CSS – Control System Studio: Alarm System, Authorization, Remote Management
Summary Presentation @ GSI, February 11th 2009
Matthias Clausen, Jan Hatje (DESY / MKS-2)
Presented by: Jan Hatje
Overview
• Alarm System
  • Structure of components
  • Management System
  • CSS Views of alarm status
• Authentication and Authorization
  • CSS Interfaces
  • Configuration of user access rights
• Remote management
  • Install and update CSS components
  • Management of CSS headless instances
Alarm System - Overview
• Common APIs for JMS server, LDAP server and database → no special implementation is required
• JMS messages (key, value) for all communication between components
• Alarm System can handle all kinds of messages (e.g. log messages)
• Several sources for alarm/log messages are possible (EPICS, D3, CSS, …)
• Sending alarms to different destinations (SMS, e-mail, voice mail, …)
• Users can configure filters for alarm messages themselves
• Redundancy for main components of the system
Alarm System - Structure
[Diagram. Labels: Alarm / Log message Sources (EPICS IOC, D3 PCM, CSS Instance); Persistent Store (LDAP), updated from IC; Archive DB; JMS Server; Alarm Management System; CSS Alarm Tools (Views, Configuration, …); Message Table; Message Archive; SMS; Mail; AMS Configuration; Alarm Tree]
Alarm System - Persistent store
• Persistent Store (LDAP) holds a structured list of all records
• Records are ordered by facility name, component and controller
• Alarm status of a record:
  • epicsAlarmAcknTimeStamp
  • epicsAlarmSeverity
  • epicsAlarmStatus
  • epicsAlarmTimeStamp
• Alarm status is updated by the Interconnection Server (from IOC)
• Acknowledgement is set directly by the CSS instance concerned
• Source for Namespacebrowser → next presentation
Alarm System - Alarm Management System (AMS)
[Diagram. Labels: Alarm Message (JMS); CSS Alarm Configurator; Write Configuration; Read configuration; DB; Filter Manager; Filter; Action; JMS; SMS Connector; Voice Mail Connector; Mail Connector; SMS; Voice Mail; Mail]
Alarm System - AMS Filter
• Filter:
  • Checks if the filter matches
  • Creates a new message with the relevant information of the alarm message
  • Forwards the message to an action
• Filter condition:
  • A filter is a combination of filter conditions
  • Filter conditions can be connected with AND and OR
  • Available condition types are: Compare strings, Check current PV, Time based condition, …
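The filter behaviour on this slide (match, build a reduced message, forward it to an action) can be modelled as follows. This is an added example, not AMS code: it covers only the string-compare and time-based condition types, and the message keys, values and the list standing in for an SMS action are constructed.

```python
from datetime import datetime, time
from typing import Callable, Dict, List

Message = Dict[str, str]            # JMS-style key/value message
Condition = Callable[[Message], bool]

def string_equals(key: str, expected: str) -> Condition:
    return lambda msg: msg.get(key) == expected

def time_between(key: str, start: time, end: time) -> Condition:
    """Time-based condition; a window with start > end wraps past midnight."""
    def check(msg: Message) -> bool:
        if key not in msg:
            return False
        t = datetime.fromisoformat(msg[key]).time()
        return start <= t < end if start <= end else (t >= start or t < end)
    return check

def all_of(*conds: Condition) -> Condition:   # AND
    return lambda msg: all(c(msg) for c in conds)

def any_of(*conds: Condition) -> Condition:   # OR
    return lambda msg: any(c(msg) for c in conds)

class Filter:
    def __init__(self, condition, relevant_keys, action):
        self.condition, self.relevant_keys, self.action = condition, relevant_keys, action

    def process(self, alarm: Message) -> bool:
        if not self.condition(alarm):
            return False
        # New message carrying only the relevant fields, forwarded to the action.
        self.action({k: alarm[k] for k in self.relevant_keys if k in alarm})
        return True

# Constructed sample messages; the key names are assumptions of this example.
SAMPLE = [
    {"NAME": "cryo:T1", "FACILITY": "CRYO", "SEVERITY": "MAJOR", "EVENTTIME": "2009-02-11 23:40:00", "HOST": "ioc7"},
    {"NAME": "cryo:T2", "FACILITY": "CRYO", "SEVERITY": "MINOR", "EVENTTIME": "2009-02-11 23:41:00", "HOST": "ioc7"},
    {"NAME": "cryo:T1", "FACILITY": "CRYO", "SEVERITY": "INVALID", "EVENTTIME": "2009-02-12 10:05:00", "HOST": "ioc7"},
]

def run_sample() -> List[Message]:
    outbox: List[Message] = []  # stands in for an SMS action
    night = all_of(string_equals("FACILITY", "CRYO"),
                   any_of(string_equals("SEVERITY", "MAJOR"), string_equals("SEVERITY", "INVALID")),
                   time_between("EVENTTIME", time(22, 0), time(6, 0)))
    sms_filter = Filter(night, ["NAME", "SEVERITY", "EVENTTIME"], outbox.append)
    for alarm in SAMPLE:
        sms_filter.process(alarm)
    return outbox
```

Only the first sample alarm is forwarded, and the forwarded copy no longer carries the HOST field.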
Alarm System - AMS operators and groups
• Operators:
  • Receive alarm messages via mail, SMS, …
  • Status active or inactive can be set
  • PIN code to acknowledge alarm messages
• Groups:
  • Operators responsible for specific facilities
  • Defines the priority of who should be informed first, second, …
  • Maximum delay for acknowledgment of alarm messages
Alarm System - Alarm Tree view
• Shows the current status of the persistent store (LDAP)
• Delete and create records and subcomponents by context menu
• Changes are stored in the LDAP server
• Alarm status is propagated to root component
• Property view to display and edit tree items
Alarm System - Alarm Table
• Message properties, color and text for severities are configurable
• Log View
  • Shows all types of messages in chronological order
• Alarm View
  • Shows alarm messages
  • Ordered by: 1. severity and 2. timestamp
• Archive View
  • Shows messages stored in archive DB
  • Time period and search criteria settable
Alarm System - Acknowledgement
[Diagram. Labels: CSS Instance; Acknowledge Alarm message; Ack. Message (JMS); Update Ack; Persistent Store (LDAP); JMS Server; Ack (to each of the other CSS Instances)]
Authentication and Authorization - CSS Extensions
• Implementation of CSS rights management is located in separate plug-ins
• CSS Core provides extension points for authentication and authorization
[Diagram. Labels: CSS Core; Service; Extension-Point; CSS Plug-In; request; SecurityFacade; canExecute(id); loginModule; CSS Plug-In: Implementation of an authentication module; authorizationProvider; CSS Plug-In: Implementation of an authorization provider]
Authentication and Authorization - Implementation
• CSS is available with and without rights management
• Without rights management:
  • Deliver no implementation / plug-in for loginModule and authorizationProvider
  • All users are anonymous
  • With no authorizationProvider all CSS actions are available
• With rights management:
  • loginModule authenticates all users (@DESY: Java API JAAS with Kerberos module)
  • authorizationProvider checks for each action whether the user is authorized (@DESY: LDAP implementation for authorize IDs, groups, roles)
Authentication and Authorization - AuthorizationID, Groups and Roles
Authorization at DESY
• An action is mapped to an AuthorizeID.
• Rights are granted by assigning a user to a group-role combination.
• AuthorizeIDs are mapped to combinations of groups and roles.
Naming rule for AuthorizeIDs
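The decision described on this slide and the previous one (no provider means every action is available; otherwise an action's AuthorizeID must map to a group-role combination the user holds) can be modelled as below. This is an added example, not CSS code: the class and function names, IDs, groups, roles and users are hypothetical, and denying unmapped IDs and anonymous users once a provider is present are assumptions of the example, not behaviour stated on the slides.

```python
from typing import Dict, Optional, Set, Tuple

Grant = Tuple[str, str]  # (group, role)

# Constructed sample data; none of these names come from the slides.
ID_TO_GRANTS: Dict[str, Set[Grant]] = {
    "alarm.acknowledge": {("cryo", "operator"), ("cryo", "expert")},
    "alarmtree.delete_record": {("cryo", "expert")},
}
USER_TO_GRANTS: Dict[str, Set[Grant]] = {
    "alice": {("cryo", "expert")},
    "bob": {("cryo", "operator")},
}

class DirectoryProvider:
    """Stand-in for an authorizationProvider that reads its data from a directory."""
    def __init__(self, id_to_grants, user_to_grants):
        self.id_to_grants = id_to_grants
        self.user_to_grants = user_to_grants

    def is_authorized(self, user: str, authorize_id: str) -> bool:
        required = self.id_to_grants.get(authorize_id)
        if required is None:
            return False  # assumption of this example: unmapped IDs are denied
        return bool(required & self.user_to_grants.get(user, set()))

class FacadeModel:
    """Models the canExecute(id) decision point in front of the provider."""
    def __init__(self, provider: Optional[DirectoryProvider] = None):
        self.provider = provider

    def can_execute(self, user: Optional[str], authorize_id: str) -> bool:
        if self.provider is None:
            return True  # no provider plug-in delivered: all actions available
        if user is None:
            return False  # assumption: no anonymous access once a provider exists
        return self.provider.is_authorized(user, authorize_id)

def unmapped_ids(provider: DirectoryProvider, ids_used_by_actions) -> list:
    """AuthorizeIDs referenced by actions that have no group-role mapping."""
    return sorted(i for i in ids_used_by_actions if i not in provider.id_to_grants)
```

Running `unmapped_ids` over the IDs that actions actually reference is a quick review check for actions whose outcome depends entirely on the provider's handling of missing mappings.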
Authentication and Authorization - Name structure for authorizeID
• Hierarchical name structure for authorize IDs
• AuthorizationID service in CSS core shows all existing authorizationIDs in the system
• AuthorizeIDs must be unique
• Not mandatory, each institute can define their own structure
Authentication and Authorization - LDAP Structure
• Users, groups and roles are updated by the DESY Registry
• AuthorizeIDs and the mapping can be set by the CSS plug-in "AuthorizeID" or manually
• DESY authorizationProvider "LDAPAuthorization" reads user rights from the LDAP server
• AuthorizeIDs used in SDS displays are also stored in LDAP
[Diagram. Labels: Groups; Roles; User; AuthorizeIDs]
Authentication and Authorization - Next steps
• Implementing authorization for all sensitive actions
• Collaboration with ORNL/SNS
• Make authentication module configurable via preferences → no changes in source code
• Current state of the project: http://elogbook.desy.de:8181 → CSS Core → Authentication and authorization
Remote Management - Management of CSS instances
• All remote features are located in separate plug-ins → CSS can easily be built with or without remote management
• CSS Core provides common remote commands (e.g. update plug-in, write preference, …)
• Each plug-in is able to provide its own remote commands
[Diagram. Labels: CSS Manager instance (Office); CSS UI instances (Control room); CSS Headless instance]
Remote Management - Current state
• DESY Communication Framework (DCF) is based on XMPP
• DCF plug-in defines an extension point for actions
• Plug-ins can register remote actions at DCF
• DCF displays all CSS instances in a tree
• Pop-up menu for available actions
[Screenshot. Label: Available commands of selected instance]
Authentication and Authorization - ECF Prototype
• Prototype (remoteRCP) for basic remote management on the basis of the Eclipse Communication Framework (ECF)
• Using OSGi services for remote commands
• RemoteRCP on the ECF wiki page: http://wiki.eclipse.org/Remote_Eclipse_RCP_Management
[Screenshot. Labels: Editor to handle specific remote command; All (online and offline) instances; Selected instances to be managed; Available remote commands]
Authentication and Authorization - Next Steps
• ECF 2.1 now supports multiple resources (the same user can run multiple CSS instances)
• Integrate prototype components in CSS core
• Convert DCF actions to ECF commands
• Using chat, file transfer, shared desktop, … provided by ECF
Who is involved?
• Alarm Management System: C1-WPS / DESY
• Interconnection Server, JMS2Oracle: DESY
• Alarm Viewer: DESY
• Authentication and Authorization: DESY / SNS/ORNL
• Remote Management: DESY / University of Hamburg / C1-WPS