Access control to the historian using local users


#1

Hi guys.

We’ve used access control to the historian in our openPDCs:

and it has worked well with Windows users.

However, recently we tried to do the same but with “local” users, created in the openPDC database (“Authentication: Database” in the openPDC Manager - System - Configure Security), but it failed. The authentication in the URL to get data from the historian, like this:

http://user:passwd@openpdc.ip:6152/historian/timeseriesdata/…/xml

does not work. Even if it is used like this:

http://openpdc.ip:6152/historian/timeseriesdata/…/xml

and using the Windows authentication of the browser, it doesn’t work.

Any hint about that?


EDIT: Copied from thread 549140 on CodePlex.

Below are a few easy steps to turn on security for the historian time-series data services. This uses the same role-based security as defined in the openPDC, i.e., you will control access to the web service using the openPDC Manager security configuration.

In the example configuration steps defined below as long as a user and/or group has a “role” defined in the openPDC security system (i.e., a Windows user and/or group has a defined role of Administrator, Editor or Viewer) then they can access the read portion of the web service. Only Administrator and Editor roles will have write access.

You can modify the IncludedResources value to further control security if needed, e.g., allow different access control to statistics and data historians. For example, setting the IncludedResources value to *:6152/historian/timeseriesdata/read/*=*; *:6152/historian/timeseriesdata/write/*=Administrator,Editor; would only turn on security for data historian but not statistics historian.

If you want any user or group that has a role defined in the openPDC to have access to read or writes in any of the historian web services, the value to insert into IncludedResources can be very simple: */historian/*=*.

Configuration steps:

  1. Stop openPDC service
  2. Edit openPDC.exe.config file (have to run editor with admin access) and make following changes:
    1. configuration\categorizedSettings\securityProvider\add name="IncludedResources" - insert the following text into the value: "*/historian/timeseriesdata/read/*=*; */historian/timeseriesdata/write/*=Administrator,Editor; "
    2. configuration\categorizedSettings\ppaTimeSeriesDataService\add name="SecurityPolicy" - set value to "GSF.ServiceModel.SecurityPolicy, GSF.ServiceModel"
  3. Save openPDC.exe.config
  4. Restart openPDC service

XML updates should look similar to the following:

<configuration>
  <categorizedSettings>
    <securityProvider>
      <add name="IncludedResources" value="*/historian/timeseriesdata/read/*=*; */historian/timeseriesdata/write/*=Administrator,Editor;  UpdateSettings,UpdateConfigFile=Special; Settings,Schedules,Help,Status,Version,Time,Health,List,Invoke,ListCommands,ListReports,GetReport=*; Processes,Start,ReloadCryptoCache,ReloadSettings,Reschedule,Unschedule,SaveSchedules,LoadSchedules,ResetHealthMonitor,Connect,Disconnect,Initialize,ReloadConfig,Authenticate,RefreshRoutes,TemporalSupport,LogEvent,GenerateReport,ReportingConfig=Administrator,Editor; *=Administrator"
        description="Semicolon delimited list of resources to be secured along with role names."
        encrypted="false" />
    </securityProvider>
    <ppaTimeSeriesDataService>
      <add name="SecurityPolicy" value="GSF.ServiceModel.SecurityPolicy, GSF.ServiceModel"
        description="Assembly qualified name of the authorization policy to be used for securing the web service."
        encrypted="false" />
    </ppaTimeSeriesDataService>
  </categorizedSettings>
</configuration>

Thanks.
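The IncludedResources rules above are easy to get subtly wrong (for example, the difference between a pattern starting with `*/historian/` and one starting with `*:6152/historian/`). The following is an added example, not code from the thread or from the openPDC/GSF project: a small Python model of the semicolon-delimited `pattern=roles` format that reports which roles a request URL would need under a given value. It assumes that `*` is the only wildcard, that the full request URL is what the patterns are compared against, that the first matching rule wins, and that a URL matching no rule is simply not secured; the sample URLs, the `current/1/xml` path, the `write/xml` path and the statistics port `6162` are constructed for illustration.

```python
import re
from typing import List, Optional, Set, Tuple

# Constructed sample 1: the data-historian-only value quoted in the thread.
# The ":6152" anchor means a statistics historian on another port is not secured.
DATA_HISTORIAN_ONLY = (
    "*:6152/historian/timeseriesdata/read/*=*; "
    "*:6152/historian/timeseriesdata/write/*=Administrator,Editor;"
)

# Constructed sample 2: the URL rules from the thread's XML example plus its
# "*=Administrator" catch-all (the service-command names are omitted here).
ALL_HISTORIANS = (
    "*/historian/timeseriesdata/read/*=*; "
    "*/historian/timeseriesdata/write/*=Administrator,Editor; "
    "*=Administrator"
)

Rule = Tuple[str, Set[str]]  # (resource pattern, roles allowed to access it)


def parse_included_resources(value: str) -> List[Rule]:
    """Split 'pattern[,pattern]=role[,role]; ...' into an ordered list of rules."""
    rules: List[Rule] = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        patterns, sep, roles = entry.partition("=")
        if not sep:
            raise ValueError(f"IncludedResources entry without '=': {entry!r}")
        role_set = {r.strip() for r in roles.split(",") if r.strip()}
        for pattern in (p.strip() for p in patterns.split(",")):
            if pattern:
                rules.append((pattern, role_set))
    return rules


def _matches(pattern: str, resource: str) -> bool:
    """Assumed wildcard semantics: '*' matches any text, everything else is literal."""
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, resource, re.IGNORECASE) is not None


def required_roles(rules: List[Rule], resource: str) -> Optional[Set[str]]:
    """Roles that may access `resource`; None if no rule secures it (first match wins, assumed)."""
    for pattern, roles in rules:
        if _matches(pattern, resource):
            return roles
    return None


def is_allowed(rules: List[Rule], resource: str, user_roles: Set[str]) -> bool:
    """Decide access for a caller holding `user_roles` (empty set = no role defined)."""
    needed = required_roles(rules, resource)
    if needed is None:
        return True           # unsecured resource: no authentication demanded
    if not user_roles:
        return False          # secured resource: caller must hold at least one role
    if "*" in needed:
        return True           # any defined role (Administrator, Editor or Viewer) suffices
    return bool(needed & user_roles)


# Constructed request URLs (host "openpdc.ip" and port 6152 are from the thread).
READ_URL = "http://openpdc.ip:6152/historian/timeseriesdata/read/current/1/xml"
WRITE_URL = "http://openpdc.ip:6152/historian/timeseriesdata/write/xml"
STATS_READ_URL = "http://openpdc.ip:6162/historian/timeseriesdata/read/current/1/xml"


def audit(value: str) -> List[str]:
    """Summarise, per sample URL and role, whether access would be granted."""
    rules = parse_included_resources(value)
    lines = []
    for url in (READ_URL, WRITE_URL, STATS_READ_URL):
        for roles in (set(), {"Viewer"}, {"Editor"}, {"Administrator"}):
            label = ",".join(sorted(roles)) or "<no role>"
            verdict = "allow" if is_allowed(rules, url, roles) else "deny"
            lines.append(f"{verdict:5} {label:14} {url}")
    return lines


if __name__ == "__main__":
    for name, value in (("data historian only", DATA_HISTORIAN_ONLY),
                        ("all historians", ALL_HISTORIANS)):
        print(f"== {name} ==")
        print("\n".join(audit(value)))
```

Running the audit side by side shows the point made in the thread: with the `*:6152/...` value, a read against the statistics port is not secured at all (allowed even with no role), whereas with the `*/historian/...` value every historian read requires some role and every write requires Editor or Administrator.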


#2

The web services currently only support Windows authentication - however, adding parameters to the URL could be added to support database users. However, you would need an SSL style connection in order not to send the password in clear text.


#3

Ok, Ritchie. Thanks.


#4

Guys,

We’ve used a .NET client (WebClient) in a C# software (developed by us) to access data (historic and current) from an openPDC with access control enabled, with Windows users. We mount URLs with user and password (http://user:passwd@openpdc.ip:6152/historian/timeseriesdata/…/json) into the C# software, and parse the json that comes from the openPDC. It has worked well.

Now, we are trying to do something similar, but using php and “curl” (Linux). In this scenario, the requests don’t work. It seems there is some authentication issue; it seems the openPDC webservice can’t authenticate the connection coming from curl.

We are using the configurations posted in the old openPDC forum (link above).

Any idea if we can change something in the openPDC configuration, or any hint to use with curl, or other client?

Thanks.


#5

My guess is that the user running the .NET software provided the “authentication” needed to access the web service and the user name and password passed into the URL was ignored.

In order to replicate authentication from a non-Windows environment, the HTTP implementation would need to negotiate the needed credentials.

I suggest something like the following: