
Authentication and Authorization for the ESS* Control System


Presentation Transcript


  1. Authentication and Authorization for the ESS* Control System
     Suzanne Gysin – European Spallation Source
     Jaka Bobnar – Cosylab
     2013-10-06
     *ESS: European Spallation Source

  2. What is ESS?
     • The European Spallation Source (ESS) will house the most powerful proton linac ever built.
     • The average beam power will be 5 MW, which is five times greater than SNS.
     • The peak beam power will be 125 MW, which is over seven times greater than SNS.
     Suzanne Gysin, RBAC for ESS Control System

  3. ESS Science Case
     ESS is a neutron spallation source for neutron scattering measurements. Neutron scattering offers a complementary view of matter in comparison to other probes such as x-rays from synchrotron light sources. The scattering cross section of many elements can be much larger for neutrons than for photons.
     (Images: neutron radiograph, X-ray image)

  4. Where Will ESS Be Built?
     • ESS is located in southern Sweden adjacent to MAX-IV (a 4th generation light source)
     • To provide a world-class material research center for Europe

  5. How Much Will ESS Cost?
     (Chart: personnel and investment costs)

  6. How Will ESS Be Funded?
     With in-kind and cash contributions.

  7. How Long Will ESS Take to Build?

  8. Control System Core Software – requirements
     • Configuration Data Management
       • Lattice DB*
       • Controls Configuration DB*
       • Device Configuration DB
       • Cable DB*
     • Requirements documents available
     • In collaboration with DISCS

  9. Control System Core Software – requirements
     • Control System Services
       • Authentication and Authorization
       • CSS including BOY, BEAST, and BEAUTY
       • Save, Compare and Restore*
       • Post Mortem support
       • Maintenance Log
       • Diagnostic Logging Service
       • Naming Convention
         • Database, tools, and procedures

  10. Software Core Milestones
      • 2014
        • Q2: MS 1: Lattice Database V2 (BLED 2)
        • Q3: MS 2: Naming convention software tools
      • 2015
        • Q1: MS 3: Controls Configuration Database; MS 4: Cabling Database
      • 2016
        • Q2: MS 5: Device Configuration Database
      • 2017
        • Q1: MS 6: Vertical Test Complete

  11. Authentication and Authorization (RBAC)
      • 2006-7 – implemented RBAC for LSA, the LHC control system at CERN.
      • Proposal/Investigation to:
        • Adapt RBAC to EPICS
        • Adapt RBAC to general resources

  12. Role Based Access Control (RBAC)
      • Machine Safety
        • ESS's 5 MW is powerful and potentially very damaging
        • RBAC protects from crippling machine damage
        • RBAC is proactive rather than reactive: it prevents invoking the machine protection system
      • Machine Performance
        • Don't mess with a fine-tuned system
        • Access is denied during certain machine states

  13. CERN's LHC Controls RBAC extended
      • LHC RBAC has good qualifications
        • in use on a complex control system, with many diverse users, for many years.
      • EPICS is
        • a popular choice for new control system projects
        • could use a standard RBAC service
      • ESS controls
        • Uses EPICS
        • Needs an RBAC implementation

  14. Two main questions …
      • How to extend CERN's LHC controls RBAC to EPICS?
      • How to extend CERN's LHC controls RBAC to protect general resources such as databases and software services?

  15. RBAC at LHC Controls at CERN
      Authentication of the user:
      • User sends a request from the Application to be authenticated by the RBAC server
      • RBAC authenticates the user via NICE user name and password
      • RBA returns an RBAC token to the Application
      Authorization of a request:
      • Application sends the token to the Application Server (3-tier environment)
      • CMW client sends the token to the CMW server
      • CMW server (on the front-end) verifies the token
      • CMW server checks the Access Map for role, location, application, mode
      RBAC Token:
      • Application name
      • User name
      • IP address/location
      • Time of authentication
      • Time of expiry
      • Roles[ ]
      • Digital signature (RBA private key)
      (Diagram components: Application, RBAC Server, CMW client, CMW server, Access Map, FESA)

  16. Two use cases
      • Use case 1: RBAC for EPICS
        • protect access to the Channel Access Process Variables
      • Use case 2: RBAC for Configuration Data
        • Configuration database and its Java web applications

  17. Use Case 1: RBAC for EPICS
      • Karl wants to protect the klystrons.
      • Karl creates a role "Klystron Commissioner" with write privileges.
      • "Klystron Crawler" is a Channel Access Client application to monitor and control the Channel Access PVs.
      • "Klystron Controller" is a Channel Access Server for the klystron PVs.

  18. Use Case 1: RBAC for EPICS
      • Players:
        • Karl – the user
        • Klystron Commissioner – the role
        • Klystron Crawler – the application – Channel Access Client
        • Klystron Controller – the IOC with the relevant PV – Channel Access Server
      • Actions:
        • User Authentication
          • Check user name and password
        • Authorization of a session
          • Check token timeout and signature
        • Authorization of a request
          • Check token role, host id, and system parameters

  19. RBAC for EPICS: Authentication of the user
      • User logs into the CA Client with the login dialog provided by the RBAC service.
      • If the authentication is not successful, the RBAC server returns an error and the CA Client denies access to the User.
      • If the authentication is successful, the CA Client receives a token with the following:
        • Role (Klystron Commissioner)
        • Location (the host id)
        • RBAC server digital signature encrypted with the RBAC's private key (512 bits, 64 bytes)
      • User Authentication is complete.

  20. RBAC for EPICS: Authorization of the session
      Goal: to check the token parameters common to all requests only once:
      • check the RBAC signature with the public key
      • check the expiration date of the token
      • The CA Client connects to a CA Server via the CA handshake to establish a session.
      • The CA Client sends the token information (role, location, and signature) to the CA Server in the header.*
      • The CA Server verifies the token's expiration date and signature with the RBAC public key.*

  21. RBAC for EPICS: Authorization of the session
      • If invalid, the session is terminated and the user is notified with an error.
      • If the token is valid, the CA Server saves the token for authorizing future requests within this session.
      • The user is authorized for the session.
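The session check described on slides 19 to 21, as an added example that is not from the presentation or from any CERN or ESS code: a Go sketch of the RBAC server issuing a token with the fields listed on slide 15, and of the CA server verifying the signature and expiry once when the session starts. Ed25519 is this example's assumption for the signature (it happens to produce the 64-byte signature the slides mention); the slides say only that the RBAC server's private key signs the token. The canonical encoding of the signed fields and the sample names are also this example's own choices.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Token holds the RBAC token fields from slide 15; Sig is the RBAC server's signature.
type Token struct {
	App, User, Location string
	Issued, Expiry      time.Time
	Roles               []string
	Sig                 []byte
}
// signedBytes canonicalises the signed fields (assumes no field contains "\n" or ",").
func (t *Token) signedBytes() []byte {
	return []byte(strings.Join([]string{t.App, t.User, t.Location,
		t.Issued.UTC().Format(time.RFC3339), t.Expiry.UTC().Format(time.RFC3339),
		strings.Join(t.Roles, ",")}, "\n"))
}
// Issue is the RBAC server side: fill in the token and sign it with the RBAC private key.
func Issue(priv ed25519.PrivateKey, app, user, loc string, roles []string, now time.Time, ttl time.Duration) *Token {
	t := &Token{App: app, User: user, Location: loc, Issued: now, Expiry: now.Add(ttl), Roles: roles}
	t.Sig = ed25519.Sign(priv, t.signedBytes())
	return t
}

// VerifySession is the CA server side (slide 20): signature and expiry are checked once per session.
func VerifySession(pub ed25519.PublicKey, t *Token, now time.Time) error {
	if !ed25519.Verify(pub, t.signedBytes(), t.Sig) {
		return errors.New("RBAC signature invalid")
	}
	if !now.Before(t.Expiry) {
		return errors.New("token expired")
	}
	return nil
}

// rbacPub/rbacPriv stand in for the RBAC server's key pair (generated fresh for this example).
var rbacPub, rbacPriv, _ = ed25519.GenerateKey(nil) // nil reader selects crypto/rand

func main() {
	now := time.Now()
	tok := Issue(rbacPriv, "Klystron Crawler", "karl", "rfcon01", []string{"Klystron Commissioner"}, now, time.Hour)
	fmt.Println("fresh:", VerifySession(rbacPub, tok, now))                   // <nil>
	fmt.Println("expired:", VerifySession(rbacPub, tok, now.Add(2*time.Hour))) // token expired
	tok.Roles = []string{"Operator"} // editing a signed field invalidates Sig
	fmt.Println("tampered:", VerifySession(rbacPub, tok, now)) // RBAC signature invalid
}
```

Note that the CA server only needs the RBAC public key, which is the distribution problem slide 22 raises.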

  22. Authorization of the session issue
      • Requires a change in the Channel Access Protocol for starting a session (i.e. sending the token information)
      • Requires the implementation of checks in the existing Channel Access Servers
      • Distribution of the public key to the CA servers
      Work around …
      • Make the session authorization optional

  23. RBAC for EPICS: Authorization of a request
      • The user initiates a request to set a PV using the CA Client.
      • The CA Client sends the request to the CA Server along with the role and host id.
      • The CA Server checks the role, location, beam mode or other system parameters as defined in the .afc file.
      • If the authorization fails, the CA Server returns an error; if the authorization succeeds, the CA Server fulfills the request.
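The per-request check on slide 23 (and the access-map check the database service performs on slide 30), as an added example that is not from the presentation: a Go model of EPICS access-security RULE entries in which the RBAC role stands in for the user access group, the token's host for the host access group, and a CALC-style predicate over the beam mode decides whether the rule applies. The Rule structure, the KlystronASG rules and the host names are constructed for this example; the access file syntax itself is not parsed here.

```go
package main

// Perm is an EPICS access level: NONE < READ < WRITE (WRITE implies READ).
type Perm int

const (
	None Perm = iota
	Read
	Write
)

// Rule models one RULE(level, perm) { UAG(...) HAG(...) CALC(...) } entry: Roles stands in for the UAG (RBAC role in
// place of the OS user name, slide 25), Hosts for the HAG (token location); an empty set matches everyone, as in EPICS.
type Rule struct {
	Level int
	Perm  Perm
	Roles []string
	Hosts []string
	Calc  func(beamMode int) bool // if set, must be true for the rule to apply
}
func member(set []string, v string) bool {
	for _, s := range set {
		if s == v {
			return true
		}
	}
	return len(set) == 0
}

// Authorize is the CA server's per-request check: role and host come from the token saved at session
// start, fieldLevel is the PV field's ASL (0 or 1), beamMode is the system parameter fed to CALC.
func Authorize(asg []Rule, role, host string, fieldLevel, beamMode int, want Perm) bool {
	for _, r := range asg {
		if r.Level < fieldLevel || r.Perm < want {
			continue // rule does not cover this field level or permission
		}
		if member(r.Roles, role) && member(r.Hosts, host) && (r.Calc == nil || r.Calc(beamMode)) {
			return true
		}
	}
	return false
}

// KlystronASG is a constructed access group: anyone may read the klystron PVs; only a
// Klystron Commissioner on an RF console host may write, and only while beam mode is 0 (beam off).
var KlystronASG = []Rule{
	{Level: 1, Perm: Read},
	{Level: 1, Perm: Write, Roles: []string{"Klystron Commissioner"},
		Hosts: []string{"rfcon01", "rfcon02"}, Calc: func(m int) bool { return m == 0 }},
}
```

The same Authorize logic answers the "access denied during certain machine states" point on slide 12: a write that is valid for the role and host is still refused once the beam mode changes.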

  24. RBAC for EPICS: Logout
      • User logs out by calling the RBAC logout API with the session.
      • The session is terminated and all token information is removed from the CA server.

  25. RBAC for EPICS: Issues
      • Time it takes to verify the token on the first handshake.
        • Do we want to factor out the handshake or include it in the first PV access?
        • Prototype the time it takes to verify the token.
      • The handshake for starting a session is modified.
        • A login and logout interface specific to Channel Access clients that manages the session with a modified handshake.
        • Make the session authorization optional.
      • Users may have multiple roles; how to select and switch roles?
        • How common is this, and what is the use case?
      • Channel Access uses the OS user name; RBAC expects the role name in the request.
        • How is the user name changed to the role in the CA Client?

  26. Use Case 2: RBAC for Configuration Data
      • Karl, still the RF engineer, would like to protect his klystron configuration.
      • The role "Klystron Commissioner" has permission to change the RF configuration.
      • The "Configuration Manager" is the app used to edit the configuration.
      • The Configuration Manager's underlying database is the Controls Configuration Database (CCDB).

  27. Use Case 2: RBAC for Configuration Data
      • Players:
        • Karl – the user
        • Klystron Commissioner – the role
        • Configuration Manager – the application – Glassfish web application
        • Controls Configuration Database – the RDB, the resource to protect
      • Actions:
        • User Authentication
          • Check user name and password
        • Authorization of a session
          • Check token timeout and signature
        • Authorization of a request
          • Check token role, host id, and system parameters

  28. RBAC for configuration data: Authentication of the user
      • The user logs into the Configuration Manager using the login dialog provided by the RBAC service.
      • If the authentication is not successful, the Configuration Manager denies access.
      • If the authentication is successful, the Configuration Manager receives a token with the following:
        • Role (Klystron Commissioner)
        • Location (the host id)
        • RBAC server digital signature encrypted with the RBAC's private key (512 bits, 64 bytes)
      • User Authentication is complete.

  29. RBAC for configuration data: Authorization of the session
      • The Configuration Manager (the app) verifies the token's expiration date and signature with the RBAC public key.*
      • If invalid, the session is terminated and the user is notified with an error.
      • If the token is valid, the Configuration Manager saves the token for authorizing future requests within this session.

  30. RBAC for configuration data: Authorization of a request
      • The user initiates a request to set a database field using the Configuration Manager.
      • The Configuration Manager uses the database service (API) to interact with the database.
      • The Configuration Manager sends the role and location along with the request to the database service.
      • This database service checks the role, location, and beam mode according to its access map for the specific request.*
      • If the authorization fails, the Configuration Manager returns an error; if it succeeds, the request is fulfilled.

  31. RBAC for configuration data: Assumptions
      • The Configuration Manager checks whether the token has expired every n minutes and prompts the user for a renewal.
      • The Configuration Manager uses a database service; the database service is the only way to connect to the database.
      • The Configuration Manager has the RBAC public key.
      • The access rights are written by the owner of the database, and the algorithm to check the access rights is local to the database API.
      • The Configuration Manager saves the token for the duration of a session.

  32. RBAC for configuration data: Issues
      • If there is a use case for queuing or forwarding requests, it needs to be well understood.
      • No standard access map: each database service will have to implement its own request authorization code and access map.
      • Should the session authorization be in the application or the database service?
      • How does the configuration database receive the beam mode?

  33. Commonalities, LHC, EPICS, Databases
      • Authentication
        • RBAC server authenticates the user
        • Protocol differs: CERN uses an RBAC token, ESS may use Kerberos
        • RBAC server is responsible for logging authentication requests
      • Authorization
        • RBAC server manages the mapping of users, roles, and permissions for the roles
        • RBAC server generates the access rules for the device server and makes them available
        • Access rights syntax differs: RBAC uses a table, ESS uses the EPICS access control file syntax
        • Databases have their own syntax, which is not managed by RBAC

  34. Conclusion
      • ESS is collaborating with DISCS to extend CERN's LHC controls RBAC for EPICS and other software resources.
      • We have shown two use cases using the same steps and with the same general architecture. From this we can decide
        • which parts are re-usable
        • which parts to implement first
      • Next steps:
        • Gather use cases and requirements from the ESS and DISCS collaboration
        • Prototype and design
        • Ready for development, 2014-Q1
