EPICS Home

Experimental Physics and Industrial Control System


 
1994  1995  1996  1997  1998  1999  2000  2001  2002  2003  2004  2005  2006  2007  2008  2009  2010  2011  2012  2013  2014  2015  2016  2017  <20182019  2020  2021  2022  2023  2024  Index 1994  1995  1996  1997  1998  1999  2000  2001  2002  2003  2004  2005  2006  2007  2008  2009  2010  2011  2012  2013  2014  2015  2016  2017  <20182019  2020  2021  2022  2023  2024 
<== Date ==> <== Thread ==>
Subject: Re: Other Access Security implementations?
From: Miroslav Pavleski <[email protected]>
To: EPICS Tech Talk <[email protected]>
Date: Tue, 13 Feb 2018 15:22:38 +0100 
Hi Ralph
Something like that was tried at ESS in the scope of the RBAC development. The IOC would receive the hostname/user and verify the access based on some configuration on a central server. Eventually we gave up on that idea for a few reasons: - IOCs would need to have access to a central server, which is likely to be out of their reach (different subnets, maybe even physically separate network, firewalls etc.) 
- We didn’t want to mess up with the access security module too much
- We didn’t want to check for permissions on the fly, because that would be an additional overhead every time someone makes a caget. In the end it was decided that the central services will provide mechanisms to configure the permissions and store that information locally (into a database). There is a generator which is used to generate the .asf files from the database for some input parameters. When an IOC is deployed, the deploy mechanism asks the service to generate the asf file and deploys it together with the rest of the IOC code/db. I don’t know how far ESS came with the IOC deploy, but the permission configuration tool and .asf generator work.
Please take into account that when designing the ESS RBAC design goal was to prevent accidental PV writes by less-qualified staff, not to prevent malicious adversaries on the network. 

With Regards,
Miroslav


On 2/13/2018 9:36 AM, Ralph Lange wrote:

Dear all,
Has anyone ever replaced the existing file-based Access Security configuration with an implementation that goes to a server, either to read the complete configuration, or to check user/group/host whenever a client connects? 

Thanks,
~Ralph
References:
Other Access Security implementations? Ralph Lange
Navigate by Date:
Prev: Specs EBE-4 EPICS interface gary.yendell
Next: Re: NSLS-II Debian Repository in 2018 J. Lewis Muir
Index: 1994  1995  1996  1997  1998  1999  2000  2001  2002  2003  2004  2005  2006  2007  2008  2009  2010  2011  2012  2013  2014  2015  2016  2017  <20182019  2020  2021  2022  2023  2024 
Navigate by Thread:
Prev: Other Access Security implementations? Ralph Lange
Next: Re: Other Access Security implementations? Konrad, Martin
Index: 1994  1995  1996  1997  1998  1999  2000  2001  2002  2003  2004  2005  2006  2007  2008  2009  2010  2011  2012  2013  2014  2015  2016  2017  <20182019  2020  2021  2022  2023  2024