Authentication and Authorization for the ESS* Control System


Authentication and Authorization for the ESS* Control System
Suzanne Gysin – European Spallation Source
Jaka Bobnar – Cosylab
2013-10-06
*ESS: European Spallation Source

Suzanne Gysin, RBAC for ESS Control System
What is ESS?
The European Spallation Source (ESS) will house the most powerful proton linac ever built. The average beam power will be 5 MW, which is five times greater than SNS. The peak beam power will be 125 MW, which is over seven times greater than SNS.
10/05/2013 Suzanne Gysin, RBAC for ESS Control System

ESS Science Case
ESS is a neutron spallation source for neutron scattering measurements. Neutron scattering offers a complementary view of matter in comparison to other probes such as x-rays from synchrotron light sources. The scattering cross section of many elements can be much larger for neutrons than for photons.
(Images: neutron radiograph and X-ray image)

Where Will ESS Be Built?
ESS is located in southern Sweden adjacent to MAX-IV (a 4th generation light source), to provide a world-class material research center for Europe.

How Much Will ESS Cost?
(Chart: personnel and investment)

How Will ESS be Funded?
with in-kind and cash contributions.

How Long Will ESS Take to Build?

Control System Core Software - requirements
Configuration Data Management:
Lattice DB*
Controls Configuration DB*
Device Configuration DB
Cable DB*
* Requirements documents available
In collaboration with DISCS

Control System Core Software - requirements
Control System Services:
Authentication and Authorization
CSS including BOY, BEAST, and BEAUTY
Save, Compare and Restore*
Post Mortem support
Maintenance Log
Diagnostic Logging Service
Naming Convention Database, tools, and procedures

Software Core Milestones
2014: Q2: MS 1: Lattice Database V2 (BLED 2); Q3: MS 2: Naming convention software tools
2015: Q1: MS 3: Controls Configuration Database; MS 4: Cabling Database
2016: Q2: MS 5: Device Configuration Database
2017: Q1: MS 6: Vertical Test Complete

DISCS Collaboration
Distributed Information Services for Control Systems (Vasu Vuppala). Collaborators with BNL, FRIB, SLAC, ESS, Cosylab, IHEP.
Databases: machine configuration, lattice, measurements, alignment, cables, machine state, inventory, operations, calibration, and design parameters.
Services/applications include Channel Finder, Logbook, Traveler, Unit Conversion, RBAC, Online Model, and Save-Restore.

Authentication and Authorization (RBAC)
2007: developed RBAC for LSA, the LHC control system at CERN.
Proposal/investigation of how to: adapt RBAC to EPICS; adapt RBAC to general resources.

Role Based Access Control (RBAC)
Machine Safety: ESS's 5 MW is powerful and potentially very damaging. RBAC protects from crippling machine damage. RBAC is proactive rather than reactive: it prevents invoking the machine protection system.
Machine Performance: don't mess with a fine-tuned system. Access is denied during certain machine states.

CERN's LHC Controls RBAC extended
LHC RBAC has good qualifications: in use on a complex control system, with many diverse users, for many years.
EPICS is a popular choice for new control system projects and could use a standard RBAC service.
ESS controls uses EPICS and needs an RBAC implementation.

RBAC at LHC Controls at CERN
Authentication of the user:
User sends a request from the Application to be authenticated by the RBAC server.
RBAC authenticates the user via NICE user name and password.
RBA returns the RBAC token to the Application.
Authorization of a request:
Application sends the token to the Application Server (3-tier env.).
CMW client sends the token to the CMW server.
CMW server (on the front-end) verifies the token.
CMW server checks the Access Map for role, location, application, mode.
RBAC Token: Application name, User name, IP address/location, Time of authentication, Time of expiry, Roles[ ], Digital signature (RBA private key).
(Diagram: Application, RBAC Server, CMW client, CMW server, Access Map, FESA)

Two main questions ...
How to extend CERN's LHC controls RBAC to EPICS?
How to extend CERN's LHC controls RBAC to protect general resources such as databases and software services?

Two use cases
Use case 1: RBAC for EPICS: protect access to the Channel Access Process Variables.
Use case 2: RBAC for Configuration Data: the configuration database and its Java web applications.

Use Case 1: RBAC for EPICS
Karl wants to protect the klystrons. Karl creates a role "Klystron Commissioner" with write privileges.
"Klystron Crawler" is a Channel Access Client application to monitor and control the Channel Access PVs.
"Klystron Controller" is a Channel Access Server for the klystron PVs.

Use Case 1: RBAC for EPICS
Players:
Karl – the user
Klystron Commissioner – the role
Klystron Crawler – the application, a Channel Access Client
Klystron Controller – the IOC with the relevant PV, a Channel Access Server
Actions:
User Authentication: check user name and password
Authorization of a session: check token timeout and signature
Authorization of a request: check token role, host id, and system parameters

RBAC for EPICS: Authentication of the user
User logs into the CA Client with the login dialog provided by the RBAC service.
If the authentication is not successful, the RBAC server returns an error and the CA Client denies access to the User.
If the authentication is successful, the CA Client receives a token with the following: Role (Klystron Commissioner); Location (the host id); RBAC server digital signature, created with the RBAC server's private key (512 bits, 64 bytes).
User Authentication is complete.

RBAC for EPICS: Authorization of the session
Goal: to check the token parameters common to all requests only once: check the RBAC signature with the public key; check the expiration date of the token.
The CA Client connects to a CA Server via the CA handshake to establish a session.
CA Client sends the token information (role, location, and signature) to the CA Server in the header.*
CA Server verifies the token's expiration date and signature with the RBAC public key.*

RBAC for EPICS: Authorization of the session
If invalid, the session is terminated and the user notified with an error.
If the token is valid, the CA Server saves the token for authorizing future requests within this session.
The user is authorized for the session.

Authorization of the session: issues
Requires a change in the Channel Access protocol for starting a session (i.e. sending the token information).
Requires the implementation of checks in the existing Channel Access Servers.
Distribution of the public key to the CA servers.
Work around ... make the session authorization optional.

RBAC for EPICS: Authorization of a request
The user initiates a request to set a PV using the CA Client.
CA Client sends the request to the CA Server along with the role and host id.
CA Server checks the role, location, beam mode or other system parameters as defined in the .acf file.
If the authorization fails, the CA Server returns an error; if the authorization succeeds, the CA Server fulfills the request.

RBAC for EPICS: Logout
User logs out by calling the RBAC logout API with the session.
Session is terminated; all token information is removed from the CA server.

RBAC for EPICS: Issues
Time it takes to verify the token on the first handshake. Do we want to factor out the handshake or include it in the first PV access? Prototype the time it takes to verify the token.
The handshake for starting a session is modified: a login and logout interface specific to Channel Access clients that manages the session with a modified handshake. Make the session authorization optional.
Users may have multiple roles; how to select and switch roles? How common is this, and what is the use case?
Channel Access uses the OS user name, RBAC expects the role name in the request. How is the user name changed to the role in the CA Client?

RBAC for EPICS: Assumptions
The CA Client checks if the token has expired every n minutes and prompts the user for a renewal.
The CA Client has one connection for every CA Server.
The CA Client is written in Java.
The CA Servers have the RBAC public key (200 - 1000 servers).
The CA Servers receive their .acf files from the RBAC server.
The CA Servers save the token for the duration of a session.
There is enough space for the role name, the digital signature, and the expiration date in the CA header (512 characters).

Use Case 2: RBAC for Configuration Data
Karl, still the RF engineer, would like to protect his klystron configuration.
The role "Klystron Commissioner" has permission to change the RF configuration.
The "Configuration Manager" is the app used to edit the configuration.
The Configuration Manager's underlying database is the Controls Configuration Database (CCDB).

Use Case 2: RBAC for Configuration Data
Players:
Karl – the user
Klystron Commissioner – the role
Configuration Manager – the application, a Glassfish web application
Controls Configuration Database – the RDB, the resource to protect
Actions:
User Authentication: check user name and password
Authorization of a session: check token timeout and signature
Authorization of a request: check token role, host id, and system parameters

RBAC for configuration data: Authentication of the user
The user logs into the Configuration Manager using the login dialog provided by the RBAC service.
If the authentication is not successful, the Configuration Manager denies access.
If the authentication is successful, the Configuration Manager receives a token with the following: Role (Klystron Commissioner); Location (the host id); RBAC server digital signature, created with the RBAC server's private key (512 bits, 64 bytes).
User Authentication is complete.

RBAC for configuration data: Authorization of the session
The Configuration Manager (the app) verifies the token's expiration date and signature with the RBAC public key.*
If invalid, the session is terminated and the user notified with an error.
If the token is valid, the Configuration Manager saves the token for authorizing future requests within this session.

RBAC for configuration data: Authorization of a request
The user initiates a request to set a database field using the Configuration Manager.
The Configuration Manager uses the database service (API) to interact with the database.
The Configuration Manager sends the role and location along with the request to the database service.
The database service checks the role, location, and beam mode according to its access map for the specific request.*
If the authorization fails, the Configuration Manager returns an error; if it succeeds, the request is fulfilled.
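
The per-request check that both use cases share (the CA server reading its access file in use case 1, the database service consulting its own access map here): role, location and beam mode are looked up for the requested resource and access level, deny by default. This is an added Go example, not code from the presentation or from EPICS or CERN; the pipe-separated table format, the "*" wildcard, the role, host and beam-mode names are constructed for it, and the matching is a simplified stand-in for the EPICS access-control-file rules, not a parser for that syntax.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is one row of the access map: which roles, from which hosts and in which
// beam modes a request at the given level is granted ("*" matches anything).
type Rule struct {
	Level string   // "READ" or "WRITE"; a WRITE rule also grants READ
	Roles []string // RBAC role names (the role replaces the CA user name)
	Hosts []string // host ids / locations
	Modes []string // beam modes in which the rule applies
}

// AccessMap maps an access security group (ASG) name to its rules.
type AccessMap map[string][]Rule

// SampleMap is a constructed table in the pipe-separated format this example
// assumes: asg | level | roles | hosts | modes.
const SampleMap = `
klystron | WRITE | Klystron Commissioner | cr-host1, cr-host2 | NoBeam, LowPower
klystron | READ  | *                     | *                  | *
`

func splitList(s string) (out []string) {
	for _, v := range strings.Split(s, ",") {
		if v = strings.TrimSpace(v); v != "" {
			out = append(out, v)
		}
	}
	return
}

// ParseAccessMap reads the table; a malformed row is an error, never an implicit grant.
func ParseAccessMap(text string) (AccessMap, error) {
	m := AccessMap{}
	for i, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		cols := strings.Split(line, "|")
		if len(cols) != 5 {
			return nil, fmt.Errorf("line %d: want 5 columns, got %d", i+1, len(cols))
		}
		asg, level := strings.TrimSpace(cols[0]), strings.ToUpper(strings.TrimSpace(cols[1]))
		if level != "READ" && level != "WRITE" {
			return nil, fmt.Errorf("line %d: bad level %q", i+1, cols[1])
		}
		m[asg] = append(m[asg], Rule{level, splitList(cols[2]), splitList(cols[3]), splitList(cols[4])})
	}
	return m, nil
}

func matches(list []string, v string) bool {
	for _, x := range list {
		if x == "*" || x == v {
			return true
		}
	}
	return false
}

// Authorize decides one request, deny by default: granted only if some rule for
// the ASG matches role, host and beam mode at a sufficient level.
func (m AccessMap) Authorize(asg, role, host, mode string, write bool) bool {
	for _, r := range m[asg] {
		if (r.Level == "WRITE" || !write) && matches(r.Roles, role) && matches(r.Hosts, host) && matches(r.Modes, mode) {
			return true
		}
	}
	return false
}

func main() {
	m, _ := ParseAccessMap(SampleMap)
	fmt.Println("Karl may write from the control room with no beam:", m.Authorize("klystron", "Klystron Commissioner", "cr-host1", "NoBeam", true))
}
```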

RBAC for configuration data: Assumptions
The Configuration Manager checks if the token has expired every n minutes and prompts the user for a renewal.
The Configuration Manager uses a database service; the database service is the only way to connect to the database.
The Configuration Manager has the RBAC public key.
The access rights are written by the owner of the database, and the algorithm to check the access rights is local to the database API.
The Configuration Manager saves the token for the duration of a session.

RBAC for configuration data: Issues
If there is a use case for queuing or forwarding requests, it needs to be well understood.
No standard access map: each database service will have to implement its own request authorization code and access map.
Should the session authorization be in the application or the database service?
How does the configuration database receive the beam mode?

Commonalities: LHC, EPICS, Databases
Authentication:
RBAC server authenticates the user; the protocol differs: CERN uses the RBAC token, ESS may use Kerberos.
RBAC server is responsible for logging authentication requests.
Authorization:
RBAC server manages the mapping of users, roles, and permissions for the roles.
RBAC server generates the access rules for the device server and makes them available.
Access rights syntax differs: RBAC uses a table, ESS uses the EPICS access control file syntax.
Databases have their own syntax which is not managed by RBAC.

Conclusion
ESS is collaborating with DISCS to extend CERN's LHC controls RBAC for EPICS and other software resources.
We have shown two use cases using the same steps and with the same general architecture. From this we can decide which parts are re-usable and which parts to implement first.
Next steps: gather use cases and requirements from ESS and the DISCS collaboration; prototype and design; ready for development, 2014-Q1.

Action items
A&A for Channel Finder – Bob D., G. Shen
Need the access map in the applications, to discern protection in the app. – Gabrielle
Single sign on – Gabrielle
Token forwarding, restore for example; check transaction management – query resource if the entire transaction is ok. – Gabrielle

A1 and A2 in RBAC
A1 = Authentication: authentication means the user identity has been verified with a shared secret, usually the password. At CERN, RBAC authenticates users via NICE, CERN's central credential service. Kerberos could be used for ESS. The challenge is the authentication of users from many different labs (federation).
A2 = Authorization: authorization means that the user has been granted the authority to execute a particular action. At CERN authorization applies to settings in the front ends; the authorization is granted to a particular role.

RBAC with EPICS
A1: User sends a request from the Application to be authenticated by the RBAC server. RBAC authenticates the user via user name and password. RBA returns the token to the application. Kerberos is a good candidate for this.
A2: The token is verified on initiating a session between Client and Server. The request is verified by the Server at the time it is sent.
Before Runtime: The RBAC server generates an access control file (access map) for a Server.
(Diagram: Application / Channel Access Client, RBAC Server, Channel Access server / IOC, access configuration file (.acf), Public Key)

Differences:
Where and when the access rights are checked: EPICS: the access rights are sent by the CA* server to the CA client at the time of the connection, so the CA client is aware of the access rights, and the CA server checks the access rights. RBAC: the access rights are kept on the middleware (CMW) server and checked by the server.
Syntax of the access map: EPICS: a Channel Access 'access control file' syntax is used. RBAC: an ASCII table is used.
Authentication protocol: EPICS: proposed protocol is Kerberos**. RBAC: NICE authentication.
*CA = Channel Access
** proposal

Differences:
Who: users and roles. EPICS uses the userid of the channel access client. RBAC uses the roles distributed in the RBAC token.
Where: authentication by location. EPICS uses the hostid where the user is logged on; this is the host on which the channel access client exists. RBAC uses the application name and the IP address. This enables the authentication by location, i.e. control room.
What: settings and PVs. EPICS protects each individual field of records. Each record has a field containing the Access Security Group (ASG) to which the record belongs. RBAC protects each setting in the FESA database.

Differences
When: beam mode and current values as variables. EPICS: access rules can contain input links and calculations similar to the calculation record, thereby including current values of process variables as part of the access privilege. RBAC is able to protect the devices relative to the beam mode. This is programmed in the CMW*.
* CMW = Central Middle Ware