EPICS Re: Allowing localhost in access control files

Experimental Physics and Industrial Control System

1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 <2022> 2023 2024 2025	Index	1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 <2022> 2023 2024 2025
<== Date ==>		<== Thread ==>

1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 <2022> 2023 2024 2025

Index

1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 <2022> 2023 2024 2025

<== Date ==>

<== Thread ==>

Subject:

Re: Allowing localhost in access control files

From:

Ralph Lange via Tech-talk <tech-talk at aps.anl.gov>

To:

EPICS Tech Talk <tech-talk at aps.anl.gov>

Date:

Mon, 13 Jun 2022 17:13:07 +0200

On Mon, 13 Jun 2022 at 15:27, Simon Rose via Tech-talk <tech-talk at aps.anl.gov> wrote:

Is it possible to set up an access security file to allow only CA/PVA requests from the same host as the IOC? One option of course is to use asSetSubstitutions and some variable, but it seems like there should be a more intrinsic way of doing this.

I have attempted using the name “localhost”, asCheckClientIP set to 1, even using 127.0.0.1 as a member of the host access group, but none of these seemed to work.

My two main questions:

Is there a better or more canonical way of doing this?
Perhaps more importantly--particularly if we have to use environment variables and substitutions--is there some danger or pitfall about this that we should be careful about?

Actually...

If the only aim is to restrict access to clients on the local machine (e.g. for test environments to not affect other hosts), I would bind the IOC's server to localhost and not use AS.

Cheers,
~Ralph