LDAP For Alarms and Authorization
Matthias Clausen (DESY)
Overview
The LDAP schema file and the LDIF files can be found on the CSS web site: http://css.desy.de/content/e428/e262/e260/index_eng.html
The LDAP screen dumps were created using Apache Directory Studio and JXplorer.
LDAP Tree
Currently the LDAP tree consists of FOUR main branches:
– EpicsControls: structured list of ALL IOCs with ALL records. Reference for the namespace browser. Location to persist alarm states.
– EpicsAlarmcfg: alh-like alarm tree (support for interactive configuration in CSS).
– EpicsAuthorize: applying (access) roles to users.
– EpicsAuthorizeID: applying authorize IDs to access roles.
EpicsControls
Tree is filled by:
– Based on the dbl -> iocName.db files
– Initially a set of scripts created the LDAP entries
– Now a Java program runs periodically, checks for new/changed *.db files and updates the LDAP tree
IOC name / IP address is set by: script / program
Record entries (alarm states) are written by:
– InterConnection Server (alarm states read from the IOC); set to invalid if the IOC is disconnected from the IC server
– CSS Alarm Table and CSS Alarm Tree on alarm acknowledge
Record entries (alarm states) are read by:
– CSS Alarm Tree, to display current alarm states
Note: each record MUST be defined in EpicsControls and MAY be defined multiple times in EpicsAlarmcfg!
EpicsControls Tree Structure
ou=EpicsControls
– efan=TTF (facility name)
  – ecom=EPICS-IOC (component)
    – econ=ttfKryo (controller)
      – eren=recordName (record name)
EpicsControls Subcomponents
epicsController
– epicsIPAddress: important for finding the (logical) IOC name for an established IP connection, e.g. by the InterConnection Server.
– ecom: important for finding the IOC name for a given record name. Save changes in iocName.ca; use caPut to write iocName.ca back to the IOC at the end of an IOC reboot.
Note @DESY: IOCs always keep their logical name! IOC hardware (e.g. VME boards) always keeps the IP address of the HARDWARE. Thus the IP addresses of (logical) IOCs may change!
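The two slides above define the EpicsControls DN layout and the two lookups built on it (IP address to logical IOC name, record name to IOC name). The following is an added example, not code from the CSS/DESY project: it builds DNs in that layout with RFC 4514 escaping, so that a record name containing "," or "+" cannot terminate its RDN early and rewrite the rest of the DN, emits the LDIF the periodic *.db import would add, and keeps the two indexes. The attribute types (efan, ecom, econ, eren, epicsIPAddress) are the slides'; the object class names, the directory suffix and the sample IOC, IP and record values are assumptions of this example.

```python
"""Building EpicsControls DNs and an IP/record -> IOC index.

Added example, not code from the CSS/DESY project. Attribute types follow the
slides; object class names, suffix and sample values are assumptions.
"""

BASE_DN = "ou=EpicsControls"  # the directory suffix below this is assumed

# RFC 4514 section 2.4: these characters must be escaped inside an RDN value;
# a leading '#' or space and a trailing space must be escaped as well.
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape an RDN value so a record name containing ',' or '+' cannot
    close its RDN early and smuggle extra DN components (DN injection)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _SPECIAL or (i == 0 and ch == "#"):
            out.append("\\" + ch)
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def controller_dn(facility: str, component: str, controller: str) -> str:
    """DN of an IOC: econ=<controller>,ecom=<component>,efan=<facility>,ou=EpicsControls."""
    return ",".join([
        f"econ={escape_rdn_value(controller)}",
        f"ecom={escape_rdn_value(component)}",
        f"efan={escape_rdn_value(facility)}",
        BASE_DN,
    ])


def record_dn(facility: str, component: str, controller: str, record: str) -> str:
    """DN of a record: eren=<record> directly below its controller."""
    return f"eren={escape_rdn_value(record)}," + controller_dn(facility, component, controller)


def controller_ldif(facility, component, controller, ip, records):
    """LDIF for one IOC entry plus its record entries (object classes assumed)."""
    lines = [
        f"dn: {controller_dn(facility, component, controller)}",
        "objectClass: epicsController",
        f"econ: {controller}",
        f"epicsIPAddress: {ip}",
        "",
    ]
    for rec in records:
        lines += [
            f"dn: {record_dn(facility, component, controller, rec)}",
            "objectClass: epicsRecordName",
            f"eren: {rec}",
            "",
        ]
    return "\n".join(lines)


class ControlsIndex:
    """The two lookups described on the slides: IP address -> logical IOC
    name (used by the InterConnection Server) and record name -> IOC name."""

    def __init__(self):
        self._by_ip = {}
        self._by_record = {}

    def add_controller(self, controller, ip, records):
        # An IOC's IP address may change after a hardware swap, so the most
        # recent import wins for the IP -> IOC mapping.
        self._by_ip[ip] = controller
        for rec in records:
            # A record must be defined exactly once in EpicsControls.
            if rec in self._by_record and self._by_record[rec] != controller:
                raise ValueError(f"record {rec!r} already owned by IOC {self._by_record[rec]!r}")
            self._by_record[rec] = controller

    def ioc_for_ip(self, ip):
        return self._by_ip.get(ip)

    def ioc_for_record(self, record):
        # None means the record is not defined in EpicsControls at all.
        return self._by_record.get(record)


# Constructed sample: one IOC of facility TTF with two records (not real DESY data).
SAMPLE_RECORDS = ["TTF:KRYO:T1", "TTF:KRYO:P1"]
INDEX = ControlsIndex()
INDEX.add_controller("ttfKryo", "192.0.2.10", SAMPLE_RECORDS)

if __name__ == "__main__":
    print(controller_ldif("TTF", "EPICS-IOC", "ttfKryo", "192.0.2.10", SAMPLE_RECORDS))
    print(INDEX.ioc_for_ip("192.0.2.10"), INDEX.ioc_for_record("TTF:KRYO:P1"))
```

The escaping matters most for the eren RDN, since record names come from IOC database files that the directory importer does not control; a record named "x,ou=Evil" must land as one escaped RDN, not as a new entry somewhere else in the tree.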
EpicsControls Subcomponents
epicsRecordName (eren)
– epicsAlarmAcknTimeStamp
– epicsAlarmHighUnAckn (highest unacknowledged alarm)
– epicsAlarmSeverity
– epicsAlarmStatus
– epicsAlarmTimeStamp
EpicsAlarmcfg
Tree is filled by:
– Manual entries using the CSS Alarm Tree interactively (next slide)
– Automated entries retrieved from the alh config files
Record entries (alarm states) are written by:
– InterConnection Server (alarm states read from the IOC); set to invalid if the IOC is disconnected from the IC server
– CSS Alarm Table and CSS Alarm Tree on alarm acknowledge
Record entries (alarm states) are read by:
– CSS Alarm Tree, to display current alarm states
Alarms can only be written to those records in EpicsAlarmcfg which have been defined here!
Note: each record MUST be defined in EpicsControls and MAY be defined multiple times in EpicsAlarmcfg!
Configuring the Alarm Tree (EpicsAlarmcfg)
– Adding components (root nodes) and records (leaves) to the Alarm Tree interactively
– Changes are stored in the current LDAP server
– Configuring root nodes (logical structure) and leaves (records) using the default Eclipse property view
– Root nodes and leaves share the same properties
Properties:
– Alarm Display (CSS display)
– Display (CSS display)
– Help Guidance (text)
– Help Page (HTTP address)
– Strip Chart (Data Browser config file)
EpicsAlarmcfg Subcomponents
epicsRecordName (eren)
– epicsAlarmAcknTimeStamp
– epicsAlarmHighUnAckn (highest unacknowledged alarm)
– epicsAlarmSeverity
– epicsAlarmStatus
– epicsAlarmTimeStamp
– epicsCssAlarmDisplay
– epicsCssDisplay
– epicsCssStripChart
– epicsHelpGuidance
– epicsHelpPage
EpicsAlarmcfg Sub-Functionalities: Alarm Acknowledge
Acknowledge from the Alarm Tree or from the Alarm Table (flow: CSS acknowledge -> LDAP and JMS)
– The CSS acknowledge is written DIRECTLY to the LDAP persistence
– An acknowledge JMS message is created to send the acknowledge to ALL CSS instances, so that each of them sets the acknowledge flag correctly (even the CSS instance which generated the JMS message!)
– CSS instances register for the ACK topic
EpicsAuthorize
Tree is filled by:
– Automated entries created by the DESY registry; computer accounts and access grants are defined there centrally
– No manual entries allowed
Entries are read by:
– CSS Security plugin
EpicsAuthorize Tree Structure
ou=EpicsAuthorize
– ou=Css (organizational unit; the CSS group for authorization (group))
  – eagn=Admin (admins of the Css group (role))
    – eaun=claus (epicsAccesUserName; at DESY: the DESY account)
EpicsAuthorizeID (not yet functional)
Tree is filled by:
– For now: only manual entries
– A CSS plugin is planned to ease entering new IDs
Entries are read by:
– CSS Security plugin
EpicsAuthorizeID Tree Structure
ou=EpicsAuthorizeID
– ou=SDS (organizational unit)
  – eain=remoteManagement (ID name)
    – eair=admin (role)
    – eaig=css (group)
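The two tree structures above (EpicsAuthorize and EpicsAuthorizeID) together answer the question the CSS Security plugin has to ask: may this account perform this authorize-ID? As an added example, not the plugin's own code, the following reads a small constructed LDIF for both branches, collects (group, role, user) memberships from the eaun entries and the (role, group) each eain requires, and denies anything not explicitly granted. It uses the attribute types from the slides (eagn, eaun, eain, eair, eaig); the object class names, the sample accounts, the treatment of eair/eaig as attributes of the eain entry, and the case-insensitive comparison (the slides write "Admin" and "admin", "Css" and "css") are assumptions of this example. The LDIF reader handles folded lines and base64 ("::") values and nothing more.

```python
"""Resolving CSS authorization from EpicsAuthorize and EpicsAuthorizeID.

Added example, not the CSS Security plugin's code. Attribute types follow the
slides; object classes, sample accounts and the eair/eaig layout are assumed.
"""
import base64
from collections import defaultdict

# Constructed sample directory content (not real DESY data): one Admin and one
# Operator of the Css group, and one authorize-ID requiring admin in css.
SAMPLE_LDIF = """\
dn: eagn=Admin,ou=Css,ou=EpicsAuthorize
objectClass: epicsAccessGroupName
eagn: Admin

dn: eaun=claus,eagn=Admin,ou=Css,ou=EpicsAuthorize
objectClass: epicsAccesUserName
eaun: claus

dn: eaun=operator1,eagn=Operator,ou=Css,ou=EpicsAuthorize
objectClass: epicsAccesUserName
eaun:: b3BlcmF0b3Ix

dn: eain=remoteManagement,ou=SDS,ou=EpicsAuthorizeID
objectClass: epicsAuthorizeId
eain: remoteManagement
eair: admin
eaig: css
"""


def parse_ldif(text):
    """Return a list of entries, each a dict attr -> [values] ('dn' included)."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:      # folded continuation line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, attrs = [], defaultdict(list)
    for line in unfolded + [""]:                    # trailing "" flushes the last entry
        if not line.strip():
            if attrs:
                entries.append(dict(attrs))
                attrs = defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                   # attr:: base64value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attrs[name.strip().lower()].append(value)
    return entries


def parse_dn(dn):
    """Split a DN into (type, value) pairs, leaf first. Assumes no escaped
    commas in values, which holds for the sample and plain account names."""
    pairs = []
    for rdn in dn.split(","):
        t, _, v = rdn.partition("=")
        pairs.append((t.strip().lower(), v.strip()))
    return pairs


class AuthorizationIndex:
    """Memberships (group, role, user) from EpicsAuthorize and the (role, group)
    each authorize-ID requires from EpicsAuthorizeID; values compared
    case-insensitively as LDAP caseIgnoreMatch would (an assumption here)."""

    def __init__(self, entries):
        self.memberships = set()
        self.required = {}
        for e in entries:
            pairs = parse_dn(e["dn"][0])
            types = [p[0] for p in pairs]
            # eaun=<user>,eagn=<role>,ou=<group>,...,ou=EpicsAuthorize
            if types[:3] == ["eaun", "eagn", "ou"] and pairs[-1][1].lower() == "epicsauthorize":
                user, role, group = (p[1].lower() for p in pairs[:3])
                self.memberships.add((group, role, user))
            if "eain" in e:
                self.required[e["eain"][0].lower()] = (e["eair"][0].lower(), e["eaig"][0].lower())

    def roles_of(self, user):
        """All (group, role) pairs the user holds."""
        u = user.lower()
        return {(g, r) for g, r, m in self.memberships if m == u}

    def is_authorized(self, user, id_name):
        """True only if the ID is defined and the user holds its role in its
        group. An unknown ID is denied, never allowed by default."""
        req = self.required.get(id_name.lower())
        if req is None:
            return False
        role, group = req
        return (group, role, user.lower()) in self.memberships


INDEX = AuthorizationIndex(parse_ldif(SAMPLE_LDIF))

if __name__ == "__main__":
    for user in ("claus", "operator1", "nobody"):
        print(user, INDEX.roles_of(user), INDEX.is_authorized(user, "remoteManagement"))
```

Because EpicsAuthorize is written only by the central registry, the plugin side needs no write access to that branch; a read-only bind for the lookups above is enough, and the deny-by-default on unknown IDs means that an ID added to EpicsAuthorizeID by hand grants nothing until a matching role entry exists.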