Access Control to a MIDAS experiment
- To restrict access to an experiment via the web to authorized users, the following strategies are recommended:
- Use the latest (post May 2015) version of mhttpd which uses OpenSSL to provide secure HTTPS connections via the Mongoose web server. This limits access by requiring a username and password. Access can be restricted to the web server by using the Access Control List (ACL).
- Implement a firewall and/or restrictions on off-site access. This kind of security can be provided by setting up Proxy Access to mhttpd .
Improvements to network security
By default, there has been no restriction for any user to connect locally or remotely to a given experiment. The Web Server itself mhttpd has recently (May 2015) been updated to providing secure HTTPS connections (see above). Development is in progress to other network security issues - see ). Changes to mserver will make the default behaviour to reject all external network connections. Some new ODB keys have been recently defined in the /Experiment/Security subtree that will be used by mserver to restrict access. External connections will have to be specifically enabled by the user using new ODB keys in the /Experiment ODB tree#Security subtree. The new keys are
The MIDAS system provides a means to setup access restrictions using the ODB in order to protect the experiment from accidental or unauthorized access. This will not stop malicious or determined hackers - see #Access Control to a MIDAS experiment
There are two levels of access restriction available each of which can be enabled independently:
- To restrict write access via the web by requiring a password before any parameter can be changed.
- To require a password before MIDAS clients can start running on the host.
The user can select either or both of these security features.
Note that other forms of ODB access control independent of these security features is also available:
- Write access can be restricted while a run is in progress (see Lock when running )
- Individual keys or subtrees in the experiment's ODB can be set "read only" with the odbedit command chmod.
- Custom web pages can provide experimenters with access to a subset of ODB keys necessary for the experiment. By hiding the ODB Page access button, the ODB can be protected from non-expert access via the web server.
How to Setup Web Access Restrictions
NOTE: these are not proof against malicious access. See #Access Control to a MIDAS experiment.
The ODB /Experiment/Security subtree can also be used to restrict access to the experiment via the Web. This subtree is automatically created (if not already present) when the odbedit command webpasswd is issued as follows:
C:\online>odbedit [local:Default:S]/>cd Experiment/ [local]/>webpasswd Password:<xxxx> Retype password:<xxxx>
If web access restriction is set up, the user will be requested to provide the "Web Password" when accessing the requested experiment in "Write Access" mode. The "Read Only Access" mode is still available to all users.
[local:bnqr:S]/Experiment>ls Security/ Web Password pon4@#@%SSDF2
How to Setup Client Access Restrictions
In order to restrict access to the experiment, a password mechanism needs to be defined. This is provided by the /Experiment/Security subtree in odb. This subtree is automatically created (if not already present) when the odbedit command passwd is issued as follows:
C:\online>odbedit [local:Default:S]/>cd Experiment/ [local]/>passwd Password:<xxxx> Retype password:<xxxx>
After running the odbedit command passwd, the /Experiment/Security subtree will be present.
Allowing specific hosts/clients access without password
While restricting access can make sense to deny access to outsider to a given experiment, it can be annoying for the people working directly at the back-end computer or for an automatic frontend reloading mechanism. To address this problem, specific hosts and clients can be exempt from having to supply a password before being granted full access.
Hostnames to be allowed full access to the ODB are listed in the /Experiment/Security/Allowed hosts subtree, e.g.
[local]/>cd "/Experiment/Security/Allowed hosts" [local]rhosts>create int myhost.domain [local]rhosts>
where <myHost.domain> is to be replaced by the full IP address of the host requesting full clearance, e.g "pierre.triumf.ca".
Programs (i.e. clients) to be allowed full access to the ODB (regardless of the node on which they are running) can be listed in the /Experiment/Security/Allowed programs subtree,
[local]/>cd "/Experiment/Security/Allowed programs" [local]:S>create int mstat [local]:S>