Hi all,
Context:
In web-based applications, users are often authenticated using the organization's credentials (LDAP, SSO, etc.) before
interacting with a shared backend service. Besides the access control from the application itself, the IOC Access
Security rules should also apply per authenticated user, especially to avoid duplication of authorization logic in the
frontend application.
However, when a backend service mediates all EPICS operations, the username seen by Access Security is the backend
The suggested fix is to also enforce the RBAC for the IOCs in the frontend application - which I am trying to avoid, since
the source of credentials of the FE and the AS rules is the same.
The question: with PVA and the "ca" authentication plugin, is there a supported way to propagate the already
authenticated user identity from a frontend or service layer to the IOC, so that AS rules are evaluated correctly per
user?
Suggestions for other perspectives on looking into this are welcome.
Thanks!
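To make the problem concrete, here is an added Access Security (ACF) fragment that is not part of the original post and does not come from the poster's installation. It uses hypothetical names (`svc-backend`, `alice`, `bob`, `web-tier`); the point is that a RULE keyed on a UAG is evaluated against whatever username the IOC receives on the connection, so when a service account mediates every operation the per-user UAGs never match and only the service-account rule decides access.

```text
# Constructed example, not from the original post.
# Per-user groups: what the poster wants AS to evaluate.
UAG(operators)   { "alice", "bob" }
UAG(experts)     { "carol" }

# The backend service account as seen by the IOC when it mediates all
# EPICS operations on behalf of web users.
UAG(backend_svc) { "svc-backend" }
HAG(web_tier)    { "web-tier" }

ASG(DEFAULT) {
    # Level 0: everyone may read.
    RULE(0, READ)
    # Level 1: only operators/experts may write. With a mediating backend
    # the connection carries "svc-backend", so neither UAG matches and
    # the write is denied regardless of who is logged into the web app.
    RULE(1, WRITE) {
        UAG(operators, experts)
    }
}

ASG(critical) {
    RULE(0, READ)
    # Weak workaround: granting the service account write access so the
    # web app "works". This collapses authorization to a single identity,
    # and the frontend must then re-implement the per-user rules itself.
    RULE(1, WRITE) {
        UAG(backend_svc)
        HAG(web_tier)
    }
}
```

Reading the two ASGs side by side shows why the suggested fix ends up duplicating RBAC in the frontend: once `critical` trusts `svc-backend` from `web-tier`, the IOC no longer distinguishes `alice` from `carol`, and any per-user restriction has to live in the application that holds the real identity.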