Difference between revisions of "/Experiment ODB tree"

From MidasWiki
Line 183: Line 183:
 
[https://bitbucket.org/tmidas/midas/src/ecb9a8537448a8a43f7f9a2bfdb82e578208cde3/doc/mongoose/Options.md?at=develop Mongoose Configuration Options].
 
[https://bitbucket.org/tmidas/midas/src/ecb9a8537448a8a43f7f9a2bfdb82e578208cde3/doc/mongoose/Options.md?at=develop Mongoose Configuration Options].
  
 +
 +
<br>
 +
--------
 +
<br>
 +
 +
=== <span style="color: purple;">''midas server port''</span>  ===
 +
<div style="column-count:3;-moz-column-count:3;-webkit-column-count:3">
 +
* '''Type:''' DWORD
 +
* '''Default:'''  1175
 +
</div>
 +
This key (added Aug 2015) will be for use with the [[mserver]] version (in git branch "feature/rpcsecurity" &  still being tested as of Aug 2015) that aims to improve network security for the MIDAS experiment.
 +
 +
This key contains the default value of the port used by [[mserver]]. This is set to MIDAS_TCP_PORT (1175 in midas.h).  A different port can be used by starting [[mserver]] with the -p argument.
  
 
<br>
 
<br>
Line 428: Line 441:
 
</div>
 
</div>
  
This optional subtree  in the [[#top|/Experiment tree]] is created when the '''[[odbedit]]''' commands  <span style="color:saddlebrown; font-style:bold; ">passwd</span> or  <span style="color:saddlebrown; font-style:bold; ">webpasswd</span> are issued. It enables a user to set up security features. See '''[[Security]]'''
+
This optional subtree  in the [[#top|/Experiment tree]] is created when the '''[[odbedit]]''' commands  <span style="color:saddlebrown; font-style:bold; ">passwd</span> or  <span style="color:saddlebrown; font-style:bold; ">webpasswd</span> are issued. It enables a user to set up security features. See '''[[Security]]'''.
 
<br>
 
<br>
 
--------
 
--------
Line 443: Line 456:
 
contains the encrypted password. This Key is created when the {{Odbedit cmd|cmd=passwd}} is issued. See '''[[security]]''' for details.
 
contains the encrypted password. This Key is created when the {{Odbedit cmd|cmd=passwd}} is issued. See '''[[security]]''' for details.
  
;Note
+
;Notes
Do not set this key except through the {{Odbedit cmd|cmd=passwd}}. Setting an unencrypted password will lock you out of the ODB unless {{Utility|name=odbedit}} is listed as an [[#Allowed programs|allowed program]].
+
<ol><li> Do not set this key except through the {{Odbedit cmd|cmd=passwd}}. Setting an unencrypted password will lock you out of the ODB unless {{Utility|name=odbedit}} is listed as an [[#Allowed programs|allowed program]].</li>
 
+
<li>This security feature is not proof against malicious access. See [[Security]] for details.
 +
</ol>
 
<br>
 
<br>
 
--------
 
--------
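Review bot: the second list item, `<li>This security feature is not proof against malicious access. See [[Security]] for details.`, has no closing `</li>`, while the first item does; close it so the `<ol>` stays well-formed and both items render the same way.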
Line 457: Line 471:
 
This subtree in the  [[#Security|/Experiment/Security subtree]] is created when the {{Odbedit cmd|cmd=passwd}} is issued. When created, this subtree is empty.
 
This subtree in the  [[#Security|/Experiment/Security subtree]] is created when the {{Odbedit cmd|cmd=passwd}} is issued. When created, this subtree is empty.
 
Optionally, it may contain  user-defined names of remote hosts allowed to have free access (i.e. without password) to the current experiment. See '''[[Security #Allowed Hosts|allowed hosts]]'''.  
 
Optionally, it may contain  user-defined names of remote hosts allowed to have free access (i.e. without password) to the current experiment. See '''[[Security #Allowed Hosts|allowed hosts]]'''.  
 +
 +
;Note
 +
* This security feature is not proof against malicious access. See [[Security]] for details.
  
 
<br>
 
<br>
Line 469: Line 486:
 
This subtree  in the  [[#Security|/Experiment/Security subtree]] is created when the {{Odbedit cmd|cmd=passwd}} is issued. When created, this subtree is empty.
 
This subtree  in the  [[#Security|/Experiment/Security subtree]] is created when the {{Odbedit cmd|cmd=passwd}} is issued. When created, this subtree is empty.
 
Optionally, it may  contain user-defined names of clients allowed to have free access (i.e. without password) to the current experiment. See '''[[Security #Allowed clients|allowed clients]]'''.
 
Optionally, it may  contain user-defined names of clients allowed to have free access (i.e. without password) to the current experiment. See '''[[Security #Allowed clients|allowed clients]]'''.
 +
 +
;Note
 +
* This security feature is not proof against malicious access. See [[Security]] for details.
  
 
<br>
 
<br>
Line 484: Line 504:
  
 
If this key is present, the user will be requested to provide the "Web Password" when accessing the requested experiment in "Write Access" mode. The "Read Only Access" mode is still available (without a password) to all users.
 
If this key is present, the user will be requested to provide the "Web Password" when accessing the requested experiment in "Write Access" mode. The "Read Only Access" mode is still available (without a password) to all users.
 +
 +
;Note
 +
* This security feature is not proof against malicious access. See [[Security]] for details.
 +
 +
 +
<br>
 +
--------
 +
<br>
 +
 +
 +
==== <span style="color: purple;">''Disable RPC hosts check''</span> ====
 +
<div style="column-count:3;-moz-column-count:3;-webkit-column-count:3">
 +
* '''Type:''' BOOL
 +
* '''Default:'''  "n"
 +
</div>
 +
This key has been added for the use of the [[mserver]] version (in git branch "feature/rpcsecurity" &  still being tested as of Aug 2015) that aims to improve network security for the MIDAS experiment.
 +
 +
If MIDAS clients have to connect from random hosts (i.e. dynamically assigned random DHCP addresses), one can disable the host name checks by
 +
setting this key to "yes". This configuration is insecure and should only be done on a private network behind a firewall. See [https://midas.triumf.ca/elog/Midas/1080].
 +
 +
<br>
 +
--------
 +
<br>
 +
 +
==== <span style="color: purple;">''Enable non-localhost RPC''</span> ====
 +
<div style="column-count:3;-moz-column-count:3;-webkit-column-count:3">
 +
* '''Type:''' BOOL
 +
* '''Default:'''  "n"
 +
</div>
 +
This key has been added for the use of the [[mserver]] version (in git branch "feature/rpcsecurity" &  still being tested as of Aug 2015) that aims to improve network security for the MIDAS experiment. The default value of this key will be "n", denying access by external network connections.  If running an experiment that requires external network connections, this key must be set to "y" and the key [[#RPC hosts|RPC hosts]] must be filled. See [https://midas.triumf.ca/elog/Midas/1080].
 +
 +
<br>
 +
--------
 +
<br>
 +
 +
==== <span style="color: purple;">''Rpc hosts''</span> ====
 +
<div style="column-count:3;-moz-column-count:3;-webkit-column-count:3">
 +
* '''Type:''' STRING
 +
* '''Default:''' 
 +
</div>
 +
This key has been added for the use of the [[mserver]] version (in git branch "feature/rpcsecurity" &  still being tested as of Aug 2015) that aims to improve network security for the MIDAS experiment.
 +
Currently, the default access control list is empty, meaning that everybody is permitted access.  The default will be changed to "localhost", which will reject all external connections, even when permitted by [[#Enable external RPC connections|Enable external RPC connections]].  The user will be required to enter the names of all machines that will run midas clients in
 +
this key. See [https://midas.triumf.ca/elog/Midas/1080].
 +
 +
<br>
 +
--------
 +
<br>
 +
 +
==== <span style="color: purple;">''Rpc ports/<frontend-client-name>''</span> ====
 +
<div style="column-count:3;-moz-column-count:3;-webkit-column-count:3">
 +
* '''Type:''' STRING
 +
* '''Default:''' 
 +
</div>
 +
 +
This key will be for use with the [[mserver]] version (in git branch "feature/rpcsecurity" &  still being tested as of Aug 2015) that aims to improve network security for the MIDAS experiment.
 +
This key has been added to fix the TCP port numbers for MIDAS programs, e.g.
 +
{{Odbpath|path=/Experiment/Security/Rpc ports/fename}} = (int)5555
 +
 +
Once a remote [[Frontend Operation|frontend]] is bound to a fixed port, appropriate openings can be made in the firewall, etc. Default port number value
 +
will be 0 meaning "use random port", same as now. See [https://midas.triumf.ca/elog/Midas/1079].
  
  
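Review bot: two cross-references in the new ''Enable non-localhost RPC'' and ''Rpc hosts'' text point at anchors that do not exist in this revision: `[[#RPC hosts|RPC hosts]]` does not match the heading ''Rpc hosts'' (MediaWiki section anchors are case-sensitive), and `[[#Enable external RPC connections|Enable external RPC connections]]` has no heading at all, the key added here being ''Enable non-localhost RPC''. In the ''Rpc ports/<frontend-client-name>'' section the key is declared `'''Type:''' STRING` while the example sets `(int)5555` and the text gives a numeric default of 0; one of the two should change. Minor: ''Disable RPC hosts check'' is a BOOL with default "n" but the text says to set it to "yes"; "y" would match the other BOOL keys on the page.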
Line 490: Line 570:
 
<br>
 
<br>
  
[[Category:ODB Tree]] [[Category:Experiment]]
+
[[Category:ODB Tree]] [[Category:Experiment]] [[Category:Security]]

Revision as of 17:13, 11 August 2015



Creating the /Experiment tree

The /Experiment ODB tree is created automatically when the ODB is first created.

Purpose

The /Experiment ODB tree contains information relevant to the experiment. Other optional keys are added by mhttpd or by the user to customize their experiment.


Examples

When initially created, the /Experiment tree contains the following keys:

[local:midas:S]/>ls -lrt /experiment
Key name                        Type    #Val  Size  Last Opn Mode Value
---------------------------------------------------------------------------
Experiment                      DIR
   Name                        STRING  1     32    14s  0   RWD  midas
   Buffer sizes                DIR
       SYSMSG                  DWORD   1     4     11h  0   RWD  100000


The following example shows the /Experiment tree for a typical experiment :

[local:midas:R]/>ls -lrt /experiment
Key name                        Type    #Val  Size  Last Opn Mode Value
---------------------------------------------------------------------------
Experiment                      DIR
   Name                        STRING  1     32    7s   0   RWD  midas
   Buffer sizes                DIR
       SYSMSG                  DWORD   1     4     23h  0   RWD  100000
       SYSTEM                  DWORD   1     4     23h  0   RWD  640000000
       BUF0                    DWORD   1     4     23h  0   RWD  80000000
       BUF1                    DWORD   1     4     23h  0   RWD  80000000
       .......    other user-defined buffers not shown  
   CSS File                    STRING  1     1024  9h   0   RWD  mhttpd.css
   JS File                     STRING  1     1024  9h   0   RWD  mhttpd.js
   MAX_EVENT_SIZE              DWORD   1     4     23h  0   RWD  4194304
   Menu Buttons                STRING  1     1000  9h   0   RWD  Status, ODB, Messages, ELog, Alarms, Programs, History, Sequencer, Config, Help
   Start-Stop Buttons          BOOL    1     4     8h   0   RWD  y
   Pause-Resume Buttons        BOOL    1     4     8h   0   RWD  n
 
   Transition debug flag       INT     1     4     23h  0   RWD  0
   Transition connect timeout  INT     1     4     23h  0   RWD  10000
   Transition timeout          INT     1     4     23h  0   RWD  120000
   edit on start               DIR
       experiment number               DWORD   1     4     2h   0   RWD  9499
       field                           STRING  1     32    2h   0   RWD  19000.2(0.0)G
       comment-> /Experiment/run parameters/comment
                                       STRING  1     80    2h   0   RWD  Testing with low beam
       Number of channels -> /Run Parameters/number of channels
                                       DWORD   1     4     2h   0   RWD  20
       Write Data -> /Logger/Write data
                                       BOOL    1     4     2h   0   RWD  n
       Number of cycles -> /Equipment/FIFO_acq/frontend/hardware/num cycles
                                       DWORD   1     4     2h   0   RWD  0
   Parameter Comments          DIR                   
       field                           STRING  1     32    >99d 0   RWD  Entered in Tesla unit
       Num cycles                      STRING  1     80    >99d 0   RWD  Stop run after num cycles is reached. Enter 0 to disable (free running)
   Run Parameters              DIR
       Comment                         STRING  1     80    2h   0   RWD  Testing with low beam
       Run Description                 STRING  1     256   7h   0   RWD  Sequencer Tests
       Number of channels              DWORD   1     4     2h   0   RWD  20
   Lock when running           DIR
       Num channels -> /Run Parameters/number of channels
                                       DWORD   1     4     2h   0   RWD  20
   edit on sequence            DIR
       title                           STRING  1     128   2h   0   RWD  none
       experiment number               DWORD   1     4     2h   0   RWD  9438
       experimenter                    STRING  1     32    2h   0   RWD  gls
       sample                          STRING  1     36    2h   0   RWD  NA
       run description -> /Experiment/run parameters/run description
                                       STRING  1     256   7h   0   RWD  Sequencer Tests
       Write Data -> /Logger/Write data
                                       BOOL    1     4     2h   0   RWD  n
       Number of cycles -> /Equipment/FIFO_acq/frontend/hardware/num cycles
                                       DWORD   1     4     2h   0   RWD  0
   Prevent start on alarms     BOOL    1     4     22h  0   RWD  n
   Prevent start on required   BOOL    1     4     22h  0   RWD  n
   Status items                DIR
       Experiment Name -> /Experiment/Name
                               STRING  1     32    7s   0   RWD  midas
   Start-Stop Buttons          BOOL    1     4     5h   0   RWD  y
   Pause-Resume Buttons        BOOL    1     4     5h   0   RWD  n



Keys in /Experiment tree

The keys in the ODB /Experiment tree are described in the following sections.

Name

  • Type: STRING
  • Default:

This key in the /Experiment tree contains the name of the experiment. Filled automatically when the ODB is created.




Buffer Sizes subtree

  • Type: DIR

This key in the /Experiment tree is a subtree to contain the sizes of the Midas Buffers for the experiment. Created with default values. The sizes can be changed to optimize the memory usage. See Event Buffer Size(s) for details. Other user-defined buffers may be present (e.g. for event filtering).



SYSMSG

  • Type: DWORD
  • Default: 100000 Bytes

This key in the /Experiment/Buffer Sizes subtree contains the size of the SYSMSG buffer. This buffer is used for MIDAS messages. The default value of this key is defined by MESSAGE_BUFFER_SIZE in $MIDASSYS/include/msystem.h.




SYSTEM

  • Type: DWORD
  • Default: 32 MiBytes

This key in the /Experiment/Buffer Sizes subtree contains the size of the SYSTEM buffer. The default value of this key is DEFAULT_BUFFER_SIZE = 32 MiBytes in midas.h. The actual SYSTEM buffer size is set by this key. See Event Buffer for details.



MAX_EVENT_SIZE

  • Type: DWORD
  • Default: 4 MiBytes

This key in the /Experiment tree specifies the maximum event size that can be acquired. The default value of this key is DEFAULT_MAX_EVENT_SIZE = 4 MiBytes in midas.h. The actual maximum event size is set by this key (see also Event Buffer).





Mongoose listening_port

  • Type: STRING
  • Default: "8080r,8443s"

This key in the /Experiment tree is created when mhttpd is run for the first time. It contains the listening ports for the secure HTTPS/SSL server (Mongoose). The value lists the HTTP port (default 8080), which is redirected to the secure HTTPS port (default 8443). If ports are supplied with the "--mg" option when starting mhttpd, their values will overwrite the default values stored in this key. See mhttpd for details.





Mongoose access_control_list

  • Type: STRING
  • Default: ""

This key in the /Experiment tree is created when mhttpd is run for the first time. It contains the access control list (ACL) for the Mongoose web server. By default, this key is empty and there is no access control. The format of the ACL is described under access_control_list at Mongoose Configuration Options.





midas server port

  • Type: DWORD
  • Default: 1175

This key (added Aug 2015) will be for use with the mserver version (in git branch "feature/rpcsecurity" & still being tested as of Aug 2015) that aims to improve network security for the MIDAS experiment.

This key contains the default value of the port used by mserver. This is set to MIDAS_TCP_PORT (1175 in midas.h). A different port can be used by starting mserver with the -p argument.





CSS File

  • Type: STRING
  • Default: "mhttpd.css"

This key in the /Experiment tree contains the name of the MIDAS stylesheet file for the use of those writing Custom Web Pages.






JS File

  • Type: STRING
  • Default: "mhttpd.js"

This key in the /Experiment tree contains the name of the Javascript library file for the use of those writing Custom Web Pages.






Menu Buttons

  • Type: STRING
  • Default: "Status, ODB, Messages, ELog, Alarms, Programs, History, Sequencer, Chat, Config, Help"

This key in the /Experiment tree is added automatically by mhttpd to allow the Menu buttons that appear on the Main Status Page to be customized by removing unnecessary buttons or by changing their order.

The Start/Stop/Pause/Resume buttons are no longer included in Menu Buttons.


Note
If MSCB support is built into MIDAS, the default will also include the MSCB Menu button (see MSCB Page).




Start-Stop Buttons

  • Type: BOOL
  • Default: y

This key in the /Experiment tree is added automatically by mhttpd to allow the user to suppress the Start or Stop buttons from appearing on the Status Page. By default, Start/Stop buttons are shown.





Pause-Resume Buttons

  • Type: BOOL
  • Default: n

This key in the /Experiment tree is added automatically by mhttpd. By default the Pause/Resume menu buttons do not appear on the Status Page. The user can allow these buttons to appear during the run by setting this key to "y".





Transition debug flag

  • Type: INT
  • Default: 0

This key in the /Experiment tree contains a flag that, if set to 1, causes messages reporting transition progress to be output.




Transition connect timeout

  • Type: INT
  • Default: 10000

This key in the /Experiment tree contains the timeout value for the remote RPC connect.




Transition timeout

  • Type: INT
  • Default: 120000

This key in the /Experiment tree contains the timeout value for the transition.



Prevent start on alarms

  • Type: BOOL
  • Default: "n"

If this key in the /Experiment tree is set true, the run is prevented from starting while an alarm is true, i.e. the run start procedure fails if an alarm has been Triggered for a client, provided a valid alarm class has been entered in the client's Alarm class key.





Prevent start on required program

  • Type: BOOL
  • Default: "n"

If this key in the /Experiment tree is set true ("y"), the run is prevented from starting if one of the required clients is not running. A client is flagged as "required" by setting the ODB key Required to "y".





Edit on Sequence subtree

  • Type: DIR

This optional subdirectory in the /Experiment tree may contain user-defined parameters which will be displayed for editing at the start of each Sequence. See Edit-on-Sequence Parameters for details.




Edit on Start subtree

  • Type: DIR

This optional subdirectory in the /Experiment tree may contain user-defined parameters which will be displayed for editing at the beginning of each run. See Edit-on-start Parameters for details.




Lock when running subtree

  • Type: DIR

This optional subdirectory in the /Experiment tree contains user-defined links to ODB parameters to prevent them being changed when the run is in progress. See Lock when running for details.




Parameter Comments subtree

  • Type: DIR

This optional subdirectory in the /Experiment tree may contain user-defined parameter comments that give more information about the Edit-on-start Parameters.




Run Parameters subtree

  • Type: DIR

This optional subdirectory in the /Experiment tree may contain user-defined parameters or parameter(s) with reserved names (i.e. Run Description).




Run Description

  • Type: STRING
  • Default:

This ODB key is used by the Sequencer RUNDESCRIPTION command to store the run description.





<parameter name>

  • Type: STRING
  • Default:

The user may define parameters here e.g. for linking as Edit-on-start or Edit-on-Sequence parameters.





Status items subtree

  • Type: DIR

This key in the /Experiment tree is a subtree which by default contains a link to the experiment name. Any links or keys created by the user in this optional subdirectory will be displayed on the mhttpd main status page.




Security subtree

  • Type: DIR

This optional subtree in the /Experiment tree is created when the odbedit commands passwd or webpasswd are issued. It enables a user to set up security features. See Security.




Password

  • Type: STRING
  • Default:

This key in the /Experiment/Security subtree contains the encrypted password. This key is created when the odbedit command passwd is issued. See security for details.

Notes
  1. Do not set this key except through the odbedit command passwd. Setting an unencrypted password will lock you out of the ODB unless odbedit is listed as an allowed program.
  2. This security feature is not proof against malicious access. See Security for details.




Allowed hosts subtree

  • Type: DIR

This subtree in the /Experiment/Security subtree is created when the odbedit command passwd is issued. When created, this subtree is empty. Optionally, it may contain user-defined names of remote hosts allowed to have free access (i.e. without password) to the current experiment. See allowed hosts.

Note
  • This security feature is not proof against malicious access. See Security for details.




Allowed programs subtree

  • Type: DIR

This subtree in the /Experiment/Security subtree is created when the odbedit command passwd is issued. When created, this subtree is empty. Optionally, it may contain user-defined names of clients allowed to have free access (i.e. without password) to the current experiment. See allowed clients.

Note
  • This security feature is not proof against malicious access. See Security for details.




Web Password

  • Type: STRING
  • Default:

If web access restriction has been set up, this key in the /Experiment/Security subtree will contain an encrypted password for Web server access. This key is created by using the odbedit command webpasswd.

If this key is present, the user will be requested to provide the "Web Password" when accessing the requested experiment in "Write Access" mode. The "Read Only Access" mode is still available (without a password) to all users.

Note
  • This security feature is not proof against malicious access. See Security for details.






Disable RPC hosts check

  • Type: BOOL
  • Default: "n"

This key has been added for the use of the mserver version (in git branch "feature/rpcsecurity" & still being tested as of Aug 2015) that aims to improve network security for the MIDAS experiment.

If MIDAS clients have to connect from random hosts (i.e. dynamically assigned DHCP addresses), one can disable the host name checks by setting this key to "yes". This configuration is insecure and should only be used on a private network behind a firewall. See https://midas.triumf.ca/elog/Midas/1080.




Enable non-localhost RPC

  • Type: BOOL
  • Default: "n"

This key has been added for the use of the mserver version (in git branch "feature/rpcsecurity" & still being tested as of Aug 2015) that aims to improve network security for the MIDAS experiment. The default value of this key will be "n", denying access by external network connections. If running an experiment that requires external network connections, this key must be set to "y" and the key RPC hosts must be filled. See https://midas.triumf.ca/elog/Midas/1080.




Rpc hosts

  • Type: STRING
  • Default:

This key has been added for the use of the mserver version (in git branch "feature/rpcsecurity" & still being tested as of Aug 2015) that aims to improve network security for the MIDAS experiment. Currently, the default access control list is empty, meaning that everybody is permitted access. The default will be changed to "localhost", which will reject all external connections, even when permitted by Enable external RPC connections. The user will be required to enter in this key the names of all machines that will run midas clients. See https://midas.triumf.ca/elog/Midas/1080.




Rpc ports/<frontend-client-name>

  • Type: STRING
  • Default:

This key will be for use with the mserver version (in git branch "feature/rpcsecurity" & still being tested as of Aug 2015) that aims to improve network security for the MIDAS experiment. It has been added to give MIDAS programs fixed TCP port numbers, e.g.

/Experiment/Security/Rpc ports/fename = (int)5555

Once a remote frontend is bound to a fixed port, the appropriate openings can be made in the firewall, etc. The default port number value will be 0, meaning "use a random port", as at present. See https://midas.triumf.ca/elog/Midas/1079.
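As an added example (not MIDAS code), the following Python script parses an odbedit "ls -lrt" listing in the column layout shown at the top of this page and audits the /Experiment/Security keys described above, flagging the states the key descriptions call insecure or incomplete (host checks disabled, non-localhost RPC enabled with an empty Rpc hosts list, missing passwords, random Rpc ports). The listing is constructed, and the check rules are this example's own reading of the descriptions above.

```python
import re

# Constructed sample of an odbedit 'ls -lrt /Experiment/Security' listing in the column
# layout this page shows for /Experiment. Values are invented; the password is a placeholder.
SAMPLE_LISTING = """\
Key name                        Type    #Val  Size  Last Opn Mode Value
---------------------------------------------------------------------------
Security                        DIR
   Password                    STRING  1     32    2h   0   RWD  <encrypted>
   Allowed hosts               DIR
   Allowed programs            DIR
       odbedit                 STRING  1     32    2h   0   RWD  odbedit
   Disable RPC hosts check     BOOL    1     4     2h   0   RWD  y
   Enable non-localhost RPC    BOOL    1     4     2h   0   RWD  y
   Rpc hosts                   STRING  1     256   2h   0   RWD
   Rpc ports                   DIR
       fename                  INT     1     4     2h   0   RWD  0
"""

# ODB type names as odbedit prints them (longer names first so INT64 is tried before INT).
ODB_TYPES = ("INT64", "UINT64", "STRING", "DOUBLE", "DWORD", "FLOAT", "SHORT",
             "BYTE", "CHAR", "WORD", "BOOL", "LINK", "INT", "DIR")
# indent, key name, type, then (#Val Size Last Opn Mode) and the value on non-DIR rows
LINE_RE = re.compile(
    r"^(?P<indent>\s*)(?P<name>.+?)\s{2,}(?P<type>" + "|".join(ODB_TYPES) + r")"
    r"(?:\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s*(?P<value>.*))?$")


def parse_listing(text, root="/Experiment"):
    """Return {path: (type, value)} from an odbedit 'ls -lrt' listing.
    Nesting comes from indentation: a DIR row opens a level and any later row
    indented no deeper than it closes that level. root is the listed key's parent."""
    keys = {}
    stack = []  # (indent, name) of the DIR rows enclosing the current row
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:  # column header, separator line, blank line
            continue
        indent = len(m.group("indent"))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        name, typ = m.group("name"), m.group("type")
        path = root + "/" + "/".join([n for _, n in stack] + [name])
        keys[path] = (typ, (m.group("value") or "").strip())
        if typ == "DIR":
            stack.append((indent, name))
    return keys


def audit_security(keys, sec="/Experiment/Security"):
    """Flag Security-subtree states this page documents as insecure or incomplete."""
    def val(name):  # value of a key under the Security subtree, None if absent
        entry = keys.get(sec + "/" + name)
        return None if entry is None else entry[1]
    findings = []
    if val("Password") is None:
        findings.append("no ODB password set: create one with the odbedit 'passwd' command")
    if val("Web Password") is None:
        findings.append("no Web Password: mhttpd 'Write Access' mode needs no password")
    if val("Disable RPC hosts check") == "y":
        findings.append("RPC host name checks disabled: only acceptable on a private network behind a firewall")
    if val("Enable non-localhost RPC") == "y" and not val("Rpc hosts"):
        findings.append("non-localhost RPC enabled with an empty 'Rpc hosts' list: every host is permitted")
    for path, (_, value) in keys.items():
        if path.startswith(sec + "/Rpc ports/") and value in ("", "0"):
            findings.append("%s uses a random port (0): it cannot be pinned in the firewall" % path.rsplit("/", 1)[1])
    return findings


if __name__ == "__main__":
    for finding in audit_security(parse_listing(SAMPLE_LISTING)):
        print("WARNING:", finding)
```

To audit a live experiment, feed the script the output of odbedit's "ls -lrt /Experiment/Security" instead of the constructed sample.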