Closed dschick closed 6 years ago
This is a question about the Access Security (AS) feature of Channel Access, so a more appropriate forum would be writing to the core-talk list. For that reason, I will close the issue as invalid.
However: The Channel Access protocol (which its AS is obviously based on) only sends the user name and the unqualified host name when a client connects. So, the Gateway has no way of making AS use different rules depending on a domain. Also keep in mind that domains are an artificial logical construct layered on top of numerical IP addresses, which depends on the name resolution services (DNS, file based, other services). Using it for AS would create additional dependencies on potentially a lot of services and make AS a lot less robust.
The usual (and suggested) way to handle situations like yours is to run two gateways: one that is only accessible from the lab, and one that is only accessible from the external networks. The latter one can easily be made read-only (even on the command line) without adding additional complexity to AS.
A minor correction to Ralph's description, for the record: The CA client code calls gethostname() to determine what hostname to send; if the client machine returns a FQDN as its hostname, then that's what the CA server and the AS rules will see. Since both the hostname and username strings are completely controlled by the client OS and the CA library running on it, those names should only be trusted and used to determine authorization to the level that all the machines and users with the ability to run software on that subnet are trusted.
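The two-gateway layout Ralph suggests, together with Andrew's point that the HAG entry has to match whatever string the client's gethostname() returns, written out as an added example. This is not code from the thread or from the ca-gateway project; it only writes the access-security files and prints the `gateway` command lines. The addresses (10.0.0.0/24 as the lab network, 10.0.0.1 and 203.0.113.10 as the gateway host's lab-side and external interfaces), the alternative server port 5066, the user `daniel` and the host `labpc1` are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the issue thread or the ca-gateway project): writes
# the access files for a read-only external gateway and a read/write lab
# gateway, and prints the command lines to start them. All addresses, ports,
# user and host names below are assumptions; replace them with your own.
set -e

# Access file for the EXTERNAL gateway. The DEFAULT ASG carries a READ rule
# and nothing else, so no client can write even if -ro were dropped from the
# command line: both layers have to fail before a put gets through.
write_external_access() {
    mkdir -p "$1"
    cat > "$1/external.access" <<'EOF'
ASG(DEFAULT) {
    RULE(1, READ)
}
EOF
}

# Access file for the INTERNAL gateway: reads for everyone, writes only for
# the (user, host) pair below. The HAG entry is compared with the host name
# string the client sends, i.e. what gethostname() returns on that machine,
# so write it here exactly as that machine reports it (short name or FQDN),
# and remember that the client chooses both strings.
write_internal_access() {
    mkdir -p "$1"
    cat > "$1/internal.access" <<'EOF'
UAG(labops)   { daniel }
HAG(labhosts) { labpc1 }
ASG(DEFAULT) {
    RULE(1, READ)
    RULE(1, WRITE) {
        UAG(labops)
        HAG(labhosts)
    }
}
EOF
}

# External gateway: the CA server side listens only on the external interface
# (-sip), the CA client side searches for IOCs on the lab broadcast address
# (-cip), and -ro makes the gateway itself refuse all puts.
external_gateway_cmd() {
    printf 'gateway -sip 203.0.113.10 -cip 10.0.0.255 -ro -access %s/external.access\n' "$1"
}

# Internal gateway: listens only on the lab-side interface, no -ro. Its server
# and client sides share the lab subnet, so it is put on a non-default server
# port (assumed 5066) to keep its client side from discovering its own server.
internal_gateway_cmd() {
    printf 'gateway -sip 10.0.0.1 -sport 5066 -cip 10.0.0.255 -access %s/internal.access\n' "$1"
}

# Usage: sh this_script.sh --demo   (writes ./gw/*.access, prints both commands)
if [ "${1:-}" = "--demo" ]; then
    write_external_access ./gw
    write_internal_access ./gw
    external_gateway_cmd ./gw
    internal_gateway_cmd ./gw
fi
```

Lab clients that should reach the internal gateway then need its port in their EPICS_CA_ADDR_LIST (here 10.0.0.1:5066); a `-pvlist` file can additionally narrow which PV names the external gateway exposes at all, which is the cheaper control when only a subset of the lab's PVs needs to leave the lab.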
Thanks for these detailed responses. I already guessed that it might be a question more related to the AS of CA, but actually the hint of @ralphlange to simply create two gateways would solve my issue.
Hi,
I am running epics with a gateway server in a small lab with an internal network and the gateway server publishing the PVs into an external network as read-only.
Best
Daniel