The European X-Ray Laser Project XFEL
X-Ray Free-Electron Laser

CSS – Control System Studio
Alarm System, Authorization, Remote Management

CSS – Control System Studio Summary
Presentation @ ITER, March 8th 2009
Matthias Clausen, Jan Hatje (DESY / MKS-2)
Presented by: Jan Hatje, DESY

CSS Presentation @ ITER March 2009: Alarm System, Authorization, Remote Management

Overview
• Alarm System
  – Structure of components
  – Management System
  – CSS Views of alarm status
• Authentication and Authorization
  – CSS Interfaces
  – Configuration of user access rights
• Remote management
  – Install and update CSS components
  – Management of CSS headless instances

Alarm System - Overview
• Common APIs for the JMS server, LDAP server and database → no special implementation is required
• JMS messages (key, value) for all communication between components
• The alarm system can handle all kinds of messages (e.g. log messages)
• Several sources for alarm/log messages are possible (EPICS, D3, CSS, …)
• Sending alarms to different destinations (SMS, e-mail, voice mail, …)
• Users can configure filters for alarm messages themselves
• Redundancy for the main components of the system

Alarm System - Structure
[Diagram labels: Alarm / Log message Sources (EPICS IOC, D3 PCM, CSS Instance); JMS Server; Alarm Management System (Mail, SMS); Archive DB; Persistent Store (LDAP), updated from IC; CSS Alarm Tools (Views, Configuration, …): Message Table, Archive, AMS Configuration, Alarm Tree]

Message sources
• EPICS IOC and D3 PCM send alarm messages in a special format
• Interconnection Server (EPICS) and D3 Alarms (D3) translate alarm messages into JMS format
• CSS uses log4j and sends log messages in JMS format
• Generic message system for alarm messages
• Easy to add other sources
[Diagram labels: EPICS IOC and D3 PCM (Special Format); Interconnection Server; D3 Alarm Reader; Other Sources; CSS Instance; JMS Communication; JMS Server (ActiveMQ)]

Alarm System - Persistent store
• Persistent Store (LDAP) holds a structured list of all records
• Represents the current alarm status of all records
• Records are ordered by facility name, component and controller
• Alarm status of a record:
  – epicsAlarmAcknTimeStamp
  – epicsAlarmSeverity
  – epicsAlarmStatus
  – epicsAlarmTimeStamp
• Alarm status is updated by the Interconnection Server (from IOC)
• Acknowledge is set directly by the CSS instance concerned
• Source for Namespacebrowser → next presentation
[Diagram labels: Interconnection Server: Update; D3 Alarm Reader: Update (not yet implemented); Persistent Store (LDAP)]

Alarm System - Alarm Management System (AMS)
[Diagram labels: Alarm Message (JMS); CSS Alarm Configurator (Write Configuration); DB; Filter Manager (Read configuration); Action; JMS; SMS Connector (SMS); Voice Mail Connector (Voice Mail); Mail Connector (Mail)]

Alarm System - AMS
Filter:
• Checks if the filter matches
• Creates a new message with the relevant information of the alarm message
• Forwards the message to an action
Filter condition:
• A filter is a combination of filter conditions
• Filter conditions can be connected with AND and OR
• Available condition types are: compare strings, check current PV, time-based condition, …

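The filter step described on this slide (conditions joined with AND/OR, a new message built from the relevant properties, hand-over to an action), as an added Java example that is not code from the AMS or from the presentation. The class and method names, the message property keys and the sample alarm are assumptions made for the illustration.

```java
import java.time.LocalTime;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.function.Predicate;
import java.util.function.Supplier;

public class AmsFilterSketch {
    /** Condition type "compare strings": one message property against a fixed value. */
    static Predicate<Map<String, String>> compare(String key, String expected) {
        return msg -> expected.equals(msg.get(key));
    }

    /** Condition type "time based": true while the clock is inside [from, to). */
    static Predicate<Map<String, String>> between(LocalTime from, LocalTime to,
                                                  Supplier<LocalTime> clock) {
        return msg -> !clock.get().isBefore(from) && clock.get().isBefore(to);
    }

    /** Filter step: test the conditions, copy the relevant properties, return the new message. */
    static Optional<Map<String, String>> filter(Predicate<Map<String, String>> conditions,
                                                Map<String, String> alarm, List<String> relevant) {
        if (!conditions.test(alarm)) {
            return Optional.empty();              // no match: nothing is forwarded
        }
        Map<String, String> out = new LinkedHashMap<>();
        for (String key : relevant) {
            if (alarm.containsKey(key)) out.put(key, alarm.get(key));
        }
        return Optional.of(out);
    }

    public static void main(String[] args) {
        // Constructed sample message; the property keys are assumptions.
        Map<String, String> alarm = Map.of("NAME", "pump1:temp", "SEVERITY", "MAJOR",
                                           "FACILITY", "cryo", "HOST", "ioc17");
        Supplier<LocalTime> clock = () -> LocalTime.of(2, 30);    // fixed clock for the demo
        // (SEVERITY is MAJOR OR SEVERITY is INVALID) AND time inside 00:00-06:00
        Predicate<Map<String, String>> nightMajor =
            compare("SEVERITY", "MAJOR").or(compare("SEVERITY", "INVALID"))
                .and(between(LocalTime.MIDNIGHT, LocalTime.of(6, 0), clock));

        filter(nightMajor, alarm, List.of("NAME", "SEVERITY", "FACILITY"))
            .ifPresent(msg -> System.out.println("forward to SMS action: " + msg));
    }
}
```
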
Alarm System - AMS operators and groups
Operators:
• Receive alarm messages via mail, SMS, …
• Status active or inactive can be set
• PIN code to acknowledge alarm messages
Groups:
• Operators responsible for specific facilities
• Defines priority who should be informed first, second, …
• Maximum delay for acknowledgment of alarm messages

Alarm System - Alarm Tree view
• Shows the current status of the persistent store (LDAP)
• Delete and create records and subcomponents by context menu
• Changes are stored in the LDAP server
• Alarm status is propagated to the root component
• Property view to display and edit tree items

Alarm System - Alarm Table
Message properties, color and text for severities are configurable
Log View
• Shows all types of messages in chronological order
Alarm View
• Shows alarm messages
• Ordered by: 1. severity and 2. timestamp
Archive View
• Shows messages stored in the archive DB
• Time period and search criteria settable

Alarm System - Acknowledgement
[Diagram labels: CSS Instance: Acknowledge alarm message; Update: Persistent Store (LDAP); Ack. Message (JMS); JMS Server; Ack; CSS Instance]

Authentication and Authorization - CSS Extensions
• Implementation of CSS rights management is located in separate plug-ins
• CSS Core provides extension points for authentication and authorization
[Diagram labels: CSS Core: Service SecurityFasade, canExecute(id), request from CSS Plug-In; Extension-Point loginModule: Implementation of an authentication module; Extension-Point authorizationProvider: Implementation of an authorization provider]

Authentication and Authorization - Implementation
CSS is available with and without rights management
• Without rights management:
  – Deliver no implementation / plug-in for loginModule and authorizationProvider
  – All users are anonymous
  – With no authorizationProvider all CSS actions are available
• With rights management:
  – loginModule authenticates all users (@DESY: Java API JAAS with Kerberos module)
  – AuthorizationProvider checks for each action if the user is authorized (@DESY: LDAP implementation for authorize IDs, groups, roles)

Authentication and Authorization - Name structure for authorizeID
• Sensitive actions can be protected with an authorizationID
• Hierarchical name structure for authorizationIDs
• AuthorizationID service in CSS core shows all existing authorizationIDs in the system
• Not mandatory, each institute can define its own structure

Authentication and Authorization - LDAP Structure
• Configuration for authorization and authentication is stored in LDAP
• Users, groups and roles are updated by the DESY Registry
• AuthorizeIDs and the mapping can be set by the CSS plug-in “AuthorizeID” or manually
• DESY authorizationProvider “LDAPAuthorization” reads user rights from the LDAP server
[Diagram labels: Groups (technical aspect); Roles (administrative aspect); User; AuthorizeIDs]

Authentication and Authorization - AuthorizationID, Groups and Roles
CSS plug-in “Authorize ID”
• An Action is mapped to an AuthorizeID.
• Naming rule for AuthorizeIDs are mapped to combinations of groups and roles.
• Rights are granted by assigning a user to a group-role combination.

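The mapping described on the authorization slides (action to AuthorizeID, AuthorizeID to group-role combinations, user to group-role combination), as an added Java example that is not code from CSS or from the presentation. The class, the in-memory provider standing in for LDAP, the explicit user argument to canExecute and all sample IDs, groups and users are assumptions; the last call shows the case from the implementation slide where no authorization provider is delivered.

```java
import java.util.Collections;
import java.util.Map;
import java.util.Set;

public class AuthorizeIdSketch {
    /** One right: a group (technical aspect) combined with a role (administrative aspect). */
    record GroupRole(String group, String role) {}

    /** Hypothetical stand-in for the authorization provider extension (LDAP-backed at DESY). */
    interface AuthorizationProvider {
        Set<GroupRole> requiredFor(String authorizeId);   // AuthorizeID -> group-role combinations
        Set<GroupRole> grantedTo(String user);            // user -> assigned combinations
    }

    /** In-memory provider; both maps hold constructed sample data. */
    record MapProvider(Map<String, Set<GroupRole>> ids, Map<String, Set<GroupRole>> users)
            implements AuthorizationProvider {
        public Set<GroupRole> requiredFor(String id) { return ids.getOrDefault(id, Set.of()); }
        public Set<GroupRole> grantedTo(String user) { return users.getOrDefault(user, Set.of()); }
    }

    /** provider == null models a build delivered without the authorization plug-in. */
    static boolean canExecute(AuthorizationProvider provider, String user, String authorizeId) {
        if (provider == null) {
            return true;   // as on the slides: with no provider all actions are available
        }
        // Allowed when the user holds at least one combination mapped to the ID.
        // An ID without any mapping is denied here (assumption; the slides do not say).
        return !Collections.disjoint(provider.requiredFor(authorizeId), provider.grantedTo(user));
    }

    public static void main(String[] args) {
        GroupRole operator = new GroupRole("MKS-2", "operator");   // constructed names
        GroupRole expert = new GroupRole("MKS-2", "expert");
        AuthorizationProvider ldapLike = new MapProvider(
            Map.of("alarm.acknowledge", Set.of(operator, expert),
                   "remote.updatePlugin", Set.of(expert)),
            Map.of("alice", Set.of(operator)));

        // Operator on an ID mapped to her combination, then on an expert-only ID.
        System.out.println(canExecute(ldapLike, "alice", "alarm.acknowledge"));
        System.out.println(canExecute(ldapLike, "alice", "remote.updatePlugin"));
        // Unknown user with a provider installed, then the same user on a build without one.
        System.out.println(canExecute(ldapLike, "anonymous", "remote.updatePlugin"));
        System.out.println(canExecute(null, "anonymous", "remote.updatePlugin"));
    }
}
```
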
Authentication and Authorization - Next steps
• Implementing authorization for all sensitive actions
• Collaboration with ORNL/SNS
• Make authentication module configurable via preferences → no changes in source code
• Current state of the project: http://elogbook.desy.de:8181 → CSS Core → Authentication and authorization

Remote Management - Management of CSS instances
• All remote features are located in separate plug-ins → CSS can easily be built with or without remote management
• CSS Core provides common remote commands (e.g. update plugin, write preference, …)
• Each plug-in is able to provide its own remote commands
[Diagram labels: CSS Manager instance; Office: CSS UI instance; Control room: CSS UI instance; CSS Headless instance]

Remote Management - Current state
• DESY Communication Framework (DCF) is based on XMPP
• DCF plug-in defines an extension point for actions
• Plug-ins can register remote actions at DCF
• DCF displays all CSS instances in a tree
• Pop-up menu for available actions
[Screenshot caption: Available commands of selected instance]

Authentication and Authorization - ECF Prototype
• Prototype (remoteRCP) for basic remote management on the basis of the Eclipse Communication Framework (ECF)
• Using OSGi services for remote commands
• RemoteRCP on the ECF wiki page: http://wiki.eclipse.org/Remote_Eclipse_RCP_Management
[Screenshot captions: Editor to handle specific remote command; All (online and offline) instances; Selected instances to be managed; Available remote commands]

Authentication and Authorization - Next Steps
• ECF 2.1 now supports multiple resources (the same user can run multiple CSS instances)
• Integrate prototype components in CSS core
• Convert DCF actions to ECF commands
• Using chat, file transfer, shared desktop, … provided by ECF

Who is involved?
• Alarm Management System: C1-WPS / DESY
• Interconnection Server, JMS2Oracle: DESY
• Alarm Viewer: DESY
• Authentication and Authorization: DESY / SNS/ORNL
• Remote Management: DESY / University of Hamburg / C1-WPS