Control System Studio Training - Authentication, Authorization

1. Control System Studio Training-Authentication,Authorization Kay Kasemir ORNL/SNS kasemirk@ornl.gov April 2013

2. Example: Alarm System ! Only authorized users can change the configuration  

3. Auth & Auth • Authentication: Confirm a user's identity • Check password • Authorization: Is user permitted to do something? • Requires authenticated user • Some database: User “Fred” may configure alarm

4. Can’t we just ignore this? No.If you don’t configure auth & auth,nobody can do anything What follows is the simple “anybody can do anything” setup.

5. Auth & Auth in CSS Plugin: org.csstudio.security preferences.ini: Available optionsjaas.conf: Example (default) authenticationauthorization.conf: Example (default) file-based authorization See also Auth & Aut chapter in http://cs-studio.sourceforge.net/docbook/css_book.pdf

6. Authentication Defaults Preference:org.csstudio.security/jaas_config_file= platform:/plugin/org.csstudio.security/jaas.conforg.csstudio.security/jaas_config_name=dummy See content of jaas.conf • On CSS startup: ‘current user’ • File/Login allows any name (except ‘fail’), ignoring password

7. Authorization Defaults Preference:org.csstudio.security/authorization_provider=FileBasedorg.csstudio.security/authorization_file_name= platform:/plugin/org.csstudio.security/authorization.conf See content of authorization.conf # Anybody can acknowledge alarmsalarm_acknowledge=.* # Specific users may configure alarmsalarm_config = fred , jane

8. For Operational Setups Authentication • File-based (plain text name, password) • LDAP, Kerberous,.. • See jaas.conf example, Google JAAS Authorization • File-based (authorization=list of name patterns) • LDAP group based • Call external script • Implement your own OSGi AuthorizationProvider