Hi guys.
We’ve used access control to the historian in our openPDCs:
https://openpdc.codeplex.com/discussions/549140#post1257969
and it has worked well with Windows users.
However, recently we tried to do the same but with “local” users, created in the openPDC database (“Authentication: Database” in the openPDC Manager - System - Configure Security), but it failed. The authentication in the URL to get data from the historian, like this:
http://user:passwd@openpdc.ip:6152/historian/timeseriesdata/.........../xml
does not work. Even if it is used like this:
http://openpdc.ip:6152/historian/timeseriesdata/.........../xml
and using the window authentication of the browser, it doesn’t work.
Any hint about that?
EDIT: Copied from thread 549140 on CodePlex.
Below are a few easy steps to turn on security for the historian time-series data services. This uses the same role-based security as defined in the openPDC, i.e., you will control access to the web service using the openPDC Manager security configuration.
In the example configuration steps defined below as long as a user and/or group has a “role” defined in the openPDC security system (i.e., a Windows user and/or group has a defined role of Administrator, Editor or Viewer) then they can access the read portion of the web service. Only Administrator and Editor roles will have write access.
You can modify the IncludedResources value to further control security if needed, e.g., allow different access control to statistics and data historians. For example, setting the IncludedResources value to
*:6152/historian/timeseriesdata/read/*=*; *:6152/historian/timeseriesdata/write/*=Administrator,Editor;
would only turn on security for data historian but not statistics historian. If you want any user or group that has a role defined in the openPDC to have access to read or writes in any of the historian web services, the value to insert into IncludedResources can be very simple:
*/historian/*=*
Configuration steps:
- Stop openPDC service
- Edit openPDC.exe.config file (have to run editor with admin access) and make following changes:
  - configuration\categorizedSettings\securityProvider\add name="IncludedResources" - insert the following text into the value "*/historian/timeseriesdata/read/*=*; */historian/timeseriesdata/write/*=Administrator,Editor; "
  - configuration\categorizedSettings\ppaTimeSeriesDataService\add name="SecurityPolicy" - set value to "GSF.ServiceModel.SecurityPolicy, GSF.ServiceModel"
- Save openPDC.exe.config
- Restart openPDC service
XML updates should look similar to the following:
<configuration>
  <categorizedSettings>
    <securityProvider>
      <add name="IncludedResources" value="*/historian/timeseriesdata/read/*=*; */historian/timeseriesdata/write/*=Administrator,Editor; UpdateSettings,UpdateConfigFile=Special; Settings,Schedules,Help,Status,Version,Time,Health,List,Invoke,ListCommands,ListReports,GetReport=*; Processes,Start,ReloadCryptoCache,ReloadSettings,Reschedule,Unschedule,SaveSchedules,LoadSchedules,ResetHealthMonitor,Connect,Disconnect,Initialize,ReloadConfig,Authenticate,RefreshRoutes,TemporalSupport,LogEvent,GenerateReport,ReportingConfig=Administrator,Editor; *=Administrator" description="Semicolon delimited list of resources to be secured along with role names." encrypted="false" />
    </securityProvider>
    <ppaTimeSeriesDataService>
      <add name="SecurityPolicy" value="GSF.ServiceModel.SecurityPolicy, GSF.ServiceModel" description="Assembly qualified name of the authorization policy to be used for securing the web service." encrypted="false" />
    </ppaTimeSeriesDataService>
  </categorizedSettings>
</configuration>
Thanks.
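A way to check that the two edits from the configuration steps above are actually present in openPDC.exe.config after the restart. This is an added example, not part of the original post or of openPDC/GSF; the function names are hypothetical, and the entry grammar (comma-separated resources, `=`, comma-separated roles, entries separated by `;`) is an assumption read off the IncludedResources value shown above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed openPDC.exe.config holding only the two settings from the steps.
SAMPLE_CONFIG = """<configuration>
  <categorizedSettings>
    <securityProvider>
      <add name="IncludedResources" value="*/historian/timeseriesdata/read/*=*; */historian/timeseriesdata/write/*=Administrator,Editor; *=Administrator" />
    </securityProvider>
    <ppaTimeSeriesDataService>
      <add name="SecurityPolicy" value="GSF.ServiceModel.SecurityPolicy, GSF.ServiceModel" />
    </ppaTimeSeriesDataService>
  </categorizedSettings>
</configuration>"""

def get_setting(root, category, name):
    """Return the value of <add name=...> under categorizedSettings/<category>, or None."""
    for node in root.findall(f"./categorizedSettings/{category}/add"):
        if node.get("name") == name:
            return node.get("value")
    return None

def parse_included_resources(value):
    """Split 'res1,res2=RoleA,RoleB; ...' into {resource: [roles]} (assumed grammar)."""
    rules = {}
    for entry in (value or "").split(";"):
        entry = entry.strip()
        if not entry:
            continue  # trailing ';' leaves an empty piece
        resources, sep, roles = entry.rpartition("=")
        if not sep:
            raise ValueError(f"entry has no '=roles' part: {entry!r}")
        for res in resources.split(","):
            rules[res.strip()] = [r.strip() for r in roles.split(",") if r.strip()]
    return rules

def audit(config_xml):
    """List deviations from the configuration steps described in the post."""
    root = ET.fromstring(config_xml)
    problems = []
    policy = get_setting(root, "ppaTimeSeriesDataService", "SecurityPolicy")
    if not (policy or "").strip():
        problems.append("ppaTimeSeriesDataService SecurityPolicy is empty")
    rules = parse_included_resources(get_setting(root, "securityProvider", "IncludedResources"))
    for op in ("read", "write"):
        if not any(f"/historian/timeseriesdata/{op}/" in res or res == "*/historian/*" for res in rules):
            problems.append(f"no IncludedResources entry for historian {op}")
    return problems

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

To run it against a live install, pass the text of the real openPDC.exe.config to `audit()` instead of the sample.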