Argonne National Laboratory

Experimental Physics and
Industrial Control System


Subject: Re: CSS data browser to MySQL connection
From: "Kasemir, Kay via Tech-talk" <tech-talk@aps.anl.gov>
To: "J. Lewis Muir" <jlmuir@imca-cat.org>
Cc: techtalk <tech-talk@aps.anl.gov>
Date: Wed, 10 Oct 2018 13:41:48 +0000

Hi:

Don't worry, just read the complete "Chapter 6. Hierarchical Preferences",
http://cs-studio.sourceforge.net/docbook/ch06.html,
to the end where it talks about "Secure Storage of Passwords".

We prefer to save passwords in an encrypted file.
In many cases, the password for accessing a resource might also be something that the end user doesn't need to know.
For instance, reading archived data can use a password that's "built in" to the CSS installation in the control room.

To install CSS, you enter the password once in the UI,
it's written to an encrypted file in the install location,
and then you make that install location read-only.

So now every user can look at archived data,
they cannot change the password,
they cannot actually see it.

That's the default, but you can set org.csstudio.auth/secure_storage_location=CONFIGURATION_LOCATION if you prefer to store the password in the user's location.
Then you email the password to every potential user so that they can enter it into their preference settings in case they want to look at archived data.
Or you put user/password info for a benign read-only account into the built-in plugin_customization.ini in clear text.

-Kay
________________________________________
From: J. Lewis Muir <jlmuir@imca-cat.org>
Sent: Wednesday, October 10, 2018 9:30 AM
To: Kasemir, Kay
Cc: Vishnu Patel; techtalk
Subject: Re: CSS data browser to MySQL connection

On 10/10, Kasemir, Kay via Tech-talk wrote:
> To avoid the "Cannot write password" error from the UI, check that the
> installation folder is writable.

Hi, Kay!

I haven't been following closely, but are you saying that the directory
where CSS Data Browser is installed needs to be writable?  If so,
that is seriously broken.  The CSS Data Browser should be able to be
installed into a system location, and that location should not be
writable by all users.  Any preferences should be saved to a preferences
location specific to the user that is writable by the user.  But maybe
I'm missing a key part of the discussion?

Lewis
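
An added example, not part of the thread or of CSS itself: a small audit an administrator could run over a shared install to confirm that the "read-only install location" step described above actually holds, and to list any clear-text password keys left in plugin_customization.ini. It assumes POSIX permission bits; the function names and the "password"-in-key heuristic are assumptions made for this sketch, and the sample tree is constructed.

```python
import os
import stat
import tempfile

def cleartext_keys(ini_path):
    """Keys in an Eclipse-style preferences file ("plugin/key=value") that
    look like passwords and have a value. Matching on "password" in the key
    is a heuristic (assumption); the value itself is never returned."""
    keys = []
    with open(ini_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            if "password" in key.lower() and value.strip():
                keys.append(key.strip())
    return keys

def audit_install(root, ini_name="plugin_customization.ini"):
    """Report paths under root that group/other may write, plus clear-text
    password keys in any ini_name file. Returns sorted (kind, detail)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in [None] + files:
            path = dirpath if name is None else os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # symlink mode bits say nothing about the target
            rel = os.path.relpath(path, root)
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(("writable", rel))
            if name == ini_name:
                findings += [("cleartext", f"{rel}:{k}") for k in cleartext_keys(path)]
    return sorted(findings)

if __name__ == "__main__":
    # Constructed sample tree; a real run would pass the CSS install directory.
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o755)
        ini = os.path.join(root, "plugin_customization.ini")
        with open(ini, "w") as fh:
            fh.write("org.example.archive/password=constructed-value\n")
        os.chmod(ini, 0o664)  # group-writable: should be reported
        for kind, detail in audit_install(root):
            print(kind, detail)
```

A clear-text finding is not necessarily a defect: it is the place to confirm that the account really is the benign read-only one the message describes.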
