-
Notifications
You must be signed in to change notification settings - Fork 947
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Session is not provided by "ClearChangeMasks" when a change is notified #2656
Session is not provided by "ClearChangeMasks" when a change is notified #2656
Comments
…sks when a change is notified
After further investigation I came to the following conclusion:
Test Setup:
Client 1: Configure Admin (sysadmin) ->sucessfully monitor node fixed by: #2809 |
@Filippo-Oliva-ABB please test with #2809 if this fixes the issue also in your tests |
Hi @romanett, first of all thank you for your effort in solving this issue, I really appreciate it. |
@Filippo-Oliva-ABB you can assign the permissions at runtime as far as i know, it was just easier to reproduce for me. |
Ok, sorry @romanett , I misunderstood your intentions.
|
regarding 1. ithe function ValidateRolePermissions is called with a new OperationContext initialized by the MI, therefore the check will be performed, with the session of the MonitoredItem. Can you still reproduce the issue with my fix? For me it seems the check should be enough |
Hi @romanett, I meant that in the case of the MonitoredItem.Session would be null for some reason, the ValidaterRolePermission method would returns "Good" letting the Monitored.Item be queued. My PR would fix the problem but increases the probability to experience the NullArgumentException because this part of the code is executed every time a change needs to be reported to each subscribed client. At this point, in my humble opinion, there are two options:
|
@Filippo-Oliva-ABB The case a MI without associated session exists can occur when a session is closed but the subscription lifetime is not up yet. In this case we definitely need to continue sampling. I have two more questions:
Regarding: #2777 When does the ISystemContext reporting an event contain a session and what does this mean for the event (are session local events a thing desribed in the spec?) To be able to verify role Permissions in case the session is closed several changes are needed:
|
Hi @romanett, trying to respond with order:
All things considered, I need a clarification about this:
|
@Filippo-Oliva-ABB regarding checking UserAcccessLevel vs. RolePermissions checking. I was not familiar with checking the UserAccessLevel so i thougth maybe using the existing RolePermissions check at the necessary places (Read /Write from Client is checked, Event MI is also covered and DataChangeMI would be coverd with my PR) would be a more common solution. However I am not shure about your exact needs so maybe checking UserAccessLevel directly can achieve a differnt usecase. Why It's needed that the sampling continues? Subscriptions are designed to work independent of the actual communication connection between OPC UA Client and Server and independent of a Session. Short communication interruptions can be handled without losing data or events. see: https://reference.opcfoundation.org/Core/Part4/v105/docs/5.13.1 |
Type of issue
Current Behavior
A single OPC UA server providing a single “NodeManager” that:
Two clients (Client1 and Client2) connected (and subscribed to the same set of variables) to the server with two different users (User1 and User2).
When Client1 and Client2 subscribe for the first time to the variable changes everything works, meaning that Client1 get an error during the subscription while Client2 can complete the subscription and reads the first value as expected.
When the “NodeManager” calls the ClearChangeMasks method it happens that both Client1 and Clien2 can’t read the just changed value.
Tracking the session acquired by the OnReadUserAccessLevel event handler, it appears empty.
This seems to be since the context passed to the ClearChangeMasks the one referenced by the “NodeNanager” doesn’t have a session in the time of that call.
Expected Behavior
When the “NodeManager” calls the ClearChangeMasks method it is expected that Client1 will still receive an authorization error while Client2 will be able to read the changed value.
Steps To Reproduce
A single OPC UA server providing a single “NodeManager” that:
Two clients (Client1 and Client2) connected (and subscribed to the same set of variables) to the server with two different users (User1 and User2).
Make the "NodeManager" calls the ClearChangeMasks method on one variable among those both clients are subscribed to, notifying a value change passing as the first argument the instance of "ISystemContext" provided by the "SystemContext" property of the "NodeManager".
Environment
Anything else?
I tried to fix the lack of session changing the context passed to the ClearChangeMasks method by looping through all available session. To do this I got the list of active session from the referenced “SessionManager” and, for each of them I created a copy of “SytemContext” providing it a new instance of “OperationContext” including the session and I passed the new context to the ClearChangeMasks.
As a result, when the “NodeManager” triggers the ClearChangeMasks it happens that both Client1 and Client2 can or can’t read depending on which was the first session connected.
Tracking the session acquired by the OnReadUserAccessLevel event handler, it appears that the identity included in it is always the one of the first session connected.
Thus, I thoroughly analyzed and debugged the library and I found a possible solution to this bug which involves a fix to the "Opc.Ua.Server" library.
The text was updated successfully, but these errors were encountered: