Experimental Physics and Industrial Control System

Subject: Re: Other Access Security implementations?
From: Miroslav Pavleski <[email protected]>
To: EPICS Tech Talk <[email protected]>
Date: Tue, 13 Feb 2018 15:22:38 +0100
Hi Ralph,
Something like that was tried at ESS in the scope of the RBAC
development. The IOC would receive the hostname/user and verify the
access based on some configuration on a central server. Eventually we
gave up on that idea for a few reasons:
- IOCs would need to have access to a central server, which is likely to
be out of their reach (different subnets, maybe even physically separate
network, firewalls etc.)
- We didn’t want to mess with the access security module too much
- We didn’t want to check for permissions on the fly, because that would
be an additional overhead every time someone makes a caget.
In the end it was decided that the central services will provide
mechanisms to configure the permissions and store that information
locally (into a database). There is a generator which is used to
generate the .asf files from the database for some input parameters.
When an IOC is deployed, the deploy mechanism asks the service to
generate the .asf file and deploys it together with the rest of the IOC
code/db.
I don’t know how far ESS came with the IOC deploy, but the permission
configuration tool and .asf generator work.
Please take into account that when designing the ESS RBAC, the design
goal was to prevent accidental PV writes by less-qualified staff, not to
prevent malicious adversaries on the network.
With Regards,
Miroslav
On 2/13/2018 9:36 AM, Ralph Lange wrote:
Dear all,
Has anyone ever replaced the existing file-based Access Security
configuration with an implementation that goes to a server, either to
read the complete configuration, or to check user/group/host whenever
a client connects?
Thanks,
~Ralph
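The generator Miroslav describes is not shown in the thread. As an added example, not ESS's code, here is a minimal Python generator that renders a constructed permission configuration (standing in for the central database) into EPICS Access Security file syntax: the DEFAULT group is read-only, and it refuses a WRITE rule that names no UAG/HAG (which would be world-writable), a reference to an undefined UAG/HAG, and names that could inject ASF syntax.

```python
import re

# Constructed sample of what a central permission service might hold; it
# illustrates the idea in the message and is not ESS's real schema.
SAMPLE_CONFIG = {
    "uags": {"ops": ["opuser", "shiftlead"]},
    "hags": {"control_room": ["cr-ws01", "cr-ws02"]},
    "asgs": {  # level = field access security level (0/1), perm = what is granted
        "DEFAULT": [{"level": 0, "perm": "READ"}],
        "RF": [{"level": 0, "perm": "READ"},
               {"level": 1, "perm": "WRITE", "uags": ["ops"], "hags": ["control_room"]}],
    },
}
_NAME = re.compile(r"^[A-Za-z0-9_.:-]+$")

def _name(v):  # plain identifiers only, so a user/host name cannot inject ASF syntax
    if not _NAME.match(str(v)):
        raise ValueError(f"illegal name in access configuration: {v!r}")
    return v

def generate_asf(config):
    """Render a permission configuration as EPICS Access Security (.asf) text."""
    uags, hags, asgs = config["uags"], config["hags"], config["asgs"]
    if "DEFAULT" not in asgs:
        raise ValueError("ASG(DEFAULT) is required; records with no ASG field use it")
    out = [f"UAG({_name(g)}) {{{', '.join(_name(u) for u in us)}}}" for g, us in uags.items()]
    out += [f"HAG({_name(g)}) {{{', '.join(_name(h) for h in hs)}}}" for g, hs in hags.items()]
    for asg, rules in asgs.items():
        out.append(f"ASG({_name(asg)}) {{")
        for rule in rules:
            level, perm = rule["level"], rule["perm"]
            if level not in (0, 1) or perm not in ("NONE", "READ", "WRITE"):
                raise ValueError(f"bad rule in ASG {asg}: {rule!r}")
            refs = [("UAG", n, uags) for n in rule.get("uags", [])]
            refs += [("HAG", n, hags) for n in rule.get("hags", [])]
            # A RULE with no UAG/HAG matches everyone; refuse that for WRITE so a missing
            # row in the database cannot silently make a whole group world-writable.
            if perm == "WRITE" and not refs:
                raise ValueError(f"WRITE rule in ASG {asg} names no UAG or HAG")
            for kind, n, known in refs:
                if n not in known:
                    raise ValueError(f"ASG {asg} references undefined {kind} {n!r}")
            body = "".join(f"\n        {kind}({n})" for kind, n, _ in refs)
            out.append(f"    RULE({level}, {perm})" + (f" {{{body}\n    }}" if body else ""))
        out.append("}")
    return "\n".join(out) + "\n"
```

Writing the returned text to the IOC's `.asf` file at deploy time, as the message describes, keeps the runtime check local to the IOC with no call to the central server.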
ANJ, 15 Feb 2018