On Thursday, January 21, 1999 8:32 AM, Ned Arnold [SMTP:[email protected]] wrote:
>
> > I want to implement EPICS security to place control restrictions based upon
> > the physical location (control room, experimental areas) of our OPI's,
> > which are all X-terminals 'served' from a single host (Sun). All of the
> > CA clients are run on our host, and Channel Access (security) does not
> > 'know' where the medm displays are located.
> >
> > Is there a way I can configure the access security configuration file to use
> > the names/IP address of the individual X-terminals ?
> >
> >
>
>
> No. I was told <since Channel Access Security was born> that to implement this
> feature would make it difficult to port to other operating systems. I was
> encouraged to do this with "prudent system administration" rather than
> channel access security. I never figured out how to do that either.
>
This does appear to be somewhat messy to implement without impacting portability
(and the one or to other things that I have to get done at the moment).
The CA client library would need to know that X is in use and then ask it where
the server is (since the DISPLAY variable isn't always defined), but if the X
window system is running over DECNET then perhaps we have a problem ;-)
Also, it is possible that one process is talking to more than one X servers.
Perhaps in this situation the host location would be listed as "unknown". We
would of course need to be very careful about directly linking any of the code
in EPICS base with X (and therefore preventing sites from running without it).
A similar problem occurs when cau is run from an rlogin, telnet, rsh, ssh ...
session. When we did the first cut at access control, I looked briefly at a solution for
remote login and this appeared to be difficult to implement under UNIX in a portable
fashion. We could however create a bit of code for each UNIX system. The default
behavior for new operating systems would be to not implement this, but the proper
OS specific code could always be added latter as the need and inclination arises.
If we choose to pursue this then the first step would be to move the part of CA that
determines a client's host name to libCom so that there are independent versions of
the routine for each operating system. This would also make the code easier to
maintain by persons that are not familiar with CA, but are familiar with the local
operating system.
Jeff
- Navigate by Date:
- Prev:
Re: Slow booting ioc Garrett D. Rinehart
- Next:
RE: Slow booting ioc Jeff Hill
- Index:
1994
1995
1996
1997
1998
<1999>
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
- Navigate by Thread:
- Prev:
Re: X-terminals & EPICS security Gary Carr
- Next:
Slow booting ioc Garrett D. Rinehart
- Index:
1994
1995
1996
1997
1998
<1999>
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
| 
·
Home
·
News
·
About
·
Base
·
Modules
·
Extensions
·
Distributions
·
Download
·