Hey :-)
It seems like talking about txAMQP+txThrift is all the rage on this mailing list nowadays (and I'm not surprised, it's awesome!), so here's some more :-)

If you don't care about GPS tracking and/or don't know what 'Breadcrumb' is, you might want to skip this paragraph: For people who are waiting on things to happen for Breadcrumb, come visit #breadcrumb on irc.freenode.net. Yes, it's being delayed a lot, but that's because the vast majority of work isn't happening in Breadcrumb itself, but in the Twisted GPS interfaces. Development *is* happening, it's just not happening in the Breadcrumb repositories. Because the existing twisted.protocols.gps provides a terrible API, the new code is being put into Twisted (and the old API is being deprecated). So development hasn't stopped, but it's just Twisted development for now instead of Breadcrumb development ;-)

I'm porting non-asynchronous non-Thrift code to txThrift/txAMQP, and I'm wondering about authentication mechanisms. Previously, I did authentication with pre-shared SSL certificates. This was possible because I connected directly to the servers instead of the message broker in the middle. I can open SSL connections to the RabbitMQ server, and the RabbitMQ server can open SSL connections to my backends (I think) through stunnel. This means that my backends (AMQP consumers) never see SSL/TLSed data that comes from my AMQP producers -- so I can't get their client certs. I think this means I need some form of authentication in the Thrift message itself. Assuming that someone is already doing this, how does yours work?

There are a number of possibilities. I think that having RabbitMQ mess with the message contents would probably be a bad idea (not to mention impossible). Since stunnel is doing the actual heavy lifting, it probably isn't realistic to put information about the client's SSL certificate in the message.

One suggestion by JP Calderone in the #twisted channel on freenode is to use onioning, e.g. encrypt the *Thrift* message with GPG or SSL or whatever and then not care about the AMQP part being unencrypted. I'm not sure how this would work with txThrift, but Twisted's SSL implementation apparently has recently (in the last few days) acquired memory BIO support, so this is _technically_ feasible.

Another suggestion (I'm still not sure how serious it was) was to use Divmod Vertex to do the actual transport up to the AMQP server (or even use Vertex to bypass AMQP entirely), but that doesn't sound like an awesome idea because, unlike AMQP, Divmod Vertex doesn't work with any languages besides Python yet (in fact, it doesn't *reeaaallly* work with Python either). Having Thrift support umpteen languages and having AMQP (language agnostic) is kind of pointless when one step in the chain ties you to Python...

Thanks in advance for your thoughts and insights :-)

Laurens
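
An added example, not part of the original message and not txThrift or txAMQP code: one way to carry producer authentication inside the message body, so the consumer can verify the sender even though TLS ends at the broker. It assumes per-producer pre-shared HMAC keys in place of client certificates, treats the serialized Thrift message as opaque bytes, and every name in it (`seal`, `Verifier`, `tracker-01`, the key) is hypothetical or constructed.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed sample key table: one pre-shared secret per producer (assumption).
PRODUCER_KEYS = {b"tracker-01": b"constructed-demo-secret-0123456789abcdef"}
_HDR = struct.Struct("!B16sQ")  # key-id length, random nonce, unix timestamp
_TAG_LEN = hashlib.sha256().digest_size


def seal(key_id, key, payload, now=None):
    """Producer side: wrap serialized message bytes in an authenticated envelope."""
    ts = int(time.time() if now is None else now)
    head = _HDR.pack(len(key_id), os.urandom(16), ts) + key_id
    tag = hmac.new(key, head + payload, hashlib.sha256).digest()
    return head + tag + payload


class Verifier:
    """Consumer side: authenticate the producer without trusting the broker."""

    def __init__(self, keys, max_skew=300):
        self.keys, self.max_skew, self.seen = keys, max_skew, {}

    def open(self, envelope, now=None):
        now = int(time.time() if now is None else now)
        if len(envelope) < _HDR.size:
            raise ValueError("truncated envelope")
        id_len, nonce, ts = _HDR.unpack_from(envelope)
        body = _HDR.size + id_len
        if len(envelope) < body + _TAG_LEN:
            raise ValueError("truncated envelope")
        key_id = envelope[_HDR.size:body]
        tag, payload = envelope[body:body + _TAG_LEN], envelope[body + _TAG_LEN:]
        key = self.keys.get(key_id)
        if key is None:
            raise ValueError("unknown producer")
        expected = hmac.new(key, envelope[:body] + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            raise ValueError("bad signature")
        if abs(now - ts) > self.max_skew:
            raise ValueError("stale message")
        # Drop nonces that have aged out of the window, then reject repeats.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}
        if (key_id, nonce) in self.seen:
            raise ValueError("replayed message")
        self.seen[(key_id, nonce)] = ts
        return key_id, payload
```

This gives authenticity and replay protection only; the payload is still readable by the broker, so confidentiality would need the encryption layer suggested in the message.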
