CSS – Control System Studio: Alarm System, Authorization, Remote Management
Jan Hatje, DESY. CSS Presentation @ GSI Feb. 2009: Alarm System, Authorization, Remote Management
XFEL: The European X-Ray Laser Project (X-Ray Free-Electron Laser)
CSS – Control System Studio
Alarm System, Authorization, Remote Management
Summary Presentation @ GSI, February 11th 2009
Matthias Clausen, Jan Hatje (DESY / MKS-2)
Presented by: Jan Hatje
Overview
• Alarm System
  – Structure of components
  – Management System
  – CSS Views of alarm status
• Authentication and Authorization
  – CSS Interfaces
  – Configuration of user access rights
• Remote management
  – Install and update CSS components
  – Management of CSS headless instances
Alarm System - Overview
• Common APIs for JMS server, LDAP server and database → no special implementation is required
• JMS Messages (Key, Value) for all communication between components
• Alarm System can handle all kinds of messages (e.g. log messages)
• Several sources for alarm/log messages are possible (EPICS, D3, CSS, …)
• Sending alarms to different destinations (SMS, e-mail, voice mail, …)
• Users can configure filters for alarm messages themselves
• Redundancy for main components of the system
Alarm System - Structure
[Diagram; labels: Alarm / Log message Sources (EPICS IOC, D3 PCM, CSS Instance), JMS Server, Persistent Store (LDAP) (shown twice), Archive DB (shown twice), CSS Alarm Tools (Views, Configuration, …), Message Table, Message Archive, Alarm Management System (AMS), Configuration, Alarm Tree, SMS, Mail, "Updated from IC"]
Alarm System - Persistent store
• Persistent Store (LDAP) holds structured list of all records
• Records are ordered by facility name, component and controller
• Alarm status of a record:
  – epicsAlarmAcknTimeStamp
  – epicsAlarmSeverity
  – epicsAlarmStatus
  – epicsAlarmTimeStamp
• Alarm status is updated by Interconnection Server (from IOC)
• Acknowledgement is set directly by the CSS instance concerned
• Source for Namespacebrowser → next presentation
Alarm System - Alarm Management System (AMS)
[Diagram; labels: CSS Alarm Configurator, DB, Write Configuration, Read configuration, Alarm Message (JMS), Filter Manager, Filter, Action, JMS, SMS Connector, Voice Mail Connector, Mail Connector, SMS, Voice]
Alarm System - AMS Filter
Filter:
• Checks if the filter matches
• Creates a new message with the relevant information of the alarm message
• Forwards the message to an action
Filter condition:
• A Filter is a combination of filter conditions
• Filter conditions can be connected with AND and OR
• Available condition types are: Compare strings, Check current PV, Time based condition, …
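The filter behaviour listed on this slide, as an added Python sketch that is not AMS code: conditions are combined with AND/OR, and a matching filter builds a reduced message and hands it to an action. The property names (`NAME`, `SEVERITY`, `TIME`, `HOST`), the night-time window and the helper names are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import time
from typing import Callable, Dict, List

Message = Dict[str, str]               # alarm message as key/value pairs
Condition = Callable[[Message], bool]

def string_equals(key: str, expected: str) -> Condition:
    """'Compare strings' condition on one message property."""
    return lambda msg: msg.get(key) == expected

def time_between(key: str, start: time, end: time) -> Condition:
    """Time-based condition; a window such as 22:00-06:00 wraps past midnight."""
    def check(msg: Message) -> bool:
        try:
            t = time.fromisoformat(msg.get(key, ""))
        except ValueError:              # missing or malformed time: no match
            return False
        return start <= t < end if start <= end else (t >= start or t < end)
    return check

def all_of(*conds: Condition) -> Condition:    # AND
    return lambda msg: all(c(msg) for c in conds)

def any_of(*conds: Condition) -> Condition:    # OR
    return lambda msg: any(c(msg) for c in conds)

@dataclass
class Filter:
    condition: Condition
    relevant_keys: List[str]            # properties copied into the new message
    action: Callable[[Message], None]   # e.g. hand-off to an SMS or mail connector

    def process(self, msg: Message) -> bool:
        if not self.condition(msg):
            return False
        self.action({k: msg[k] for k in self.relevant_keys if k in msg})
        return True

# Constructed sample: MAJOR or INVALID alarms at night go to the on-call action.
forwarded: List[Message] = []
night_filter = Filter(
    condition=all_of(
        any_of(string_equals("SEVERITY", "MAJOR"), string_equals("SEVERITY", "INVALID")),
        time_between("TIME", time(22, 0), time(6, 0)),
    ),
    relevant_keys=["NAME", "SEVERITY", "TIME"],
    action=forwarded.append,
)
```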
Alarm System - AMS operators and groups
Operators:
• Receive alarm messages via mail, SMS, …
• Status active or inactive can be set
• PIN code to acknowledge alarm messages
Groups:
• Operators responsible for specific facilities
• Defines priority who should be informed first, second, …
• Maximum delay for acknowledgment of alarm messages
Alarm System - Alarm Tree view
• Shows the current status of the persistent store (LDAP)
• Delete and create records and subcomponents by context menu
• Changes are stored in the LDAP server
• Alarm status is propagated to root component
• Property view to display and edit tree items
Alarm System - Alarm Table
Message properties, color and text for severities are configurable
Log View
• Shows all types of messages in a chronological order
Alarm View
• Shows alarm messages
• Ordered by: 1. severity and 2. timestamp
Archive View
• Shows messages stored in archive DB
• Time period and search criteria settable
Alarm System - Acknowledgement
[Diagram; labels: CSS Instance, Acknowledge Alarm message, Ack. Message (JMS), JMS Server, Update, Persistent Store (LDAP) (shown twice), Ack (to each of four further CSS Instances)]
Authentication and Authorization - CSS Extensions
• Implementation of CSS rights management is located in separate plug-ins
• CSS Core provides extension points for authentication and authorization
[Diagram; labels: CSS Core, Extension-Point (loginModule, authorizationProvider), Service (SecurityFacade, canExecute(id)), CSS Plug-In: implementation of an authentication module, CSS Plug-In: implementation of an authorization provider, CSS Plug-In: request]
Authentication and Authorization - Implementation
CSS is available with and without rights management
• Without rights management:
  – Deliver no implementation / plug-in for loginModule and authorizationProvider
  – All users are anonymous
  – With no authorizationProvider all CSS actions are available
• With rights management:
  – loginModule authenticates all users (@DESY: Java API JAAS with Kerberos module)
  – AuthorizationProvider checks for each action if the user is authorized (@DESY: LDAP implementation for authorize IDs, groups, roles)
Authentication and Authorization - AuthorizationID, Groups and Roles
Authorization at DESY
An Action is mapped to an AuthorizeID. Naming rule for AuthorizeIDs
AuthorizeIDs are mapped to combinations of groups and roles.
Rights are granted by assigning a user to a group-role combination.
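The decision path described on the last two slides (no provider means every action is available; otherwise an AuthorizeID is granted through a group-role combination the user holds), as an added Python model that is not CSS or DESY code. All IDs, groups, roles and user names are constructed, and the `default` result for an unregistered AuthorizeID is an assumption of this sketch.

```python
from typing import Dict, Optional, Set, Tuple

GroupRole = Tuple[str, str]             # one (group, role) combination

class LdapStyleProvider:
    """Model of an authorization provider; a real one would read LDAP."""
    def __init__(self, id_map: Dict[str, Set[GroupRole]],
                 user_map: Dict[str, Set[GroupRole]]) -> None:
        self.id_map = id_map            # AuthorizeID -> allowed combinations
        self.user_map = user_map        # user -> assigned combinations

    def allowed(self, user: Optional[str], authorize_id: str,
                default: bool) -> bool:
        required = self.id_map.get(authorize_id)
        if required is None:            # ID not registered: caller's default
            return default
        return bool(required & self.user_map.get(user or "", set()))

    def users_allowed(self, authorize_id: str) -> Set[str]:
        """Access review: every user holding a combination mapped to the ID."""
        required = self.id_map.get(authorize_id, set())
        return {u for u, held in self.user_map.items() if held & required}

class SecurityFacade:
    """Model of the facade's canExecute(id) check, not the CSS class."""
    def __init__(self, provider: Optional[LdapStyleProvider] = None,
                 user: Optional[str] = None) -> None:
        self.provider, self.user = provider, user

    def can_execute(self, authorize_id: str, default: bool = False) -> bool:
        if self.provider is None:       # built without rights management:
            return True                 # every action is available
        return self.provider.allowed(self.user, authorize_id, default)

# Constructed sample data; IDs, groups, roles and users are hypothetical.
ID_MAP = {
    "alarm.acknowledge": {("mks2", "operator"), ("mks2", "admin")},
    "remote.updatePlugin": {("mks2", "admin")},
}
USER_MAP = {"alice": {("mks2", "operator")}, "bob": {("mks2", "admin")}}
PROVIDER = LdapStyleProvider(ID_MAP, USER_MAP)
```

The first branch of `can_execute` is the point to check in a deployment: a build that ships without the provider plug-in allows every action, so the presence of that plug-in is itself part of the access-control configuration.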
Authentication and Authorization - Name structure for authorizeID
• Hierarchical name structure for authorize IDs
• AuthorizationID service in CSS core shows all existing authorizationIDs in the system
• AuthorizeIDs must be unique
• Not mandatory, each institute can define their own structure
Authentication and Authorization - LDAP Structure
[Diagram; labels: User, Roles, Groups, AuthorizeIDs]
• User, Groups and Roles are updated by DESY Registry
• AuthorizeIDs and the mapping can be set by CSS plug-in “AuthorizeID” or manually.
• DESY authorizationProvider “LDAPAuthorization” reads user rights from LDAP Server.
• AuthorizeIDs used in SDS displays are also stored in LDAP
Authentication and Authorization - Next steps
• Implementing authorization for all sensitive actions
• Collaboration with ORNL/SNS
• Make authentication module configurable via preferences → no changes in source code
• Current state of the project: http://elogbook.desy.de:8181 → CSS Core → Authentication and authorization
Remote Management - Management of CSS instances
[Diagram; labels: Office, Control room, CSS Manager instance, CSS UI instance (several), CSS Headless instance]
• All remote features are located in separate plug-ins → CSS can easily be built with or without remote management
• CSS Core provides common remote commands (e.g. update plug-in, write preference, …)
• Each plug-in is able to provide its own remote commands
Remote Management - Current state
Available commands of selected instance
• DESY Communication Framework (DCF) is based on XMPP
• DCF plug-in defines an extension point for actions
• Plug-ins can register remote actions at DCF
• DCF displays all CSS instances in a tree
• Pop up menu for available actions
Authentication and Authorization - ECF Prototype
• Prototype (remoteRCP) for basic remote management on basis of Eclipse Communication Framework (ECF)
• Using OSGi services for remote commands
• RemoteRCP on the ECF wiki page: http://wiki.eclipse.org/Remote_Eclipse_RCP_Management
[Screenshot; labels: All (online and offline) instances, Selected instances to be managed, Available remote commands, Editor to handle specific remote command]
Authentication and Authorization - Next Steps
• ECF 2.1 now supports multiple resources (the same user can run multiple CSS instances)
• Integrate prototype components in CSS core
• Convert DCF actions to ECF commands
• Using chat, file transfer, shared desktop, … provided by ECF
Who is involved?
• Alarm Management System: C1-WPS / DESY
• Interconnection Server, JMS2Oracle: DESY
• Alarm Viewer: DESY
• Authentication and Authorization: DESY / SNS/ORNL
• Remote Management: DESY / University of Hamburg / C1-WPS