Argonne National Laboratory

Experimental Physics and
Industrial Control System

1994  1995  1996  1997  1998  1999  2000  2001  2002  2003  2004  2005  2006  2007  2008  2009  2010  2011  2012  2013  2014  2015  2016  2017  <20182019  2020  Index 1994  1995  1996  1997  1998  1999  2000  2001  2002  2003  2004  2005  2006  2007  2008  2009  2010  2011  2012  2013  2014  2015  2016  2017  <20182019  2020 
<== Date ==> <== Thread ==>

Subject: Re: Other Access Security implementations?
From: Miroslav Pavleski <miroslav.pavleski@cosylab.com>
To: EPICS Tech Talk <tech-talk@aps.anl.gov>
Date: Tue, 13 Feb 2018 15:22:38 +0100
Hi Ralph

Something like that was tried at ESS in the scope of the RBAC development. The IOC would receive the hostname/user and verify the access based on some configuration on a central server. Eventually we gave up on that idea for a few reasons: - IOCs would need to have access to a central server, which is likely to be out of their reach (different subnets, maybe even physically separate network, firewalls etc.)
- We didn’t want to mess up with the access security module too much
- We didn’t want to check for permissions on the fly, because that would be an additional overhead every time someone makes a caget. In the end it was decided that the central services will provide mechanisms to configure the permissions and store that information locally (into a database). There is a generator which is used to generate the .asf files from the database for some input parameters. When an IOC is deployed, the deploy mechanism asks the service to generate the asf file and deploys it together with the rest of the IOC code/db. I don’t know how far ESS came with the IOC deploy, but the permission configuration tool and .asf generator work.

Please take into account that when designing the ESS RBAC design goal was to prevent accidental PV writes by less-qualified staff, not to prevent malicious adversaries on the network.

With Regards,
Miroslav


On 2/13/2018 9:36 AM, Ralph Lange wrote:
Dear all,

Has anyone ever replaced the existing file-based Access Security configuration with an implementation that goes to a server, either to read the complete configuration, or to check user/group/host whenever a client connects?

Thanks,
~Ralph



References:
Other Access Security implementations? Ralph Lange

Navigate by Date:
Prev: Specs EBE-4 EPICS interface gary.yendell
Next: Re: NSLS-II Debian Repository in 2018 J. Lewis Muir
Index: 1994  1995  1996  1997  1998  1999  2000  2001  2002  2003  2004  2005  2006  2007  2008  2009  2010  2011  2012  2013  2014  2015  2016  2017  <20182019  2020 
Navigate by Thread:
Prev: Other Access Security implementations? Ralph Lange
Next: Re: Other Access Security implementations? Konrad, Martin
Index: 1994  1995  1996  1997  1998  1999  2000  2001  2002  2003  2004  2005  2006  2007  2008  2009  2010  2011  2012  2013  2014  2015  2016  2017  <20182019  2020 
ANJ, 15 Feb 2018 Valid HTML 4.01! · Home · News · About · Base · Modules · Extensions · Distributions · Download ·
· Search · EPICS V4 · IRMIS · Talk · Bugs · Documents · Links · Licensing ·