epics-extensions / ca-gateway

Channel Access PV Gateway
http://www.aps.anl.gov/epics/extensions/gateway/

Access rules based on (sub-)domain #17

Closed dschick closed 6 years ago

dschick commented 6 years ago

Hi,

I am running EPICS with a gateway server in a small lab with an internal network, and the gateway server publishes the PVs into an external network as read-only.

  1. I was wondering if one can write an access rule such that I can allow write access depending on the domain of the hosts? Right now I need to put all the hostnames of the clients manually into the *.access file to allow writing PVs.
  2. I do have a laptop which is sometimes located in the lab (internal network) and sometimes in the office (external network). How can I verify that I have read/write access when the laptop is in the internal lab network and that it has only read access when it is in the external network? I would again realize that with its different domain names ...

Best

Daniel

ralphlange commented 6 years ago

This is a question about the Access Security (AS) feature of Channel Access, so a more appropriate forum would be writing to the core-talk list. For that reason, I will close the issue as invalid.

However: The Channel Access protocol (that its AS is obviously based on) only sends the user name and the unqualified host name when a client connects. So, the Gateway has no way of making AS use different rules depending on a domain. Also keep in mind that domains are an artificial logical construct layered on top of numerical IP addresses, which depends on the name resolution services (DNS, file based, other services). Using it for AS would create additional dependencies on potentially a lot of services and make AS a lot less robust.

The usual (and suggested) way to handle situations like yours is to run two gateways: one that is only accessible from the lab, and one that is only accessible from the external networks. The latter one can easily be made read-only (even on the command line) without adding additional complexity to AS.

anjohnson commented 6 years ago

A minor correction to Ralph's description, for the record: The CA client code calls gethostname() to determine what hostname to send; if the client machine returns a FQDN as its hostname then that's what the CA server and the AS rules will see. Since both the hostname and username strings are completely controlled by the client OS and the CA library running on it, those names should only be trusted and used to determine authorization to the level that all the machines and users with the ability to run software on that subnet are trusted.
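As an added illustration of the two-gateway arrangement Ralph suggests and the hostname caveat Andrew raises (not a file from this issue or from the ca-gateway project), here is a constructed access file for the lab-side gateway only; the user and host names are placeholders, and `-ro` is the gateway's command-line read-only option as I know it:

```text
# lab-gateway.access  (constructed example; names are placeholders)
#
# Loaded only by the INTERNAL gateway (gateway -access lab-gateway.access ...).
# The EXTERNAL gateway is started with -ro, so it serves everything
# read-only and needs no WRITE rule at all; nothing here applies to it.
#
# Hosts are compared against the string the client's CA library sends,
# i.e. whatever gethostname() returns on that machine. An entry must be
# written exactly as that host reports itself (short name or FQDN), and
# it is only as trustworthy as the machines on the lab subnet.

UAG(labusers) { "daniel", "operator" }
HAG(labhosts) { "labpc1", "labpc2", "laptop.lab.example" }

# PVs whose pvlist entry names no ASG fall into DEFAULT.
ASG(DEFAULT) {
    RULE(1, READ)
    RULE(1, WRITE) {
        UAG(labusers)
        HAG(labhosts)
    }
}
```

When the laptop moves to the office network it only ever reaches the external gateway, so it gets read access regardless of what name it reports.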

dschick commented 6 years ago

Thanks for these detailed responses. I already guessed that it might be a question more related to the AS of CA, but actually the hint of @ralphlange to simply create two gateways would solve my issue.