Restrict session security diagnostics access#1803
Merged
Merged
Conversation
kevinherron
force-pushed
the
codex/restrict-session-security-diagnostics
branch
from
July 16, 2026 02:31
e9f2b9e to
88f7b8b
Compare
Enforce standard role permissions for security diagnostics and the diagnostics enabled flag, and propagate role and channel restrictions to dynamically created security nodes. Keep ordinary session diagnostics and generic access control unchanged. Provide an explicit legacy access mode so upgrading servers can preserve the previous authorization behavior without configuring a RoleMapper.
kevinherron
force-pushed
the
codex/restrict-session-security-diagnostics
branch
from
July 16, 2026 02:46
ecf63b0 to
6bc1aaa
Compare
kevinherron
marked this pull request as ready for review
July 16, 2026 11:43
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
RolePermissionsfor cross-session security diagnostics and diagnosticsEnabledFlagwrites in the defaultRESTRICTEDmodeRolePermissions,UserRolePermissions, and protected-channelAccessRestrictionsto runtime-created security-diagnostics nodesLEGACYaccess mode for servers that need the previous diagnostics authorization behavior without configuring aRoleMapperSessionDiagnosticsbehavior andDefaultAccessControllerunchangedBehavior
In
RESTRICTEDmode, session-specificUserAccessLevelandUserRolePermissionsare derived from the standard node metadata.SecurityAdminor an explicitly configured equivalent role can read session security diagnostics;ConfigureAdmin,SecurityAdmin, or an explicitly configured equivalent role can write the diagnostics enabled flag. Without aRoleMapper, sensitive Value reads fail closed and the enabled flag remains read-only.LEGACYmode preserves the previous authorization behavior without requiring role mapping. Signing and encryption restrictions continue to be propagated to runtime-created security-diagnostics nodes in both modes.Role-based Browse behavior continues to follow the generic access controller's existing
RoleMappersemantics; this change adds no diagnostics-specific controller behavior.Regression coverage
Focused tests cover:
SecurityAdmin,ConfigureAdmin, and explicitly authorized equivalent rolesRoleMapperVerification
mise exec -- mvn -q spotless:applymise exec -- mvn -q -pl opc-ua-sdk/sdk-server -am test -Dtest=SessionSecurityDiagnosticsAccessModeTest,UtilTest,SessionsDiagnosticsSummaryObjectTest,SessionSecurityDiagnosticsVariableArrayTest -Dsurefire.failIfNoSpecifiedTests=falsemise exec -- mvn -q clean compile