EPICS Channel Access Gateway and Access Security
Florian Feldbauer
Helmholtz-Institut Mainz, Johannes Gutenberg-Universität Mainz
LV. Collaboration Meeting, November 30, 2015
Florian Feldbauer (HIM/JGU) LV. CM, 11/30/2015 CA Gateway 1/15
PANDA DCS Overview
- Each sub-detector has its own partition
- The partitions are separated from each other by CA Gateways
PANDA DCS Partition
[Figure: DCS partition for one sub-detector; layers labelled FL and CL]
PANDA LMD DCS Partition
[Figure: network diagram of the LMD DCS partition. Level E30: LAN client and WAN client on the global PANDA net (GbE, CA). Level E20: CA Gateway and databases, between the global PANDA net and the LMD subnet (GbE, CA). Level E10: ECH44A PC and EHS F205p-F (CANbus, Ethernet TCP/IP); Raspberry Pi in the assembly area (Ethernet SNMP, RS485, RS232) with TMCM142 and Unistat 425W; Raspberry Pi SoC at the detector (PWM, SPI, CANbus) with PL506, HiPace300, stepper motor, THMP, nXDS15i, MuPix and distance sensor.]
EPICS Channel Access
[Figure: Channel Access between the layers labelled SL, CL and FL]
EPICS Channel Access Gateway
Parts of the CA Gateway configuration:
1. CA Access Security
2. PV list
3. Network configuration
CA Access Security
"No attempt has been made to protect against the sophisticated saboteur. Network and physical security methods must be used to limit access to the subnet on which the iocs reside." [1]

[1] Application Developer's Guide, ch. 8, "Access Security", sec. 8.3.2, "Limitations"
CA Access Security - Features
Access security protects IOC databases from unauthorized CA clients, based on:
- Who? The user ID of the CA client
- Where? The host ID where the user is logged on; no attempt is made to tell whether the user is logged on locally or remotely
- What? Individual fields of records are protected
- When? Access rules can contain input links and calculations
Both the user name and the host name are reported by the CA client itself and are not authenticated by the protocol, which is why the "Limitations" quote above insists on network and physical security for the IOC subnet.
CA Access Security - Definitions
ASL  Access Security Level: 0 or 1. By default all fields are level 1 except VAL, CMD and RES. A rule for level 1 also covers level-0 fields (level 1 implies 0).
ASG  Access Security Group: group defining the access rights for users/hosts
UAG  User Access Group: list of user names; a user name may appear in more than one UAG
HAG  Host Access Group: list of host names; a host name may appear in more than one HAG
CA Access Security - Simple Example
PandaLmd.access:

    UAG(uag) {user1,user2}
    HAG(hag) {host1,host2}
    ASG(DEFAULT) {
        RULE(1,READ)
        RULE(1,WRITE) {
            UAG(uag)
            HAG(hag)
        }
    }

This provides read access to anyone located anywhere, and write access to user1 and user2 if they are located at host1 or host2. Since ASG(DEFAULT) applies to every PV that is not assigned another group, this one block governs everything the gateway exports unless the PV list says otherwise.
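To see how the ASL, UAG, HAG and RULE pieces above combine, here is a small evaluator for the subset of the access file grammar shown on the slide. It is an added example, not code from the slides or from EPICS base; INP links and CALC conditions are not modelled. The sample file is constructed for this example: the UAG `admins`, the user `op1` and the `GatewayAdmin` group with its `RULE(0,READ)` are assumptions that are not on the slide, added to show the level-0/level-1 distinction and the NONE outcome.

```python
"""Evaluate EPICS Access Security (.access) rules for a user, host and field level.

Added example for the PandaLmd.access slide; not code from the slides or EPICS base.
Models only UAG/HAG/ASG/RULE with UAG/HAG conditions (no INP links, no CALC).
"""
import re

ACCESS_RANK = {"NONE": 0, "READ": 1, "WRITE": 2}

# Tokens: '#' comments are skipped; names (groups, users, hosts, levels) and punctuation.
_TOKEN = re.compile(r"\s*(?:#[^\n]*|([A-Za-z0-9_:.\-]+)|([(){},]))?")


def tokenize(text):
    tokens, pos = [], 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m.end() == pos:                       # nothing consumed: illegal character
            raise ValueError(f"unexpected input near {text[pos:pos + 20]!r}")
        pos = m.end()
        tok = m.group(1) or m.group(2)
        if tok:
            tokens.append(tok)
    return tokens


def parse_acf(text):
    """Return {'uag': {name: set}, 'hag': {name: set},
               'asg': {name: [(level, access, [uag names], [hag names]), ...]}}."""
    toks, i = tokenize(text), 0

    def take(expected=None):
        nonlocal i
        tok = toks[i]
        if expected is not None and tok != expected:
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        i += 1
        return tok

    def names_until(closer):                     # a, b, c <closer>  ->  ['a', 'b', 'c']
        items = []
        while toks[i] != closer:
            tok = take()
            if tok != ",":
                items.append(tok)
        take(closer)
        return items

    acf = {"uag": {}, "hag": {}, "asg": {}}
    while i < len(toks):
        kind = take()
        take("("); name = take(); take(")")
        if kind in ("UAG", "HAG"):
            take("{")
            acf[kind.lower()][name] = set(names_until("}"))
        elif kind == "ASG":
            rules = []
            take("{")
            while toks[i] != "}":
                take("RULE"); take("(")
                level = int(take()); take(",")
                access = take().upper(); take(")")
                uags, hags = [], []
                if toks[i] == "{":               # optional condition block
                    take("{")
                    while toks[i] != "}":
                        cond = take()
                        if cond not in ("UAG", "HAG"):
                            raise ValueError(f"{cond} conditions are not modelled here")
                        take("(")
                        (uags if cond == "UAG" else hags).extend(names_until(")"))
                    take("}")
                rules.append((level, access, uags, hags))
            take("}")
            acf["asg"][name] = rules
        else:
            raise ValueError(f"unknown definition {kind!r}")
    return acf


def access_for(acf, asg_name, field_asl, user, host):
    """Access ('NONE', 'READ' or 'WRITE') that `user` logged on at `host` gets to a
    field of level `field_asl` in a PV belonging to ASG `asg_name`.
    A PV whose ASG is not defined falls back to DEFAULT; the result is the highest
    access of all rules that apply. A RULE(0,...) covers only level-0 fields,
    a RULE(1,...) covers level 0 and level 1. Without any applicable rule: NONE."""
    rules = acf["asg"].get(asg_name, acf["asg"].get("DEFAULT", []))
    best = "NONE"
    for level, access, uags, hags in rules:
        if level < field_asl:
            continue
        if uags and not any(user in acf["uag"].get(u, ()) for u in uags):
            continue
        if hags and not any(host in acf["hag"].get(h, ()) for h in hags):
            continue
        if ACCESS_RANK[access] > ACCESS_RANK[best]:
            best = access
    return best


# Constructed sample after the PandaLmd.access slide; 'admins', 'op1' and
# ASG(GatewayAdmin) are assumptions added for this example.
SAMPLE_ACF = """
UAG(uag) {user1,user2}
UAG(admins) {op1}
HAG(hag) {host1,host2}
ASG(DEFAULT) {
    RULE(1,READ)
    RULE(1,WRITE) { UAG(uag) HAG(hag) }
}
ASG(GatewayAdmin) {
    RULE(0,READ)                     # anyone may read VAL/CMD/RES
    RULE(1,WRITE) { UAG(admins) HAG(hag) }
}
"""

if __name__ == "__main__":
    acf = parse_acf(SAMPLE_ACF)
    for asg, asl, user, host in [("DEFAULT", 1, "user1", "host1"), ("DEFAULT", 1, "user1", "laptop"),
                                 ("GatewayAdmin", 1, "user1", "host1"), ("GatewayAdmin", 1, "op1", "host1")]:
        print(f"{asg:12} ASL{asl} {user}@{host}: {access_for(acf, asg, asl, user, host)}")
```

Note that the evaluator, like the IOC, simply believes the `user` and `host` it is handed; nothing in the access file can verify them.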
PV List
- List of PV names available through the gateway
- Combines PVs with access rules (the ASG applied to each PV)
- PV names can be given as patterns (regular expressions)
PV List - Simple Example
PandaLmd.pvlist:

    ## DENY overrides ALLOW
    EVALUATION ORDER ALLOW, DENY

    ## Allow access by ASG DEFAULT to PVs which
    ## begin with "PANDA:LMD:"
    PANDA:LMD:.* ALLOW

    ## Deny access by ASG DEFAULT to PVs which
    ## begin with "PANDA:LMD:" and end with "__"
    PANDA:LMD:.*__ DENY

    ## Allow access by ASG GatewayAdmin to gateway
    ## internal PVs
    gateway:.*Flag ALLOW GatewayAdmin

A PV that matches no ALLOW pattern is not visible through the gateway at all, so the PV list is the first filter and the access file only governs what the allowed PVs permit.
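The evaluation order line is easy to get backwards, so here is a model of how a pvlist is applied to a PV name. It is an added example, not code from the slides or from the CA Gateway. Assumptions of this model that are not stated on the slide: patterns must match the whole PV name, the keyword named second in EVALUATION ORDER overrides the first, within one keyword the last matching line wins, and ALIAS lines are not supported. The sample list is constructed here; the `DENY FROM visitor-pc` line and the PV names used are not from the slide.

```python
"""Model of CA Gateway .pvlist evaluation (ALLOW, DENY, DENY FROM, EVALUATION ORDER).

Added example after the PandaLmd.pvlist slide; not code from the slides or the gateway.
"""
import re
from dataclasses import dataclass, field


@dataclass
class PvRule:
    pattern: re.Pattern
    action: str               # "ALLOW" or "DENY"
    asg: str = "DEFAULT"      # ASG applied to the PV when allowed
    asl: int = 1              # ASL applied to the PV when allowed
    from_hosts: tuple = ()    # DENY FROM host ...; empty means any client host


@dataclass
class PvList:
    order: tuple = ("ALLOW", "DENY")   # assumption: the later keyword overrides the earlier one
    rules: list = field(default_factory=list)


def parse_pvlist(text):
    pvl = PvList()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        tok = line.split()
        if tok[0] == "EVALUATION" and len(tok) > 2 and tok[1] == "ORDER":
            order = tuple(t.strip(",").upper() for t in tok[2:] if t.strip(","))
            if sorted(order) != ["ALLOW", "DENY"]:
                raise ValueError(f"bad evaluation order: {line!r}")
            pvl.order = order
            continue
        pattern, action, args = re.compile(tok[0]), tok[1].upper(), tok[2:]
        if action == "ALLOW":                    # pattern ALLOW [ASG [ASL]]
            asg = args[0] if args else "DEFAULT"
            asl = int(args[1]) if len(args) > 1 else 1
            pvl.rules.append(PvRule(pattern, "ALLOW", asg, asl))
        elif action == "DENY":                   # pattern DENY [FROM host ...]
            if args and args[0].upper() != "FROM":
                raise ValueError(f"bad DENY line: {line!r}")
            pvl.rules.append(PvRule(pattern, "DENY", from_hosts=tuple(args[1:])))
        else:
            raise ValueError(f"unsupported keyword (e.g. ALIAS) in: {line!r}")
    return pvl


def evaluate(pvl, pv_name, client_host=None):
    """Return (exported, asg, asl) for pv_name as seen by a client on client_host.
    A PV matching no ALLOW line is not served by the gateway at all."""
    result = (False, None, None)
    for stage in pvl.order:                      # first keyword, then the overriding one
        for rule in pvl.rules:
            if rule.action != stage or rule.pattern.fullmatch(pv_name) is None:
                continue
            if rule.from_hosts and client_host not in rule.from_hosts:
                continue
            result = (True, rule.asg, rule.asl) if stage == "ALLOW" else (False, None, None)
    return result


# Constructed sample mirroring the slide; the DENY FROM line is an added assumption.
SAMPLE_PVLIST = """\
## DENY overrides ALLOW
EVALUATION ORDER ALLOW, DENY
PANDA:LMD:.* ALLOW
PANDA:LMD:.*__ DENY
PANDA:LMD:HV:.* DENY FROM visitor-pc
gateway:.*Flag ALLOW GatewayAdmin
"""

if __name__ == "__main__":
    pvl = parse_pvlist(SAMPLE_PVLIST)
    for name in ("PANDA:LMD:TEMP:Board1", "PANDA:LMD:TEMP:Board1__", "PANDA:LMD:A__B",
                 "gateway:newAsFlag", "PANDA:EMC:Temp"):
        print(f"{name:26} -> {evaluate(pvl, name)}")
    print("PANDA:LMD:HV:Ch0 from visitor-pc ->", evaluate(pvl, "PANDA:LMD:HV:Ch0", "visitor-pc"))
```

With the order reversed to `DENY, ALLOW`, the `PANDA:LMD:.*__` line no longer hides anything, because the later ALLOW stage wins; that is the single line to double-check whenever a pvlist is edited.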
Network Configuration
- For the CA Gateway a PC with two network interfaces is needed
- eth2 connected to the local (sub-detector) subnet
- A local DHCP/DNS server (dnsmasq) runs on eth2
- eth1 connected to the network of the institute
- If using a firewall, ports 5064 (udp/tcp) and 5065 (udp) must be open: 5064/tcp carries CA connections, 5064/udp the name searches and 5065/udp the beacons
Open these only towards the hosts that need to reach the gateway on eth1. The gateway host is the one place where the global PANDA net meets the sub-detector subnet, and since CA user and host names come from the client, it is the firewall, not the access file, that keeps untrusted hosts away from the IOC subnet (see the "Limitations" quote above).
Network Configuration
Need to know the IP address of eth1 and the broadcast address of eth2:

    ~ > /sbin/ifconfig
    [...]
    eth1      Link encap:Ethernet  HWaddr 74:d4:35:ec:0c:47
              inet addr:10.32.90.101  Bcast:10.32.90.255  Mask:255.255.255.0
    [...]
    eth2      Link encap:Ethernet  HWaddr 74:d4:35:ec:0c:45
              inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
    [...]
Using the CA Gateway
Starting the CA Gateway:

    ~ > cd /opt/epics/gateway2_0_6_0
    ~ > bin/linux-x86_64/gateway \
            -log /home/panda/cagateway.log \
            -cip 192.168.1.255 \
            -sip 10.32.90.101 \
            -uid 1000 -gid 1000 \
            -server -no_cache \
            -home /opt/epics/gateway2_0_6_0 \
            -pvlist PandaLmd.pvlist \
            -access PandaLmd.access

Options:
  -log       log file
  -cip       client-side address list: the broadcast address of the sub-detector subnet (eth2), where the gateway searches for the IOCs
  -sip       server-side IP address: the eth1 address on which the gateway serves CA to the institute/PANDA net
  -uid, -gid user ID and group ID the gateway runs as
  -server    run as a daemon
  -no_cache  disable the gateway's value cache
  -home      directory to search for the configuration files
  -pvlist    file with the PV list
  -access    access security definition

Stopping the daemon:

    ~ > cd /opt/epics/gateway2_0_6_0
    ~ > ./gateway.killer
BACKUP
Installing the CA Gateway
Dependencies: EPICS base 3.14.12 (or newer)

    ~ > wget -q -O - https://launchpad.net/epics-gateway/trunk/2.0.6.0/+download/gateway2_0_6_0.tar.gz | tar xzf - -C /opt/epics
    ~ > cd /opt/epics/gateway2_0_6_0
    ~ > echo "EPICS_BASE = /opt/epics/base" > configure/RELEASE.local
    ~ > make -j4

The tarball is unpacked straight from the download without any checksum or signature check; for a production gateway host, verify the archive against a known-good checksum before building.