Activity log for bug #1538779

Date Who What changed Old value New value Message
2016-01-27 22:43:32 Andrew Johnson bug added bug
2016-01-27 23:19:15 Andrew Johnson description

Old value:

Setting EPICS_CA_NAME_SERVERS causes a CA client to open a TCP connection to the given list of servers and to use those sockets for name resolution. If a server is actually an IOC, the same TCP circuit will be reused for all default priority data connections to that IOC, but the IOC is never actually sent the user or host names by the client, so they appear empty in the output from casr. The names are mainly used by the CA Access Security subsystem. Setting EPICS_CA_NAME_SERVERS might thus be a nice way to limit CA clients to connect to a small set of IOCs, but doing so doesn't permit access security to be used properly.

I tested this by starting a softIoc on my workstation tux, then running camonitor thusly:

    tux$ EPICS_CA_NAME_SERVERS='tux' camonitor <pv-name>

Run 'casr 1' on the iocsh console to see the client's host and user-name. Adding a '-p 10' argument to camonitor causes it to create a new TCP circuit for the data, which *does* have the user and host names. Doing this causes the name resolution TCP circuit to be shown as V4.0, so I wonder if whatever mechanism causes the minor version number to be sent might also be able to be used to send the user and host names.

New value:

Setting EPICS_CA_NAME_SERVERS causes a CA client to open a TCP connection to the given list of servers and to use those sockets for name resolution. If a server is actually an IOC, the same TCP circuit will be reused for all default priority data connections to that IOC, but the IOC is never actually sent the user or host names by the client, so they appear empty in the output from casr. The names are mainly used by the CA Access Security subsystem. Setting EPICS_CA_NAME_SERVERS might thus be a nice way to limit CA clients to connect to a small set of IOCs, but doing so doesn't permit access security to be used properly.

I tested this by starting a softIoc on my workstation tux, then running camonitor thusly:

    tux$ EPICS_CA_NAME_SERVERS='tux' camonitor <pv-name>

Run 'casr 2' on the iocsh console to see the client's host and user-name. Adding a '-p 10' argument to camonitor causes it to create a new TCP circuit for the data, which *does* have the user and host names. Doing this causes the name resolution TCP circuit to be shown as V4.0, so I wonder if whatever mechanism causes the minor version number to be sent might also be able to be used to send the user and host names.
2016-01-27 23:21:35 Andrew Johnson description

Old value:

Setting EPICS_CA_NAME_SERVERS causes a CA client to open a TCP connection to the given list of servers and to use those sockets for name resolution. If a server is actually an IOC, the same TCP circuit will be reused for all default priority data connections to that IOC, but the IOC is never actually sent the user or host names by the client, so they appear empty in the output from casr. The names are mainly used by the CA Access Security subsystem. Setting EPICS_CA_NAME_SERVERS might thus be a nice way to limit CA clients to connect to a small set of IOCs, but doing so doesn't permit access security to be used properly.

I tested this by starting a softIoc on my workstation tux, then running camonitor thusly:

    tux$ EPICS_CA_NAME_SERVERS='tux' camonitor <pv-name>

Run 'casr 2' on the iocsh console to see the client's host and user-name. Adding a '-p 10' argument to camonitor causes it to create a new TCP circuit for the data, which *does* have the user and host names. Doing this causes the name resolution TCP circuit to be shown as V4.0, so I wonder if whatever mechanism causes the minor version number to be sent might also be able to be used to send the user and host names.

New value:

Setting EPICS_CA_NAME_SERVERS causes a CA client to open a TCP connection to the given list of servers and to use those sockets for name resolution. If a server is actually an IOC, the same TCP circuit will be reused for all default priority data connections to that IOC, but the IOC is never actually sent the user or host names by the client, so they appear empty in the output from casr. The names are mainly used by the CA Access Security subsystem. Setting EPICS_CA_NAME_SERVERS might thus be a nice way to limit CA clients to connect to a small set of IOCs, but doing so doesn't permit access security to be used properly.

I tested this by starting a softIoc on my workstation tux, then running camonitor thusly:

    tux$ EPICS_CA_NAME_SERVERS='tux' camonitor <pv-name>

Run 'casr 1' on the iocsh console to see the client's host and user-name. Adding a '-p 10' argument to camonitor causes it to create a new TCP circuit for the data, which *does* have the user and host names. Doing this causes the name resolution TCP circuit to be shown as V4.0, so I wonder if whatever mechanism causes the minor version number to be sent might also be able to be used to send the user and host names.
2016-05-05 21:17:08 mdavidsaver epics-base: status New Confirmed
2017-05-08 00:34:09 mdavidsaver epics-base: milestone 3.16.1
2017-05-08 00:34:11 mdavidsaver epics-base: assignee mdavidsaver (mdavidsaver)
2017-05-08 00:34:17 mdavidsaver epics-base: status Confirmed Fix Committed
2017-06-02 20:42:10 Andrew Johnson epics-base: status Fix Committed Fix Released