Stream Access Control

This article describes how to achieve per stream access control with Wrench. This allows you to set up arbitrary rules in your system which define which user or group of users is allowed to access which stream or group of streams.

This article assumes that you are familiar with the basics of Wrench installation and elementary setup. If not, then please check out this introductory article first and study the basics of how Wrench works.

So, if you have a basic Wrench setup, like the simple authentication example on GitHub, you are basically able to identify your stream players only.

The wrench.connect.authorization.sql is one of the most powerful client lifecycle SQL hook that Wrench offers. This is an arbitrary query that you can define in your Application.xml file and you can utilize all the information that is returned by the token resolver query (wrench.token.resolver.sql), i.e. the username (:username), the name of the stream that the user wants to play (:stream), and a flag that tells you if the user is trying to push a stream or play one (:encoder).

How to construct the authorization query?

Simplest full permission matrix case

The simplest use-case is that you have a table like this:

1 john live_football 1
2 john live_basketball 0
3 peter live_football 1
4 john live_basketball 1

Assuming the above table (wtb_stream_permission), you can put in a query like this:

SELECT ID FROM wtb_stream_permission WHERE USER = :username and STREAM = :stream and ALLOWED = 1

In this case your system is responsible for filling in this table and maintaining the stream permission matrix.

Group based control

If you have many users that have the same access pattern, you can define user groups, like football_fans, all_fans and use an extra table to define group membership and reduce the permission matrix to groups.

wtb_group_permission table:

1 football_fans live_football 1
2 football_fans live_basketball 0
3 all_fans live_football 1
4 all_fans live_basketball 1

wtb_group_membership table:

1 john football_fans
2 luke football_fans
3 peter all_fans

The related SQL query:

SELECT * FROM wtb_group_permission gp JOIN wtb_group_membership memb ON gp.GROUP = memb.GROUP and memb.USER = :username and gp.STREAM = :stream AND gp.ALLOWED = 1

This is obviously only the beginning of the story, if you have a complex system, you can go further and construct your own authorization query that takes into account any special circumstances you have, like banned users, inactive accounts, credit balance of the user, etc.