EPICS Controls Argonne National Laboratory

Experimental Physics and
Industrial Control System


Subject: Re: What is the best (and simple) way to implement security in a Phoebus solution?
From: Oscar Ibañez via Tech-talk <tech-talk at aps.anl.gov>
To: "J. Lewis Muir" <jlmuir at imca-cat.org>
Cc: tech-talk at aps.anl.gov
Date: Wed, 21 Apr 2021 21:40:04 +0200
Hi Lewis,

Thank you for your interest in helping me.

The problem is this:

We are going to have several users using Phoebus. Different users have different permissions to view and to edit, like any other system. Sometimes a terminal is being used by a low-privileged user, and sometimes it is being used by a high-privileged one, so we need to change from one user to another, BUT the requirement to meet is pretty clear: the change has to be made without logging out from the current computer session. It is not acceptable to log out from the computer session and log in using a different user account. Phoebus has to be a closed ecosystem (please don't ask me why, because that is beyond me). If we could log out from the current computer session and log in using a different account, the problem would be solved, because the OS security system would be responsible for solving this situation.

Another possible scene is when a high-privileged user prefers using a low-privileged account, because he/she only wants to use the high-privileged account when it is strictly necessary.

Finally, a third situation is when a user wants to change something but, first of all, he/she has to confirm the action using a password, because only someone who knows that password may perform that action. In this case the problem is not about different user accounts, but about who knows the password.

At the present day, which of the explained situations will be necessary is unknown. Maybe we are going to use all of them, or maybe only one. I don't know. Anyway, I need to know how to solve them.

These are the reasons why I need to know how to deal with different user accounts inside Phoebus (I want to highlight it because it is very important: inside) and how to manage passwords. In all cases, I need to manage critical data related to security.


Best regards

Óscar




On 21/04/2021 at 16:02, J. Lewis Muir wrote:
> On 04/21, Oscar Ibañez via Tech-talk wrote:
>> Hi everybody again,
>>
>> I have a new doubt about Phoebus. Now it is about security.
>>
>> Is there any recommendable solution to implement username authentication in
>> Phoebus? I mean, some kind of solution to save critical information
>> (password hash?) that, then, will be used to authenticate a user. I have
>> been reading some information about it, but always in the CSS BOY context.
>> The explanations that I have found some... well, over the top. I need
>> something simpler. I don't need Kerberos or something like that.
>>
>> Best regards.
>
> This sounds like the XY problem [1] to me; what problem are you trying
> to solve?
>
> Lewis
>
> [1] https://en.wikipedia.org/wiki/XY_problem
