From: Ralph Lange <Ralph.Lange@be...> - 2010-01-28 15:54:56
Here's another aspect that we shouldn't ignore and maybe
In configurations with multiple Gateways, typically a Gateway has to
block name resolution requests from some or all other Gateways to avoid
circular name resolution request traffic. (Which can seriously mess up a
whole system pretty easily. Been there.)
For V3 CA, this was handled by adding an environment variable for the
CAS server that specifies numeric IPs. Name resolution requests from
these IPs are silently dropped, i.e. completely ignored; the server's
PVs are invisible from these IPs.
This basically works, but has the disadvantage that it always affects
all CA clients on an ignored host. Regular CA clients started on the
same machine will not be able to use the Gateways in the system.
The feature to ignore name requests has to be kept, as it is essential
It could possibly be handled in a better integrated, more elegant, and
more obvious way if moved to AS.
If we wanted to allow "hiding" as a per-record feature, we would need
one more right (something like VISIBLE or HIDDEN similar to PROCESS),
and AS would have to be asked when the server is looking for record
names to resolve.
The other option would be making it a global server directive in AS,
then the server will have to check it when AS is init'd or updated.
In both cases: the source IP for a name resolution packet is always
accessible, but it would be nice if PVAccess could send the user name in
name resolution packets, because in that case the ignore feature could
be restricted to a user group. E.g. you could easily ignore all requests
from the special user all Gateways run as, without having to specify all
the machines that Gateways may run on.
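
Added example, not part of the original message and not EPICS code: a small model contrasting the host-based ignore list with an AS-style check keyed on the user name and record. All names, addresses, the rule format and the presence of a user name in the search packet are assumptions made for illustration; the user name is treated as whatever the client claims.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Search:
    src_ip: str   # source IP of the name resolution packet (always available)
    user: str     # user name claimed by the client (assumed to be in the packet)
    pv: str       # record name being searched for

PVS = {"LINAC:BPM1:X", "LINAC:BPM2:X"}       # constructed record names
IGNORE_IPS = {"10.0.1.10", "10.0.2.10"}      # constructed Gateway hosts
# Hypothetical AS rules: (record-name pattern, users the record is hidden from)
HIDDEN_RULES = [
    ("*", {"gateway"}),                      # global directive: ignore the Gateway user
    ("LINAC:BPM2:*", {"guest"}),             # per-record hiding
]

def resolve_by_ip(req):
    """Host-based ignore list: every search from a listed IP is dropped."""
    if req.src_ip in IGNORE_IPS:
        return False                         # silently dropped, no reply
    return req.pv in PVS

def resolve_by_as(req):
    """AS-style check: hidden if a rule matches both the record and the user."""
    for pattern, users in HIDDEN_RULES:
        if fnmatchcase(req.pv, pattern) and req.user in users:
            return False
    return req.pv in PVS

def compare(requests):
    """Return (user, src_ip, pv, answered_by_ip_rule, answered_by_as_rule)."""
    return [(r.user, r.src_ip, r.pv, resolve_by_ip(r), resolve_by_as(r))
            for r in requests]

SAMPLE = [  # constructed requests
    Search("10.0.1.10", "gateway", "LINAC:BPM1:X"),   # another Gateway
    Search("10.0.1.10", "operator", "LINAC:BPM1:X"),  # regular client on a Gateway host
    Search("10.0.3.77", "gateway", "LINAC:BPM1:X"),   # Gateway on an unlisted machine
    Search("10.0.3.50", "guest", "LINAC:BPM2:X"),     # per-record hiding
]

if __name__ == "__main__":
    for row in compare(SAMPLE):
        print(row)
```

The second and third rows show the two failure modes of the host-based list: a regular client on a Gateway host is dropped, and a Gateway started on an unlisted machine is answered.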