnub::context pn("my_pubkey", "my_subkey");
pn.set_auth("my_auth_key");   // every request from now on carries this auth key
```
From this point on, all PubNub operations will make requests using my_auth_key for the auth key. If you'd like to stop using the auth key, just set it to an empty string again.
Enabling TLS/SSL is as easy as setting the
pubnub::useSSL bitmask in a call to
Always set the
```cpp
pubnub::context pn("my_pubkey", "my_subkey");
std::string uuid("myUniqueUUID");
pn.set_uuid(uuid);
// pubnub::useSSL turns TLS on; the two additional flags relax TLS behaviour when a
// secure connection cannot be established (see their names). Pass pubnub::useSSL
// alone if the connection must always be TLS.
pn.set_ssl_options(pubnub::useSSL | pubnub::reduceSecurityOnError | pubnub::ignoreSecureConnectionRequirement);
```
Once in production, it's best practice to enable SSL.