#31: Authentication

We are excited to introduce the new test phase of Authentication in SA1.

Access to a GuiServer will now require logging in with a facility account (LDAP). One key update is that functional accounts will be limited to OPERATOR privileges. However, users can temporarily elevate their access level during a GUI session by logging in with a personal LDAP account. Each login to the GuiServer will generate a session-identifying token, which will be logged. All relevant Gui client actions will also be recorded, along with the token, in an audit file on the GuiServer machine. The link between the token and the user will be stored in an external database for a specified time period.

Please note that during this testing phase, we are focusing solely on user experience and interface, and no user login information will be stored.

Authentication Server Workflow

The Karabo Authentication Server login form is available under the following domain .

The server is accessible from both the office and control network.

When launching KaraboGui (Version 2.20.X or higher) and attempting to connect to a GuiServer device with authentication enabled, an authentication login panel will appear. By clicking on Open Access Form, the user is directed to the login page (1). Successfully logging in with LDAP credentials (2) generates an access code (3), which can then be entered in the GUI login panel (4) to establish a connection to the GuiServer.

Authentication workflow

Frequently Asked Questions

How many access levels does Karabo have?

For historic reasons, Karabo has 5 different access levels:

  • OBSERVER

  • USER

  • OPERATOR

  • EXPERT

  • ADMIN

The OBSERVER level corresponds to read-only access. Any reconfigurable parameter or Slot (Button) in Karabo should require at least USER access. Privileges increase progressively from top to bottom in the list.

Why do we have the access level USER?

The USER access level is the first level that permits reconfiguration of parameters. Historically, it was intended for users or operators from external facilities who were assigned the USER access level. However, this level may no longer serve a significant purpose and could be phased out in the future.

Remember Me - What is happening?

The Remember Me feature helps eliminate the need for repeated logins. Designed specifically for Instrument Control Hutches or BKR, this functionality allows each client computer to authenticate just once, as tokens are shared and refreshed automatically across clients. An authenticated client PC can then be used on any GuiServer device that requires authentication.

How can I remove my stored information?

It is possible to remove user login information with the menu bar: File -> Clear User Login

Clear Login Action

Why are group accounts limited to OPERATOR?

Instrument group accounts remain permanently logged in for daily operations. Since control hutches or the BKR may be open and accessible, these accounts should be restricted to the OPERATOR access level. If commissioning parameters (requiring EXPERT or ADMIN access) need to be modified, a temporary escalation with a properly authenticated personal account is possible.

Which privileges do I have?

Access levels are determined by group memberships and the KARABO_TOPIC of the GuiServer device. In the initial setup, instrument group memberships inherit privileges within their respective SASE.

Examples:

  • If your account belongs to the fxedata or exfl_fxe group, you have ADMIN rights in FXE, SA1, and LA1, and OPERATOR rights in SPB, etc.

  • If your account belongs to the spbdata or exfl_spb group, you have ADMIN rights in SPB, SA1, and LA1, and OPERATOR rights in FXE, etc.

  • If your account belongs to the la1data or exfl_la1 group, you have ADMIN rights in SA1 and LA1.

  • If your account belongs to fxedata or la1data, your rights are the same as the fxedata case above.

  • If your account belongs to the sa1data or exfl_sa1 group, you have ADMIN rights in SPB, FXE, SA1, and LA1.

  • If your account belongs to the exfl_vac group, you have ADMIN rights in SPB, FXE, SA1, and LA1.

Temporary Session - Duration

The maximum duration of a temporary session is configurable on the gui server, with a default of 1 hour. Once this time expires, the temporary session ends, and the client reverts to their previous maximum access level.
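The group-to-topic mapping from the examples above and the temporary-session expiry can be expressed as a small resolver. This is an added illustration, not code from Karabo; it assumes that a known instrument group grants OPERATOR outside its ADMIN topics, that an account with no known group gets OBSERVER, and that timestamps are plain seconds.

```python
from enum import IntEnum


class AccessLevel(IntEnum):
    """Karabo access levels, ordered from least to most privileged."""
    OBSERVER = 0
    USER = 1
    OPERATOR = 2
    EXPERT = 3
    ADMIN = 4


# Topics in which each group holds ADMIN rights, taken from the examples above.
GROUP_ADMIN_TOPICS = {
    "fxedata": {"FXE", "SA1", "LA1"}, "exfl_fxe": {"FXE", "SA1", "LA1"},
    "spbdata": {"SPB", "SA1", "LA1"}, "exfl_spb": {"SPB", "SA1", "LA1"},
    "la1data": {"SA1", "LA1"}, "exfl_la1": {"SA1", "LA1"},
    "sa1data": {"SPB", "FXE", "SA1", "LA1"}, "exfl_sa1": {"SPB", "FXE", "SA1", "LA1"},
    "exfl_vac": {"SPB", "FXE", "SA1", "LA1"},
}


def resolve_access_level(groups, topic):
    """Highest level any of the account's groups grants for KARABO_TOPIC `topic`.
    Assumption: a known group grants OPERATOR outside its ADMIN topics, and an
    account with no known group membership is read-only (OBSERVER)."""
    level = AccessLevel.OBSERVER
    for group in groups:
        admin_topics = GROUP_ADMIN_TOPICS.get(group)
        if admin_topics is None:
            continue  # unknown group: contributes nothing
        granted = AccessLevel.ADMIN if topic in admin_topics else AccessLevel.OPERATOR
        level = max(level, granted)
    return level


class FunctionalSession:
    """GUI session of a functional account: capped at OPERATOR, with a
    temporary escalation that lapses after max_duration_s (default 1 hour)."""
    def __init__(self, base_level, max_duration_s=3600):
        self.base_level = min(base_level, AccessLevel.OPERATOR)
        self.max_duration_s = max_duration_s
        self.elevated_level, self.elevated_at = None, None

    def elevate(self, personal_level, now_s):
        """Escalate using a personal LDAP login resolved to `personal_level`."""
        self.elevated_level, self.elevated_at = personal_level, now_s

    def effective_level(self, now_s):
        """Elevated level while the session is live, else the previous cap."""
        if self.elevated_at is not None and now_s - self.elevated_at < self.max_duration_s:
            return max(self.base_level, self.elevated_level)
        return self.base_level
```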

What user information is stored in the future?

Every client login to the GuiServer device is logged in a rotating file log, where only the access token is stored. From that point on, all client actions are logged using the access token in a separate AUDIT logging mechanism. The username associated with the access token is stored in an external database. This is not the case for the test phase.

Additionally, each Karabo device has a lastCommand property to track an action and its source, e.g. whether the action was triggered by the GuiServer or another device. This information is stored in the Influx database.

Can I see or have access to personal login data?

No.

Who decides which Device Properties have which access level?

The device developer determines the access levels for each parameter. Ideally, commissioning parameters that are rarely used should have a higher access level. On the other hand, operational parameters that are needed for daily routines should not require EXPERT access or higher. However, there are currently no formal guidelines in place.

By default, read-only properties are assigned an OBSERVER access level, while reconfigurable properties are set to USER.

Which access roles are available in KaraboGui?

The following access roles are available in the karaboGui. Since this is fairly new, they are sometimes not fully enforced; future versions might be more restrictive.

  • AccessRole.SCENE_EDIT: EXPERT

  • AccessRole.MACRO_EDIT: OPERATOR

  • AccessRole.PROJECT_EDIT: OPERATOR

  • AccessRole.SERVICE_EDIT: OPERATOR

  • AccessRole.INSTANCE_CONTROL: OPERATOR

The core idea is that various editing functions, as well as instance or service control, require an OPERATOR access level.

Currently, an exception to this rule is scene management, such as activating the design mode of a scene for modification, which is restricted to clients with EXPERT access. In the future, features like project editing, macro editing, and service (device servers) and device control, such as shutdowns, should also be restricted to the OPERATOR access level.