FRIB Database Security

This material is based upon work supported by the U.S. Department of Energy Office of Science under Cooperative Agreement DE-SC0000661.Michigan State University designs and establishes FRIB as a DOE Office of Science National User Facility in support of the mission of the Office of Nuclear Physics.

FRIB Database Security

V. Vuppala,Controls DB Meeting

Security Requirements Access Control Specification Access Control Realization Security Architecture Design Concerns Summary

Overview

, Slide 2

General• Authentication and Authorization• Role-based access control• Delegation

Structural• Controlled access to components, their attributes and relationships• Area Managers are responsible for structural data

Behavioral or Operational• Controlled access to Operation of the Accelerator• Not managed by area managers• Operations Group responsible for Controls System (CS)• Experimental Group responsible for CS in Experimental Areas• Dynamic Access Control (Check-in/out Model)

Services• Controlled access to application functionality

Security Requirements

V. Vuppala,Controls DB Meeting, Slide 3

Information Architecture

, Slide 4V. Vuppala,Controls DB Meeting

Application layer• Operator interfaces• High-level applications• Libraries

Service layer• Access to data• Programming Interface

Data layer• Managed data• Instrument data• No direct access

Example


S1

S2

S3Services

Application

1. What is the PV for XXX?

2. PV is PS01

3. Add Log E

ntry ‘YY

Y’ to L1

4. Done

5. ca

put P

S01 10

6. Don

e

Persons, Groups, Roles Core

• Grouping of Components Based on Areas• Areas Associated with Roles• Grouping of Components Based on Operations• Operational Groups Associated with Roles• Develop a Tool to Specify Authorization and Delegation

Services• Each Application Has Its Own Authorization Data

Access Specification


Roles


class Data Model

Role

«column»*PK ID :INTEGER Name :CHAR(64)

«PK»+ PK_Role(INTEGER)

Person

«column»*PK ID :INTEGER Name :CHAR(64)* LoginID :CHAR(32)

«PK»+ PK_Person(INTEGER)

«unique»+ UQ_Person_LoginID(CHAR)

Group

«column» ID :INTEGER Name :CHAR(64) Description :VARCHAR(255)

0..* 0..*

0..*

0..1+parent 0..*

{acyclic}

+child 0..*

0..*

0..1

Authorization: Core Structural


class Data Model

Configuration-Component

«column»*PK ID :INTEGER* Qualifier :CHAR(1) Instance :CHAR(4) Operational :BOOL

«PK»+ PK_Configuration-Component(INTEGER)

AreaElement

«column»*PK ID Name :CHAR(64)

«PK»+ PK_AreaElement()

Role



AreaPriv s

- Description :char- privilege :int

0..1

0..*

+Parent 0..1

{acyclic}

+Child 0..*

0..*0..*

Authorization: Core Operational


class Data Model

Configuration-Component

«column»*PK ID :INTEGER* Qualifier :CHAR(1) Instance :CHAR(4) Operational :BOOL

«PK»+ PK_Configuration-Component(INTEGER)

Role



OpsElement

«column» ID :INTEGER Name :CHAR(64) Description :VARCHAR(255)

OpsPriv s

- Description :char- Privileges :int

0..*

0..*

0..10..*

Access Control: Realization


S1

S2

S3

1. What is the PV for XXX?

[Token]

2. PV is PS01

3. Add Log E

ntry ‘YY

Y’ to L1.

[Token]

4. Done

5. ca

put P

S01 10

.

[Toke

n]

6. Don

e

Auth

Credentials

Token

Channel Access Does Not Support Tokens• Develop a Gateway?

Auth Service • Use Kerberos or Develop New Service• Single Point of Failure: Redundant Servers

Each Service Needs to Provide Security Configuration Tool• No Good Generic Way to Provide Service-Level Authorization

What About Dynamic Access Control?• Develop an Application for Reservation and Release (Check-in/out)

Concerns


Authentication/Authorization Service Ticket Based System Persons, Groups, Roles Component Groupings for Core Security Specifications Service-Level Access Control left to Services Access Controls on IOCs Tools

• To Specify Core Authorizations• To Specify Service-Level Authorizations• To Reserve and Release Components

Architecture


Security Must Be Integrated Into DesignNot Very TrivialNo PrecedenceWork In Progress

Summary

, Slide 13V. Vuppala,Controls DB Meeting

Documents

FRIB Database Security