restrict device proxy creation

Dear developers,

I have an application in which, for a certain Tango device, the device proxy can only be created within another Tango device.

The said former Tango device is a PLC controller; therefore I do not want persons on the network with Tango knowledge to be creating proxies for it.

I will give them another device (the latter) where the commands can be safely executed. Unfortunately the reasons for creating this structure are somewhat out of scope to discuss here, but I would like to know whether such a type of restriction is possible in Tango?

It would also be useful if I could somehow know which client called a command on the server side (for example, like accessing the request object in an HTTP request inside the server).

Thanks in advance, and I hope the question is clear.

Any other suggestions are welcome. A firewall is unfortunately not an option because I want to see the former device in Jive. I understand this is all contradictory, but currently this is a requirement for me.
Hi

I don't see an obvious way for PyTango devices to get the client details on the server side, similar to the request object in HTTP. That sounds like it could be useful. Some layers of cppTango handling the requests have the client info, which is used to populate the blackbox, but it doesn't get passed on to PyTango.

If I understand your setup, it is something like: PLC hardware -> PLC Tango Device (A) -> PLC Facade Tango Device (B)

You only want a client from within B to access A. Other clients on the network are expected to access B, and if they try to access A, they may not perform any write actions/commands.

One way is to use Tango's device locking functionality. Some more details in RFC 10. You make a DeviceProxy in device B and use it to lock access to Device A. Then only that proxy can make changes. We assume that other users on the network won't try to lock or unlock the device. This mechanism makes it harder for users to cause trouble, but not impossible.

Another option would be the Tango Access Control system. More info here. That requires more configuration, but may give you more control. I haven't used it.

Similar to the firewall option, if you started the device server A only listening for connections from the local network, adding command line option "--host=127.0.0.1" (note: two dashes), then if device B is on the same host, it could connect to A. Jive will still show device A and B. Of course, you'll have to run Jive from the same host as device A if you want to read or write attributes or send commands. Probably that is not good enough for you to "see the former device in Jive".

/Anton
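The device-locking approach from the answer above, sketched as an added example that is not part of the original thread and not code from PyTango itself. The names `LockedForwarder` and `connect` are hypothetical; the proxy methods used (`lock`, `unlock`, `is_locked`, `is_locked_by_me`, `locking_status`, `command_inout`) are those of `tango.DeviceProxy`. It also handles the case the answer warns about, where another client has unlocked or locked device A.

```python
# Added example: LockedForwarder and connect() are hypothetical names, not PyTango API.
class LockedForwarder:
    """Holds the Tango lock on device A from inside device B and forwards commands."""

    def __init__(self, proxy, lock_validity=10):
        # `proxy` is a tango.DeviceProxy for device A, or any object exposing
        # the same lock/unlock/is_locked/is_locked_by_me/command_inout methods.
        self._proxy = proxy
        self._validity = lock_validity  # seconds

    def ensure_lock(self):
        """Take the lock, or re-take it if another client force-unlocked A."""
        if self._proxy.is_locked_by_me():
            return
        if self._proxy.is_locked():
            # Another client holds the lock: refuse rather than fight over it.
            raise RuntimeError("device A is locked by another client: "
                               + self._proxy.locking_status())
        self._proxy.lock(self._validity)

    def forward(self, command, arg=None):
        """Run `command` on device A only while this process owns the lock."""
        self.ensure_lock()
        return self._proxy.command_inout(command, arg)

    def release(self):
        """Give the lock back, e.g. when device B shuts down."""
        if self._proxy.is_locked_by_me():
            self._proxy.unlock()


def connect(device_name, lock_validity=10):
    """Build a forwarder for a real device; needs PyTango and a running Tango system."""
    import tango  # lazy import so the class above can be exercised without Tango
    forwarder = LockedForwarder(tango.DeviceProxy(device_name), lock_validity)
    forwarder.ensure_lock()
    return forwarder
```

In device B, `connect()` would be called from `init_device` and `release()` from `delete_device`, with B's commands calling `forward()`.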
Thanks for this detailed answer, it's very helpful. I will post any updates if I am NOT successful in using your ideas.