Subject: Re: Gateways and IOC UAG security: does username to relayed with request?
From: Ralph Lange <[email protected]>
To: "Martin L. Smith" <[email protected]>, Carl Schumann <[email protected]>
Cc: [email protected]
Date: Wed, 24 Mar 2010 13:32:44 -0400
Cheers, Ralph
Hi Carl,
I do this kind of thing extensively and quite routinely.
The user name making the request to the GW does not get passed through to the
other subnet. Instead the user that started the PV gateway process I believe is
the one that the IOC sees. I use a second layer of Access Security in the GW to
access PVs in the IOC.
In my gateway.starter file I have included in the command to start the GW:

    -gid 55 -uid 265 -server &

This, I believe, will start the GW under the given gid and uid, which is what the IOC sees, I think... at least in my case. Then you need to allow users (UAG) from the requesting subnet write access to the ASG in the IOC... at least this is how I do it.
Then in the IOC you must specifically allow write access from the GW uid in your
access security file.
I can send you an example if you would like.
Regards, Marty
Carl Schumann wrote:

Hi,
We have an IOC that only permits writes from a subset of users. The IOC implements this security using UAG security and it works as expected for applications running on the IOC's subnet. Applications that are not on that IOC's subnet must access it through a gateway. These off-the-subnet applications cannot make any settings, even for users that are in the permitted subset. This has also been verified using cainfo.
Does the username of the user running the application make it through the gateway to the IOC? Our guess is no, because the gateway permissions are wide open and writes to other IOCs without UAG security work fine. How should this kind of issue be handled? I know there is a -uid command line option, but a single uid will be correct for all users.
Thanks, Carl Schumann
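The two-layer setup Marty describes, as an added example that is not part of the thread and not code from EPICS base or the CA gateway: a toy evaluator for the UAG/HAG/ASG/RULE subset of the EPICS access security file syntax, run over three constructed files. The IOC file in Carl's situation, the same IOC file with the gateway's own user and host added, and a gateway-side access file (the gateway uses the same ACF format; its PV-list-to-ASG mapping and CALC rule members are left out here). All user names, host names and files are constructed; the example assumes uid 265 resolves to a user called "gwuser" on a gateway host called "cagw01".

```python
"""Toy evaluator for the UAG/HAG/ASG/RULE subset of the EPICS access
security file (ACF).  Added example, not code from the thread or from
EPICS.  Users, hosts and files are constructed; uid 265 is assumed to
resolve to "gwuser" on gateway host "cagw01"."""
import re

# Constructed IOC access file: only operators on the control subnet may write.
IOC_ACF = """
UAG(operators) {carl, marty}
HAG(ctrl_subnet) {ctrl-ws01, ctrl-ws02}
ASG(DEFAULT) {
    RULE(1, READ)
    RULE(1, WRITE) { UAG(operators) HAG(ctrl_subnet) }
}
"""

# Same IOC file with the gateway's process user/host allowed, as Marty describes.
IOC_ACF_WITH_GW = """
UAG(operators)    {carl, marty}
UAG(gateway)      {gwuser}
HAG(ctrl_subnet)  {ctrl-ws01, ctrl-ws02}
HAG(gateway_host) {cagw01}
ASG(DEFAULT) {
    RULE(1, READ)
    RULE(1, WRITE) { UAG(operators) HAG(ctrl_subnet) }
    RULE(1, WRITE) { UAG(gateway)   HAG(gateway_host) }
}
"""

# Constructed gateway access file: the gateway still sees the real client's
# user name, so it is the layer that can enforce the operator list.
GW_ACF = """
UAG(operators) {carl, marty}
ASG(DEFAULT) {
    RULE(1, READ)
    RULE(1, WRITE) { UAG(operators) }
}
"""

GATEWAY_IDENTITY = ("gwuser", "cagw01")  # what the IOC sees for any relayed request
LEVELS = {"NONE": 0, "READ": 1, "WRITE": 2}


class Parser:
    def __init__(self, text):
        text = re.sub(r"#.*", "", text)                     # strip ACF comments
        self.toks, self.i = re.findall(r"[\w.\-]+|[(){},]", text), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.toks[self.i]
        self.i += 1
        if expected is not None and tok != expected:
            raise SyntaxError(f"expected {expected!r}, got {tok!r}")
        return tok

    def items(self, open_, close):
        """Comma-separated identifiers between open_ and close."""
        self.take(open_)
        out = []
        while self.peek() != close:
            out.append(self.take())
            if self.peek() == ",":
                self.take()
        self.take(close)
        return out

    def rule(self):
        level, access = self.items("(", ")")[:2]           # RULE(level, access[, TRAPWRITE])
        rule = {"level": int(level), "access": access, "UAG": [], "HAG": []}
        if self.peek() == "{":                              # optional member list
            self.take("{")
            while self.peek() != "}":
                kind = self.take()
                if kind not in ("UAG", "HAG"):
                    raise SyntaxError(f"unsupported rule member {kind!r}")
                rule[kind].extend(self.items("(", ")"))
            self.take("}")
        return rule


def parse_acf(text):
    """Return (uags, hags, asgs) where asgs maps name -> list of rules."""
    p, uags, hags, asgs = Parser(text), {}, {}, {}
    while p.peek() is not None:
        kw = p.take()
        (name,) = p.items("(", ")")
        if kw == "UAG":
            uags[name] = set(p.items("{", "}"))
        elif kw == "HAG":
            hags[name] = set(p.items("{", "}"))
        elif kw == "ASG":
            p.take("{")
            rules = []
            while p.peek() != "}":
                p.take("RULE")
                rules.append(p.rule())
            p.take("}")
            asgs[name] = rules
        else:
            raise SyntaxError(f"unexpected keyword {kw!r}")
    return uags, hags, asgs


def access(acf, asg, user, host, field_asl=0):
    """Highest access granted to (user, host) on a field of the given ASL.
    A RULE applies when its level covers the field's ASL and the client is in
    at least one listed UAG (if any are listed) and one listed HAG (if any)."""
    uags, hags, asgs = acf
    granted = "NONE"
    for r in asgs.get(asg, asgs.get("DEFAULT", [])):
        if r["level"] < field_asl:
            continue
        in_uag = not r["UAG"] or any(user in uags.get(g, ()) for g in r["UAG"])
        in_hag = not r["HAG"] or any(host in hags.get(g, ()) for g in r["HAG"])
        if in_uag and in_hag and LEVELS[r["access"]] > LEVELS[granted]:
            granted = r["access"]
    return granted


def ioc_write_allowed(ioc_acf, user, host, via_gateway):
    """The IOC's decision alone.  Behind the gateway it only ever sees the
    gateway process's identity (the -uid it was started with), not the user's."""
    seen = GATEWAY_IDENTITY if via_gateway else (user, host)
    return access(parse_acf(ioc_acf), "DEFAULT", *seen) == "WRITE"


def relayed_write_allowed(gw_acf, ioc_acf, user, host):
    """Both layers: the gateway checks the real client, the IOC checks the gateway."""
    gw_ok = access(parse_acf(gw_acf), "DEFAULT", user, host) == "WRITE"
    return gw_ok and ioc_write_allowed(ioc_acf, user, host, via_gateway=True)


if __name__ == "__main__":
    print(ioc_write_allowed(IOC_ACF, "carl", "off-ws99", True))               # False: Carl's symptom
    print(ioc_write_allowed(IOC_ACF_WITH_GW, "mallory", "off-ws99", True))    # True: IOC cannot tell
    print(relayed_write_allowed(GW_ACF, IOC_ACF_WITH_GW, "mallory", "off-ws99"))  # False
```

The third print is the caveat worth keeping in mind with this design: once the IOC's ASG trusts the gateway's uid, every put that the gateway forwards arrives with that uid, so the per-user restriction has moved entirely into the gateway's own access file. If that file is left wide open, any client that can reach the gateway can write to the IOC.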