Alarm System - Control System Studio - CSS

The European
X-Ray Laser Project
XFEL
X-Ray Free-Electron Laser
CSS – Control System Studio
Alarm System, Authorization, Remote Management
Summary Presentation @ ITER March 8th 2009
Matthias Clausen, Jan Hatje (DESY / MKS-2)
Presented by: Jan Hatje
Jan Hatje, DESY
CSS Presentation @ ITER March 2009: Alarm System, Authorization, Remote Management
Overview
• Alarm System
  – Structure of components
  – Management System
  – CSS Views of alarm status
• Authentication and Authorization
  – CSS Interfaces
  – Configuration of user access rights
• Remote management
  – Install and update CSS components
  – Management of CSS headless instances
Alarm System
- Overview
• Common APIs for JMS server, LDAP server and database → no special implementation is required
• JMS messages (key, value) for all communication between components
• Alarm System can handle all kinds of messages (e.g. log messages)
• Several sources for alarm/log messages are possible (EPICS, D3, CSS, …)
• Sending alarms to different destinations (SMS, e-mail, voice mail, …)
• Users can configure filters for alarm messages themselves
• Redundancy for main components of the system
Alarm system
- Structure
[Diagram labels: Sources (EPICS IOC, D3 PCM, CSS Instance); Alarm / Log message; JMS Server; Archive DB; Persistent Store (LDAP), updated from IC; Alarm Management System; CSS Tools (Views, Configuration, …): Alarm Table, Message Archive, AMS Configuration, Alarm Tree]
Message sources
• EPICS IOC and D3 PCM send alarm messages in a special format
• Interconnection Server (EPICS) and D3 Alarms (D3) translate alarm messages into JMS format
• CSS uses log4j and sends log messages in JMS format
• Generic message system for alarm messages
• Easy to add other sources
[Diagram labels: EPICS IOC (special format) → Interconnection Server; D3 PCM (special format) → D3 Alarm Reader; CSS Instance; Other Sources; JMS Communication; JMS Server (Active MQ)]
Alarm System
- Persistent store
• Persistent Store (LDAP) holds a structured list of all records
• Represents the current alarm status of all records
• Records are ordered by facility name, component and controller
• Alarm status of a record:
  – epicsAlarmAcknTimeStamp
  – epicsAlarmSeverity
  – epicsAlarmStatus
  – epicsAlarmTimeStamp
• Alarm status is updated by the Interconnection Server (from IOC)
• Acknowledgement is set directly by the CSS instance concerned
• Source for Namespacebrowser → next presentation
[Diagram labels: Interconnection Server, D3 Alarm Reader, Persistent Store (LDAP)]
Alarm System
- Alarm Management System (AMS)
[Diagram labels: Alarm Message (JMS); CSS Alarm Configurator; Filter Manager; Filter; Action; Write Configuration; Read configuration; DB; SMS Connector; Voice Mail Connector; Mail Connector; Voice Mail]
Alarm System
- AMS Filter
Filter:
• Checks if the filter matches
• Creates a new message with the relevant information of the alarm message
• Forwards the message to an action
Filter condition:
• A filter is a combination of filter conditions
• Filter conditions can be connected with AND and OR
• Available condition types are: Compare strings, Check current PV, Time based condition, …
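The filter steps above (match, build a reduced message, forward it to an action) as an added Python sketch; it is not AMS code, and the function names, message keys and sample messages are assumptions made for this example. Only the "Compare strings" and "Time based" condition types are modelled.

```python
# Added illustration of the AMS filter idea; all names here are hypothetical.
from datetime import datetime

def str_equals(key, expected):
    # "Compare strings" condition; a message without the key never matches.
    return lambda msg: msg.get(key) == expected

def hour_between(key, start, end):
    # "Time based" condition on an ISO timestamp; the window may wrap midnight.
    def check(msg):
        try:
            hour = datetime.fromisoformat(msg[key]).hour
        except (KeyError, ValueError):
            return False  # missing or malformed time: no match
        return (start <= hour < end) if start <= end else (hour >= start or hour < end)
    return check

def all_of(*conds):  # AND
    return lambda msg: all(c(msg) for c in conds)

def any_of(*conds):  # OR
    return lambda msg: any(c(msg) for c in conds)

def make_filter(condition, relevant_keys, action):
    # Check the filter, build a reduced message, forward it to the action.
    def process(msg):
        if not condition(msg):
            return None
        out = {k: msg[k] for k in relevant_keys if k in msg}
        action(out)
        return out
    return process

# Constructed (key, value) messages; the keys are assumptions, not the AMS schema.
SAMPLES = [
    {"TYPE": "alarm", "SEVERITY": "MAJOR", "NAME": "pv:1", "EVENTTIME": "2009-03-08T23:15:00", "HOST": "ioc1"},
    {"TYPE": "alarm", "SEVERITY": "MINOR", "NAME": "pv:2", "EVENTTIME": "2009-03-08T23:20:00"},
    {"TYPE": "log", "SEVERITY": "MAJOR", "NAME": "css", "EVENTTIME": "2009-03-08T23:30:00"},
    {"TYPE": "alarm", "SEVERITY": "MAJOR", "NAME": "pv:3", "EVENTTIME": "not-a-time"},
]

def run_night_filter(messages):
    sent = []  # stands in for an SMS or mail connector
    severe = any_of(str_equals("SEVERITY", "MAJOR"), str_equals("SEVERITY", "INVALID"))
    cond = all_of(str_equals("TYPE", "alarm"), severe, hour_between("EVENTTIME", 22, 6))
    process = make_filter(cond, ["NAME", "SEVERITY", "EVENTTIME"], sent.append)
    for msg in messages:
        process(msg)
    return sent
```

The alarm with the malformed timestamp is dropped silently by this filter, so a production rule set would want a catch-all filter for messages that fail to parse.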
Alarm System
- AMS operators and groups
Operators:
• Receive alarm messages via mail, SMS, …
• Status active or inactive can be set
• PIN code to acknowledge alarm messages
Groups:
• Operators responsible for specific facilities
• Defines priority who should be informed first, second, …
• Maximum delay for acknowledgment of alarm messages
Alarm System
- Alarm Tree view
• Shows the current status of the persistent store (LDAP)
• Delete and create records and subcomponents by context menu
• Changes are stored in the LDAP server
• Alarm status is propagated to root component
• Property view to display and edit tree items
Alarm System
- Alarm Table
Message properties, color and text for severities are configurable
Log View
• Shows all types of messages in chronological order
Alarm View
• Shows alarm messages
• Ordered by: 1. severity and 2. timestamp
Archive View
• Shows messages stored in archive DB
• Time period and search criteria settable
Alarm System
- Acknowledgement
[Diagram labels: CSS Instance (Acknowledge alarm message); Ack. Message (JMS); JMS Server; Update; Persistent Store (LDAP); Ack to the other CSS instances]
Authentication and Authorization
- CSS Extensions
• Implementation of CSS rights management is located in separate plug-ins
• CSS Core provides extension points for authentication and authorization
[Diagram labels: CSS Core with service SecurityFacade; CSS plug-in sends request canExecute(id); extension points loginModule and authorizationProvider; CSS plug-in with the implementation of an authentication module; CSS plug-in with the implementation of an authorization provider]
Authentication and Authorization
- Implementation
CSS is available with and without rights management
• Without rights management:
  – Deliver no implementation / plug-in for loginModule and authorizationProvider
  – All users are anonymous
  – With no authorizationProvider all CSS actions are available
• With rights management:
  – loginModule authenticates all users (@DESY: Java API JAAS with Kerberos module)
  – authorizationProvider checks for each action whether the user is authorized (@DESY: LDAP implementation for AuthorizeIDs, groups, roles)
Authentication and Authorization
- Name structure for authorizeID
• Sensitive actions can be protected with an authorizationID
• Hierarchical name structure for authorizationIDs
• AuthorizationID service in CSS core shows all existing authorizationIDs in the system
• Not mandatory, each institute can define their own structure
Authentication and Authorization
- LDAP Structure
• Configuration for authorization and authentication is stored in LDAP
• Users, Groups and Roles are updated by DESY Registry
• AuthorizeIDs and the mapping can be set by CSS plug-in “AuthorizeID” or manually.
• DESY authorizationProvider “LDAPAuthorization” reads user rights from LDAP Server.
[Figure labels: Groups (technical aspect), Roles (administrative aspect), User, AuthorizeIDs]
Authentication and Authorization
- AuthorizationID, Groups and Roles
CSS plug-in “Authorize ID”
• An action is mapped to an AuthorizeID.
• Naming rule for AuthorizeIDs
• AuthorizeIDs are mapped to combinations of groups and roles.
• Rights are granted by assigning a user to a group-role combination.
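The mapping chain on this slide (action → AuthorizeID → group-role combinations → user), together with the earlier "Implementation" slide's rule that all actions are available when no authorizationProvider is delivered, as an added Python model. It is not CSS code: the class names, AuthorizeIDs, groups, roles and users are constructed, and denying an unmapped AuthorizeID is an assumption the slides do not state.

```python
# Added model of the scheme on the slides; class and ID names are hypothetical.
class InMemoryProvider:
    """Stands in for an authorizationProvider (the DESY one reads LDAP)."""
    def __init__(self, id_rights, user_rights):
        self.id_rights = id_rights      # AuthorizeID -> {(group, role), ...}
        self.user_rights = user_rights  # user -> {(group, role), ...}

    def can_execute(self, user, authorize_id):
        required = self.id_rights.get(authorize_id)
        if not required:
            return False  # assumption: an unmapped AuthorizeID is denied
        return bool(required & self.user_rights.get(user, set()))

class Facade:
    """Single entry point that actions ask before running."""
    def __init__(self, provider=None):
        self.provider = provider

    def can_execute(self, user, authorize_id):
        if self.provider is None:
            return True  # as on the slides: no provider, all actions available
        return self.provider.can_execute(user, authorize_id)

def unmapped_ids(action_ids, provider):
    """AuthorizeIDs used by actions that no group-role combination can reach."""
    return sorted({i for i in action_ids.values() if not provider.id_rights.get(i)})

# Constructed data: action -> AuthorizeID, AuthorizeID -> combos, user -> combos.
ACTION_IDS = {
    "AcknowledgeAlarm": "alarm.acknowledge",
    "WritePreference": "remote.writePreference",
    "DeleteRecord": "alarmTree.deleteRecord",
}
ID_RIGHTS = {
    "alarm.acknowledge": {("cryo", "operator"), ("cryo", "expert")},
    "remote.writePreference": {("css", "admin")},
}
USER_RIGHTS = {
    "alice": {("cryo", "operator")},
    "bob": {("cryo", "guest"), ("vacuum", "operator")},
}
```

A build that ships without the provider plug-in answers every check with "allowed", so a deployment check should confirm the provider is present, and `unmapped_ids` lists sensitive actions whose AuthorizeID has not yet been mapped to any group-role combination.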
Authentication and Authorization
- Next steps
• Implementing authorization for all sensitive actions
• Collaboration with ORNL/SNS
• Make authentication module configurable via preferences → no changes in source code
• Current state of the project: http://elogbook.desy.de:8181 → CSS Core → Authentication and authorization
Remote Management
- Management of CSS instances
• All remote features are located in separate plug-ins → CSS can easily be built with or without remote management
• CSS Core provides common remote commands (e.g. update plug-in, write preference, …)
• Each plug-in is able to provide its own remote commands
[Diagram labels: CSS Manager instance; Office (CSS UI instances); Control room (CSS UI instances); CSS UI and CSS Headless instances]
Remote Management
- Current state
• DESY Communication Framework (DCF) is based on XMPP
• DCF plug-in defines an extension point for actions
• Plug-ins can register remote actions at DCF
• DCF displays all CSS instances in a tree
• Pop-up menu for available actions
[Screenshot callout: Available commands of selected instance]
Authentication and Authorization
- ECF Prototype
• Prototype (remoteRCP) for basic remote management on the basis of the Eclipse Communication Framework (ECF)
• Using OSGi services for remote commands
• RemoteRCP on the ECF wiki page: http://wiki.eclipse.org/Remote_Eclipse_RCP_Management
[Screenshot callouts: Editor to handle specific remote command; All (online and offline) instances; Selected instances to be managed; Available remote commands]
Authentication and Authorization
- Next Steps
• ECF 2.1 now supports multiple resources (the same user can run multiple CSS instances)
• Integrate prototype components in CSS core
• Convert DCF actions to ECF commands
• Using chat, file transfer, shared desktop, … provided by ECF
Who is involved?
• Alarm Management System: C1-WPS / DESY
• Interconnection Server, JMS2Oracle: DESY
• Alarm Viewer: DESY
• Authentication and Authorization: DESY / SNS/ORNL
• Remote Management: DESY / University of Hamburg / C1-WPS