Post on 16-Oct-2021
Jan Hatje, DESY. CSS Presentation @ GSI, Feb. 2009: Alarm System, Authorization, Remote Management
XFEL: The European X-Ray Laser Project, X-Ray Free-Electron Laser
CSS – Control System Studio
Alarm System, Authorization, Remote Management
Summary Presentation @ GSI, February 11th 2009
Matthias Clausen, Jan Hatje (DESY / MKS-2)
Presented by: Jan Hatje
Overview
• Alarm System
  – Structure of components
  – Management System
  – CSS Views of alarm status
• Authentication and Authorization
  – CSS Interfaces
  – Configuration of user access rights
• Remote management
  – Install and update CSS components
  – Management of CSS headless instances
Alarm System – Overview
• Common APIs for the JMS server, LDAP server and database → no special implementation is required
• JMS Messages (Key, Value) for all communication between components
• Alarm System can handle all kinds of messages (e.g. log messages)
• Several sources for alarm/log messages are possible (EPICS, D3, CSS, …)
• Sending alarms to different destinations (SMS, e-mail, voice mail, …)
• Users can configure filters for alarm messages themselves
• Redundancy for main components of the system
Alarm System – Structure
[Diagram labels: Alarm / Log message Sources (EPICS IOC, D3 PCM, CSS Instance); JMS Server; Persistent Store (LDAP); Archive DB; CSS Alarm Tools (Views, Configuration, …); Message Table; Message Archive; Alarm Management System; AMS Configuration; Alarm Tree; SMS; Mail; "Updated from IC"]
Alarm System – Persistent store
• Persistent Store (LDAP) holds a structured list of all records
• Records are ordered by facility name, component and controller
• Alarm status of a record:
  – epicsAlarmAcknTimeStamp
  – epicsAlarmSeverity
  – epicsAlarmStatus
  – epicsAlarmTimeStamp
• Alarm status is updated by the Interconnection Server (from IOC)
• Acknowledgement is set directly by the CSS instance concerned
• Source for Namespacebrowser → next presentation
Alarm System – Alarm Management System (AMS)
[Diagram labels: CSS Alarm Configurator; DB; Filter Manager; Filter; Action; Alarm Message (JMS); Read configuration; Write configuration; SMS Connector; Voice Mail Connector; Mail Connector; JMS; SMS; Voice Mail]
Alarm System – AMS Filter
Filter:
• Checks if the filter matches
• Creates a new message with the relevant information of the alarm message
• Forwards the message to an action
Filter condition:
• A filter is a combination of filter conditions
• Filter conditions can be connected with AND and OR
• Available condition types are: compare strings, check current PV, time-based condition, …
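The filter behaviour listed above (match, build a reduced message, forward it to an action) as an added Java sketch; it is not AMS code. The class, the message keys (NAME, FACILITY, SEVERITY, HOST) and the sample messages are constructed for illustration, and only the "compare strings" condition type is implemented.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.function.Consumer;
import java.util.function.Predicate;

// Added sketch (Java 17+). Class, method and message-key names are hypothetical.
public class AmsFilterDemo {

    /** "Compare strings" condition; a message without the key never matches. */
    static Predicate<Map<String, String>> stringEquals(String key, String expected) {
        return msg -> expected.equals(msg.get(key));
    }

    /** A filter: combined conditions, the keys worth forwarding, and the action. */
    record Filter(Predicate<Map<String, String>> condition,
                  List<String> relevantKeys,
                  Consumer<Map<String, String>> action) {

        /** Returns true if the alarm matched and a reduced message was forwarded. */
        boolean process(Map<String, String> alarm) {
            if (!condition.test(alarm)) return false;
            Map<String, String> out = new LinkedHashMap<>();
            for (String key : relevantKeys) {
                if (alarm.containsKey(key)) out.put(key, alarm.get(key));
            }
            action.accept(out); // e.g. hand over to an SMS or mail connector
            return true;
        }
    }

    public static void main(String[] args) {
        // (FACILITY == "XFEL" AND SEVERITY == "MAJOR") OR SEVERITY == "INVALID"
        Predicate<Map<String, String>> condition =
            stringEquals("FACILITY", "XFEL").and(stringEquals("SEVERITY", "MAJOR"))
                .or(stringEquals("SEVERITY", "INVALID"));
        Filter filter = new Filter(condition, List.of("NAME", "SEVERITY"),
            out -> System.out.println("forward to action: " + out));

        // Constructed key/value messages, standing in for JMS map messages.
        List<Map<String, String>> messages = List.of(
            Map.of("NAME", "pv:temp1", "FACILITY", "XFEL", "SEVERITY", "MAJOR", "HOST", "ioc01"),
            Map.of("NAME", "pv:temp2", "FACILITY", "XFEL", "SEVERITY", "MINOR"),
            Map.of("NAME", "pv:flow7", "SEVERITY", "INVALID"));
        for (Map<String, String> m : messages) {
            System.out.println(m.get("NAME") + " matched: " + filter.process(m));
        }
    }
}
```

Because the forwarded message is built only from the listed keys, fields such as HOST never reach the connector unless the filter names them.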
Alarm System – AMS operators and groups
Operators:
• Receive alarm messages via mail, SMS, …
• Status active or inactive can be set
• PIN code to acknowledge alarm messages
Groups:
• Operators responsible for specific facilities
• Defines the priority of who should be informed first, second, …
• Maximum delay for acknowledgment of alarm messages
Alarm System – Alarm Tree view
• Shows the current status of the persistent store (LDAP)
• Delete and create records and subcomponents by context menu
• Changes are stored in the LDAP server
• Alarm status is propagated to root component
• Property view to display and edit tree items
Alarm System – Alarm Table
Message properties, color and text for severities are configurable
Log View
• Shows all types of messages in chronological order
Alarm View
• Shows alarm messages
• Ordered by: 1. severity and 2. timestamp
Archive View
• Shows messages stored in archive DB
• Time period and search criteria settable
Alarm System – Acknowledgement
[Diagram labels: CSS Instance; Acknowledge Alarm message; Ack. Message (JMS); Update; Persistent Store (LDAP); JMS Server; Ack; further CSS Instances]
Authentication and Authorization – CSS Extensions
• Implementation of CSS rights management is located in separate plug-ins
• CSS Core provides extension points for authentication and authorization
[Diagram labels: CSS Core; loginModule; authorizationProvider; Implementation of an authentication module; Implementation of an authorization provider; SecurityFacade canExecute(id); Extension-Point; Service; CSS Plug-In; request]
Authentication and Authorization – Implementation
CSS is available with and without rights management
• Without rights management:
  – Deliver no implementation / plug-in for loginModule and authorizationProvider
  – All users are anonymous
  – With no authorizationProvider all CSS actions are available
• With rights management:
  – loginModule authenticates all users (@DESY: Java API JAAS with Kerberos module)
  – authorizationProvider checks for each action if the user is authorized (@DESY: LDAP implementation for authorize IDs, groups, roles)
Authentication and Authorization – AuthorizationID, Groups and Roles
Authorization at DESY
AuthorizeIDs are mapped to combinations of groups and roles.
Rights are granted by assigning a user to a group-role combination.
An Action is mapped to an AuthorizeID.
Naming rule for AuthorizeIDs
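The mapping described on this slide and the with/without rights management behaviour from the implementation slide, as an added Java sketch; it is not code from CSS. All type and method names, the AuthorizeIDs ("alarm.acknowledge", "alarm.deleteRecord"), users and groups are hypothetical, and denying an AuthorizeID that has no mapping is an assumption of this sketch.

```java
import java.util.Map;
import java.util.Set;
// Added sketch (Java 17+). All type, method and ID names are hypothetical, not taken from CSS.
public class AuthorizeIdDemo {

    /** One group-role combination. */
    record GroupRole(String group, String role) {}

    /** An authenticated user and the group-role combinations assigned to them. */
    record User(String name, Set<GroupRole> assignments) {}

    /** Stand-in for the authorizationProvider extension point. */
    interface AuthorizationProvider {
        boolean hasPermission(User user, String authorizeId);
    }

    /** In-memory stand-in for the LDAP mapping: AuthorizeID -> permitted combinations. */
    static AuthorizationProvider tableProvider(Map<String, Set<GroupRole>> mapping) {
        return (user, id) -> {
            Set<GroupRole> permitted = mapping.get(id);
            // Assumption of this sketch: no user or no mapping for the ID means "deny".
            if (user == null || permitted == null) return false;
            return user.assignments().stream().anyMatch(permitted::contains);
        };
    }

    /** Facade a plug-in asks before running an action; provider may be null. */
    record SecurityFacade(AuthorizationProvider provider) {
        boolean canExecute(User user, String authorizeId) {
            // No provider plug-in delivered: all actions are available, as the slides state.
            if (provider == null) return true;
            return provider.hasPermission(user, authorizeId);
        }
    }

    public static void main(String[] args) {
        // Constructed sample data.
        GroupRole operator = new GroupRole("controlroom", "operator");
        Map<String, Set<GroupRole>> mapping = Map.of("alarm.acknowledge", Set.of(operator));
        User alice = new User("alice", Set.of(operator));
        User bob = new User("bob", Set.of(new GroupRole("office", "guest")));
        SecurityFacade secured = new SecurityFacade(tableProvider(mapping));
        SecurityFacade open = new SecurityFacade(null);
        System.out.println("alice, mapped ID:    " + secured.canExecute(alice, "alarm.acknowledge"));
        System.out.println("bob, mapped ID:      " + secured.canExecute(bob, "alarm.acknowledge"));
        System.out.println("alice, unmapped ID:  " + secured.canExecute(alice, "alarm.deleteRecord"));
        System.out.println("anonymous, no provider: " + open.canExecute(null, "alarm.deleteRecord"));
    }
}
```

The last call shows the consequence of a build shipped without an authorization plug-in: the check passes for an anonymous user, so the presence of the provider is itself a deployment setting worth verifying.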
Authentication and Authorization – Name structure for authorizeID
• Hierarchical name structure for authorize IDs
• AuthorizationID service in CSS core shows all existing authorizationIDs in the system
• AuthorizeIDs must be unique
• The name structure is not mandatory; each institute can define its own structure
Authentication and Authorization – LDAP Structure
[Figure labels: User, Roles, Groups, AuthorizeIDs]
• User, Groups and Roles are updated by the DESY Registry
• AuthorizeIDs and the mapping can be set by the CSS plug-in “AuthorizeID” or manually.
• The DESY authorizationProvider “LDAPAuthorization” reads user rights from the LDAP server.
• AuthorizeIDs used in SDS displays are also stored in LDAP
Authentication and Authorization – Next steps
• Implementing authorization for all sensitive actions
• Collaboration with ORNL/SNS
• Make authentication module configurable via preferences → no changes in source code
• Current state of the project: http://elogbook.desy.de:8181 → CSS Core → Authentication and authorization
Remote Management – Management of CSS instances
• All remote features are located in separate plug-ins → CSS can easily be built with or without remote management
• CSS Core provides common remote commands (e.g. update plug-in, write preference, …)
• Each plug-in is able to provide its own remote commands
[Diagram labels: Office; Control room; CSS UI instances; CSS Manager instance; CSS Headless instance]
Remote Management – Current state
[Screenshot: available commands of selected instance]
• DESY Communication Framework (DCF) is based on XMPP
• DCF plug-in defines an extension point for actions
• Plug-ins can register remote actions at DCF
• DCF displays all CSS instances in a tree
• Pop up menu for available actions
Authentication and Authorization – ECF Prototype
• Prototype (remoteRCP) for basic remote management based on the Eclipse Communication Framework (ECF)
• Using OSGi services for remote commands
• RemoteRCP on the ECF wiki page: http://wiki.eclipse.org/Remote_Eclipse_RCP_Management
[Screenshot labels: all (online and offline) instances; selected instances to be managed; available remote commands; editor to handle specific remote command]
Authentication and Authorization – Next Steps
• ECF 2.1 now supports multiple resources (the same user can run multiple CSS instances)
• Integrate prototype components in CSS core
• Convert DCF actions to ECF commands
• Using chat, file transfer, shared desktop, … provided by ECF
Who is involved?
• Alarm Management System: C1-WPS / DESY
• Interconnection Server, JMS2Oracle: DESY
• Alarm Viewer: DESY
• Authentication and Authorization: DESY / SNS/ORNL
• Remote Management: DESY / University of Hamburg / C1-WPS