Unable to read from tag provider when Tag Read Permissions configured on provider

IgnitionModuleDevelopmentCommunity / IgnitionNode-RED

Adds support for Node-RED

Apache License 2.0

30 stars 7 forks source link

Unable to read from tag provider when Tag Read Permissions configured on provider #41

Closed TacknoC closed 2 months ago

TacknoC commented 2 months ago

While attempting to read data from a (Edge) tag provider which has Tag Read/Write Permissions configured, I receive the following error message from the debug output:

JSON error: SyntaxError: Unexpected token < in JSON at position 0

Regarding the ambiguous JSON error: Perhaps displaying the 'responseString' in the event of an exception on JSON.parse(responseString) would aide in troubleshooting the error received?

Regarding the tag provider permissions:

Is it reasonable / possible to add an impersonation role to the Ignition module for each Node API Token config? If so, it would add the ability to select which tags (and providers) the Node-RED interface would have access to, both read & write.
If not, perhaps 'SecurityContext.systemContext())' would be a workaround?

iatraviscox commented 2 months ago

Do you have any errors in Ignition logs?

TacknoC commented 2 months ago

I realized I didn't have the latest module versions installed* on the problem gateway. After updating to the latest Node-RED versions...

On a development Ignition gateway, and with NO read / write permissions on a tag provider (DEV), when I browse the [DEV]/ tag path, I receive a good response, and Ignition logs reports:

Browsing [DEV]

When I add 'Authenticated' to Tag Read & Tag Write permissions of the [DEV] realtime provider (then, for good measure, restart Ignition), and attempt another tag browse (no change in Node RED config), I receive the following in the debug output of the browse node:

"Error executing command: Tag path '[DEV]' doesn't exist"

Additionally, I receive the following in Ignition logs:

Error Executing Command java.lang.Exception: Tag path '[DEV]' doesn't exist

Changing the tag permissions back to None results in successful tag read once more.

iatraviscox commented 2 months ago

Currently, the module uses SecurityContext.emptyContext() for reads, writes and browsing. It is possible to add impersonation roles, zones, security levels to the API token. Is that would you would like to see?

TacknoC commented 2 months ago

I'm unsure if a different solution already exists to this problem (edit: a client accessing tags via a module), or if this solution would work with all IDPs & user sources, etc. For example, selecting a user source and passing credentials might closer resemble OPC UA client access. That thought aside...

Yes. Impersonation security levels, roles, zones would satisfy my meeds for the foreseeable future, and certainly limits the risk that the isSystem flag could expose.

iatraviscox commented 2 months ago

Ok, I added this feature in 1.5.17:

https://github.com/IgnitionModuleDevelopmentCommunity/IgnitionNode-RED/releases/tag/1.5.17

You can configure the security levels, roles, and zones on the API token that will be used to create a security context. If nothing is supplied, an empty context is created (like before).

TacknoC commented 2 months ago

After configuring security roles, I can confirm that this appears to work perfectly! Thank you!!!