epics/epics-base
0
0
Fork 0
Code Issues Pull Requests Projects Wiki Activity
Files
cabbc44bf915aa558034e52e5c5902e7b88f8a3f
epics-base/documentation/new-notes/PR-624.md
Andrew Johnson 87f5e4b699 Various fixes to the new-notes files
2025-12-12 12:41:41 -06:00

5.4 KiB
Raw Blame History

ACF Syntax Forward Compatibility

This release modifies the Access Security Configuration File (ACF) parser to standardize the ACF grammar for forward compatibility. It does not change the syntax that was accepted by earlier versions of the parser, so existing access security configuration files will not need to be modified. All ACF definitions will adhere to a consistent syntax format, which will allow future additions to the access security language without breaking existing configurations. In practice, this means the structure of ACF files is now formally defined and will remain stable going forward, so any new grammar features will fit into the same pattern. (Existing ACF files continue to work as-is under the new parser, so no changes are required for legacy configurations or tools.).

Generic ACF Syntax: The ACF file consists of definitions for User Access Groups (UAG), Host Access Groups (HAG), and Access Security Groups (ASG), using the following general format (angle brackets below denote placeholders):


UAG(<name>) [{ <user> [, <user> ...] }]
...

HAG(<name>) [{ <host> [, <host> ...] }]
...

ASG(<name>) [{
    [INP<index>(<pvname>)
     ...]

    RULE(<level>, NONE | READ | WRITE [, NOTRAPWRITE | TRAPWRITE]) {
        [UAG(<name> [, <name> ...])]
        [HAG(<name> [, <name> ...])]
        [CALC(<calculation>)]
    }
    ...
}]
...

Under this schema each definition comprises a keyword, a name in parentheses, and (optionally) a braced block of contents. This uniform structure ensures that future keywords or sections can be introduced in the same form, maintaining compatibility with the parser. For example, if a new type of condition or group is added in a later release, it would follow the KEYWORD(name) { ... } pattern, so 7.0.10-era parsers can handle or ignore it gracefully instead of failing on unknown syntax.

Supported Syntax in EPICS 7.0.10: The current release defines the following specific elements within the above generic format:

  • UAG -- User Access Group. Defines a group of user names.
  • HAG -- Host Access Group. Defines a group of host names (or IP addresses) that clients can connect from.
  • ASG -- Access Security Group. Defines a security group which records can be assigned to. An ASG entry may contain a block with input definitions and access rules. For example:
ASG(MyGroup) {
    INPA(myPV1)
    INPB(myPV2)
    RULE(1, WRITE) { ... }
    RULE(1, READ) { ... }
}

If no rules are defined for an ASG, the access permissions default to always allowed.

  • INP() -- Input link. Declares an input process variable whose value can be used in a CALC condition.
  • RULE(, [, ]) { ... } -- Defines an access rule for the ASG.

Inside the curly braces of a RULE, optional conditions can restrict when that rule applies. All conditions that are present must be satisfied (they function as a logical AND):

  • UAG(, ...) -- User-group condition. The rule only applies if the Channel Access client's user is a member of one of the listed UAGs.
  • HAG(, ...) -- Host-group condition. The rule only applies if the client's host (as determined by its IP or hostname) is in one of the listed HAGs
  • CALC("") -- Calculation condition. The rule only applies if the given expression evaluates to true (non-zero).

Special Semantics for RULEs: Rules will continue to allow the prescribed access if and only if all the predicates the rule contains are satisfied.

  • If the rule contains predicates that are unknown to the parser (indicating future functionality), then the rule will NOT not match, but no syntax error will be reported as long as the syntax is correct.
  • If the rule contains predicates that the parser does not recognise which are malformed (e.g. missing parentheses), then the rule will not match and the parser will report a syntax error.
  • In this way rules can be extended with new predicates without breaking older clients or giving those older clients elevated privileges.

Special Semantics for unrecognised ACF file elements: Any elements that are included in an ACF file will be ignored silently by a parser that does not understand them.

  • If an element is seen in an ACF file that is not understood by the parser, the parser will simply ignore it silently, without reporting an error, as long as its syntax is correct.
  • If elements are added to the ACF file that are malformed (e.g. missing parentheses), the parser will report a syntax error.
  • Thus new elements can be added to ACF files in new EPICS releases without breaking older clients that loads those files.

In summary, ACF forward compatibility means that from EPICS 7.0.10 onward, any new access security features will use this established syntax. The parser will recognize new group types or rule options using the same <KEYWORD>(...) { ... } convention, ensuring they can be used in files loaded by IOCs running EPICS 7.0.10 or later without breaking those IOCs or requiring their parser to be modified. This change does not require any modifications to existing ACF files or downstream tools -- all legacy syntax remains valid, and the new standardized grammar provides a robust foundation for future extensions.

A full EBNF grammar for the new syntax can be found in the IOC Access Security document added to this release.

Reference in New Issue View Git Blame Copy Permalink