Jan Hatje, DESY CSS Presentation @ ITER March 2009: Alarm System, Authorization, Remote Management...
XFEL The European X-Ray Laser Project X-Ray Free-Electron Laser
CSS – Control System Studio
Alarm System, Authorization, Remote Management
CSS – Control System Studio Summary Presentation @ ITER March 8th 2009
Matthias Clausen, Jan Hatje (DESY / MKS-2)
Presented by: Jan Hatje
Overview
• Alarm System
  – Structure of components
  – Management System
  – CSS Views of alarm status
• Authentication and Authorization
  – CSS Interfaces
  – Configuration of user access rights
• Remote management
  – Install and update CSS components
  – Management of CSS headless instances
Alarm System - Overview
• Common APIs for JMS server, LDAP server and database → no special implementation is required
• JMS Messages (Key, Value) for all communication between components
• Alarm System can handle all kinds of messages (e.g. log messages)
• Several sources for alarm/log messages are possible (EPICS, D3, CSS, …)
• Sending alarms to different destinations (SMS, e-mail, voice mail, …)
• Users can configure filters for alarm messages themselves
• Redundancy for main components of the system
Alarm system - Structure
[Diagram. Labels: Alarm / Log message sources (EPICS IOC, D3 PCM, CSS Instance); JMS Server; Persistent Store (LDAP); Archive DB; CSS Alarm Tools (Views, Configuration, …); Message Table; Message Archive; Alarm Management System (AMS); Configuration; Alarm Tree; SMS; Mail; Updated from IC]
JMS Communication
• EPICS IOC and D3 PCM send alarm messages in a special format
• Interconnection Server (EPICS) and D3 Alarms (D3) translate alarm messages into JMS format
• CSS uses log4j and sends log messages in JMS format
• Generic message system for alarm messages
• Easy to add other sources
[Diagram. Labels: Message sources (EPICS IOC, D3 PCM, CSS Instance); Other Sources; Special Format; InterconnectionServer; D3 AlarmReader; JMS Server (Active MQ)]
Alarm System - Persistent store
• Persistent Store (LDAP) holds structured list of all records
• Represents the current alarm status of all records
• Records are ordered by facility name, component and controller
• Alarm status of a record:
  – epicsAlarmAcknTimeStamp
  – epicsAlarmSeverity
  – epicsAlarmStatus
  – epicsAlarmTimeStamp
• Alarm status is updated by Interconnection Server (from IOC)
• Acknowledgement is set directly by the CSS instance concerned
• Source for Namespacebrowser → next presentation
[Diagram. Labels: Persistent Store (LDAP); InterconnectionServer; D3 AlarmReader; Update; Update (not yet implemented)]
Alarm System - Alarm Management System (AMS)
[Diagram. Labels: CSS Alarm Configurator; DB; Filter Manager; Filter; Action; Alarm Message (JMS); Read configuration; Write Configuration; JMS; SMS Connector; Voice Mail Connector; Mail Connector; SMS; Voice]
Alarm System - AMS Filter
Filter:
• Checks if the filter matches
• Creates a new message with the relevant information of the alarm message
• Forwards the message to an action
Filter condition:
• A Filter is a combination of filter conditions
• Filter conditions can be connected with AND and OR
• Available condition types are: Compare strings, Check current PV, Time based condition, …
Alarm System - AMS operators and groups
Operators:
• Receive alarm messages via mail, SMS, …
• Status active or inactive can be set
• PIN code to acknowledge alarm messages
Groups:
• Operators responsible for specific facilities
• Defines priority who should be informed first, second, …
• Maximum delay for acknowledgment of alarm messages
Alarm System - Alarm Tree view
• Shows the current status of the persistent store (LDAP)
• Delete and create records and subcomponents by context menu
• Changes are stored in the LDAP server
• Alarm status is propagated to root component
• Property view to display and edit tree items
Alarm System - Alarm Table
Message properties, color and text for severities are configurable
Log View
• Shows all types of messages in a chronological order
Alarm View
• Shows alarm messages
• Ordered by: 1. severity and 2. timestamp
Archive View
• Shows messages stored in archive DB
• Time period and search criteria settable
Alarm System - Acknowledgement
[Diagram. Labels: CSS Instance; Acknowledge alarm message; Ack. Message (JMS); Update; Persistent Store (LDAP); JMS Server; Ack; CSS Instances]
Authentication and Authorization - CSS Extensions
• Implementation of CSS rights management is located in separate plug-ins
• CSS Core provides extension points for authentication and authorization
[Diagram. Labels: CSS Core; Extension-Point: loginModule, authorizationProvider; Implementation of an authentication module; Implementation of an authorization provider; Service: SecurityFasade, canExecute(id); CSS Plug-In; request]
Authentication and Authorization - Implementation
CSS is available with and without rights management
• Without rights management:
  – Deliver no implementation / plug-in for loginModule and authorizationProvider
  – All users are anonymous
  – With no authorizationProvider all CSS actions are available
• With rights management:
  – loginModule authenticates all users. (@DESY Java-API JAAS with Kerberos module)
  – AuthorizationProvider checks for each action if the user is authorized (@DESY LDAP implementation for authorize IDs, groups, roles)
Authentication and Authorization - Name structure for authorizeID
• Sensitive actions can be protected with an authorizationID
• Hierarchical name structure for authorizationIDs
• AuthorizationID service in CSS core shows all existing authorizationIDs in the system
• Not mandatory, each institute can define their own structure
Authentication and Authorization - LDAP Structure
[Figure. Labels: User; Roles (administrative aspect); Groups (technical aspect); AuthorizeIDs]
• Configuration for authorization and authentication is stored in LDAP
• User, Groups and Roles are updated by DESY Registry
• AuthorizeIDs and the mapping can be set by CSS plug-in “AuthorizeID” or manually.
• DESY authorizationProvider “LDAPAuthorization” reads user rights from LDAP Server.
Authentication and Authorization - AuthorizationID, Groups and Roles
CSS plug-in “Authorize ID”
An Action is mapped to an AuthorizeID.
Naming rule for AuthorizeIDs
AuthorizeIDs are mapped to combinations of groups and roles.
Rights are granted by assigning a user to a group-role combination.
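The check chain from the authorization slides (action → AuthorizeID → group-role combination → user), as an added Java sketch that is not CSS source code. The class names, the in-memory maps standing in for LDAP, the sample IDs, groups and users, and the deny-by-default handling of anonymous users and unmapped IDs are assumptions.

```java
import java.util.*;

// Added illustration; class, method and ID names are hypothetical, not the CSS code base.
public class AuthorizationSketch {
    // A right is a (group, role) combination, as in the LDAP structure on the slides.
    record GroupRole(String group, String role) {}

    // Stand-in for the authorizationProvider extension point.
    interface AuthorizationProvider {
        boolean isAuthorized(String user, String authorizeId);
    }

    // Stand-in for an LDAP-backed provider, using in-memory maps instead of a directory.
    static class MapProvider implements AuthorizationProvider {
        final Map<String, Set<GroupRole>> idToRights = new HashMap<>();
        final Map<String, Set<GroupRole>> userToRights = new HashMap<>();

        public boolean isAuthorized(String user, String authorizeId) {
            Set<GroupRole> required = idToRights.get(authorizeId);
            // Assumption: anonymous users and IDs without a mapping are denied.
            if (user == null || required == null) return false;
            // Holding one of the mapped group-role combinations is enough.
            return !Collections.disjoint(required, userToRights.getOrDefault(user, Set.of()));
        }
    }

    // Stand-in for the facade's canExecute(id). provider == null models a build
    // without rights management, where the slides say every action is available.
    static boolean canExecute(AuthorizationProvider provider, String user, String authorizeId) {
        if (provider == null) return true;
        return provider.isAuthorized(user, authorizeId);
    }

    public static void main(String[] args) {
        MapProvider ldap = new MapProvider();
        // Constructed sample data: the authorize ID, groups, roles and users are invented.
        ldap.idToRights.put("alarm.acknowledge", Set.of(new GroupRole("cryo", "operator")));
        ldap.userToRights.put("alice", Set.of(new GroupRole("cryo", "operator")));
        ldap.userToRights.put("bob", Set.of(new GroupRole("cryo", "guest")));

        System.out.println(canExecute(ldap, "alice", "alarm.acknowledge")); // holds cryo/operator
        System.out.println(canExecute(ldap, "bob", "alarm.acknowledge"));   // same group, other role
        System.out.println(canExecute(ldap, null, "alarm.acknowledge"));    // anonymous user
        System.out.println(canExecute(ldap, "alice", "alarm.delete"));      // ID with no mapping
        System.out.println(canExecute(null, null, "alarm.acknowledge"));    // no provider installed
    }
}
```

The last call succeeds for an anonymous caller because no provider is present, which matches the "without rights management" build described on the slides; whether the authorization plug-in is actually installed is therefore worth verifying on every deployed instance.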
Authentication and Authorization - Next steps
• Implementing authorization for all sensitive actions
• Collaboration with ORNL/SNS
• Make authentication module configurable via preferences → no changes in source code
• Current state of the project: http://elogbook.desy.de:8181 → CSS Core → Authentication and authorization
Remote Management - Management of CSS instances
[Diagram. Labels: Office; Control room; CSS UI instances; CSS Manager instance; CSS Headless instance]
• All remote features are located in separate plug-ins → CSS can easily be built with or without remote management
• CSS Core provides common remote commands (e.g. update plug-in, write preference, …)
• Each plug-in is able to provide its own remote commands
Remote Management - Current state
Available commands of selected instance
• DESY Communication Framework (DCF) is based on XMPP
• DCF plug-in defines an extension point for actions
• Plug-ins can register remote actions at DCF
• DCF displays all CSS instances in a tree
• Pop up menu for available actions
Authentication and Authorization - ECF Prototype
• Prototype (remoteRCP) for basic remote management on basis of Eclipse Communication Framework (ECF)
• Using OSGI services for remote commands
• RemoteRCP on the ECF wiki page: http://wiki.eclipse.org/Remote_Eclipse_RCP_Management
[Screenshot. Captions: All (online and offline) instances; Selected instances to be managed; Available remote commands; Editor to handle specific remote command]
Authentication and Authorization - Next Steps
• ECF 2.1 now supports multiple resources (the same user can run multiple CSS instances)
• Integrate prototype components in CSS core
• Convert DCF actions to ECF commands
• Using chat, file transfer, shared desktop, … provided by ECF
Who is involved?
• Alarm Management System: C1-WPS / DESY
• Interconnection Server, JMS2Oracle: DESY
• Alarm Viewer: DESY
• Authentication and Authorization: DESY / SNS/ORNL
• Remote Management: DESY / University of Hamburg / C1-WPS