Experimental Physics and Industrial Control System
Correct. This is the right way to achieve this behavior.
Background:
In Channel Access, user and host credentials are checked once, when the
connection is made.
The Gateway acts as a proxy: it does not create a new connection when an
outside client connects, but fans out the monitor updates from the IOC
to its outside clients. The IOC just sees one connection: from the
Gateway, with the Gateway's user and host.
That is why any access security based on the credentials of the outside
clients must be done in the Gateway. The Access Security mechanism and
its configuration are the same as on the IOC, but the regular
expressions in the Gateway's PV list make assigning ASGs to PVs usually
easier than on the IOC, as you don't have to repeat the ASG for every
record instance.
Cheers,
Ralph
On Wed 24 Mar 2010 12:50:58 Martin L. Smith wrote:
Hi Carl,
I do this kind of thing extensively and quite routinely.
The user name making the request to the GW does not get passed through to the other subnet. Instead the user that started the PV gateway process I believe is the one that the IOC sees. I use a second layer of Access Security in the GW to access PVs in the IOC.
In my gateway.starter file I have included in the command to start the GW "-gid 55 -uid 265 -server &". This I believe will start the GW under the given gid and uid, which is what the IOC sees I think... at least in my case. Then you need to allow users (UAG) from the requesting subnet write access to the ASG in the IOC... at least this is how I do it.
Then in the IOC you must specifically allow write access from the GW uid in your access security file.
I can send you an example if you would like.
Regards,
Marty
Carl Schumann wrote:
Hi,
We have an IOC that only permits writes from a subset of users. The
IOC implements this security using UAG security and it works as
expected for applications running on the IOC's subnet.
Applications that are not on that IOC's subnet must access it through
a gateway. These off-the-subnet applications cannot make any
settings, even for users that are in the permitted subset. This has
also been verified using cainfo.
Does the username of the user running the application make it through
the gateway to the IOC? Our guess is no, because the gateway
permissions are wide open and writes to other IOCs without UAG
security work fine. How should this kind of issue be handled? I
know there is a -uid command line option, but a single uid will be
correct for all users.
Thanks,
Carl Schumann
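Putting Ralph's and Marty's answers above into concrete configuration, as an added example that is not part of the original thread: the file names follow the gateway's defaults, the user, host and PV names are placeholders, and the uid/gid values are the ones from Marty's start line. Each section below is a separate file.

```text
# --- GATEWAY.pvlist (read by the gateway, -pvlist option) ---
# One regular expression per line assigns an ASG to every matching PV,
# so a whole subsystem gets its ASG here instead of per record on the IOC.
# Lines without an ASG fall into ASG DEFAULT.
.*           ALLOW
CRYO:.*      ALLOW  OPERATORS

# --- GATEWAY.access (read by the gateway, -access option) ---
# Same syntax as the IOC access security file. This is where the
# outside clients' user and host names are actually checked.
# ctrl_users / ctrl_hosts and their members are placeholders.
UAG(ctrl_users) { carl, marty }
HAG(ctrl_hosts) { ctrlws01, ctrlws02 }

ASG(DEFAULT) {
    RULE(1, READ)
}
ASG(OPERATORS) {
    RULE(1, READ)
    RULE(1, WRITE) {
        UAG(ctrl_users)
        HAG(ctrl_hosts)
    }
}

# --- gateway.starter: the start line, as in Marty's reply ---
# The IOC sees all gateway clients as this uid/gid on the gateway host.
gateway -pvlist GATEWAY.pvlist -access GATEWAY.access -uid 265 -gid 55 -server &

# --- IOC side: the IOC's own access security file ---
# The IOC only has to trust the gateway's identity; the outside user
# names never reach it, so the gateway rules above are the per-user check.
# gwuser is the user name uid 265 resolves to on the gateway host,
# gwhost is the gateway's host name (both placeholders).
UAG(gw_users) { gwuser }
HAG(gw_hosts) { gwhost }
ASG(GWWRITE) {
    RULE(1, READ)
    RULE(1, WRITE) {
        UAG(gw_users)
        HAG(gw_hosts)
    }
}
```

Because the IOC grants write access to the gateway's identity as a whole, any weakening of the gateway's access file directly widens who can write to the IOC, so the gateway's UAG/HAG rules deserve the same review as the IOC's.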