Messages from clients can be allowed or denied using the trapperkeeper-authorization subsystem.
Messages from controller out-bound connections are authorized via a controller-allowlist
configuration option. See configuration for details.
PCP Message are mapped into ring requests, on the /pcp-broker/send
As a worked example, the envelope of a message used by the ping application would look something like this:
{:id "3790c4a2-dd71-41bf-bd6d-573779b38657"
:sender "pcp://"
:targets [ "pcp://" ]
:message_type ""}
This would be transformed into the following ring request:
{:request-method :post
:remote-addr ""
:uri "/pcp-broker/send"
:ssl-client-cert (X509-certificate-for "")
:form-params {}
:query-params {"message_type" ""
"sender" "pcp://"
"targets" "pcp://"
"destination_report" false}
:params {"message_type" ""
"sender" "pcp://"
"targets" "pcp://"
"destination_report" false}}
And then this can be matched by trapperkeeper-authorization with the following authorization.conf
# authorization.conf
authorization: {
version: 1
rules: [
name: "pxp command message"
match-request: {
type: path
path: "/pcp-broker/send"
query-params: {
message_type: [
allow: [
sort-order: 400
name: "pcp message"
match-request: {
type: path
path: "/pcp-broker/send"
allow-unauthenticated: true
sort-order: 420
For further notes on how to configure trapperkeeper-authorization see
Rejecting session association is one way of blocking nodes that have previously acquired a valid SSL certificate - or have those certificates for other purposes - from participating in PCP activity.
Session association requests can be matched by trapperkeeper-authorization with the following
# authorization.conf
authorization: {
version: 1
rules: [
name: "deny pcp association"
match-request: {
type: path
path: "/pcp-broker/send"
query-params: {
message_type: [
deny: [
sort-order: 400
name: "pcp message"
match-request: {
type: path
path: "/pcp-broker/send"
allow-unauthenticated: true
sort-order: 420
Not all nodes need or should have access to the full inventory of nodes connected to a PCP broker. Inventory requests are one way of acquiring that information; another functionally equivalent way to discover all connected nodes is a message using a wildcard to specify the target that requests a destination report.
Both types of requests can be matched by trapperkeeper-authorization with the following
# authorization.conf
authorization: {
version: 1
rules: [
name: "restrict pcp inventory"
match-request: {
type: path
path: "/pcp-broker/send"
query-params: {
message_type: [
allow: [
sort-order: 400
names: "restrict pcp multi-cast destination_report"
match-request: {
type: path
path: "/pcp-broker/send"
query-params: {
targets: [
destination_report: true
allow: [
sort-order: 400
name: "pcp message"
match-request: {
type: path
path: "/pcp-broker/send"
allow-unauthenticated: true
sort-order: 420