Tango Access Control in Waltz Webapp
|
|
---|---|
Dear Tango community, I have tried to set up TAC with the waltz webapp and I have run into an issue that I cannot figure out. What I have tried as a minimal example and for others to reproduce: - minimal tango system with DB, DB server, tango test and TAC servers on ubuntu 20.04 (also tried with more servers and dockerized on windows/mac, same result) - waltz app downloaded and built from https://github.com/waltz-controls/waltz - rest server 2.3 downloaded from https://github.com/hzg-wpi/rest-server/releases/download/rest-server-2.3/rest-server-2.3.zip - put tango.war (rest server) and waltz.war in tomcat/webapps and start tomcat server - everything works fine without access control and access control works outside webapp (jive/ simple PyTango client writing an attribute) - in the waltz webapp the user starting the tomcat server (and thus rest server) will be the one against which TAC is checking - TAC apparently works except for the DbInfo command, so e.g. http://localhost:8080/tango/rest/v11/hosts/tangobox;port=10000/devices/sys/tg_test/1/attributes/double_scalar/value?=1 will work/not work depending on the TAC configuration for the user/host starting tomcat. However, it gives an error "sys/database/2.command_inout(DbInfo) is not authorized for:\n${user} on tangobox" for all users no matter their access rights (also tried different hostnames and hostnames are also resolved). DbInfo command is in class property AllowedAccessCmd. As this one is needed to get the device tree it is pretty crucial. Perhaps someone has experience with using TAC correctly with the webapp. Best Karl |
|
|
---|---|
Hi Karl, Great you give Waltz a try! Greatly appreciated! From the steps you described you did everything right. Originally TAC validation happened per user request basis, meaning the username from the request (from Authorization HTTP header) was used to check against TAC. However this feature was removed in 2.0 as nobody really used TAC with rest server. Hope this clarifies. |
|
|
---|---|
Dear Igor, thanks for getting back. Do I understand correctly that TAC is entirely deprecated for rest server 2.x? It still seems to submit the user/hostname information to the TAC as the error messages (access for denied for: $user on $hostname) are returned. Best Karl |
|
|
---|---|
Yeah, rest server does not send anything to TAC since 2.0 However as it is uses JTango (Waltz-Controls fork) under the hood, JTango may use environment user to check against TAC when DeviceProxies are created. So you it is feasible to observer some level of interaction with TAC. But I would double check that looking into the source code |
|
|
---|---|
Alright thanks! |