Access Control in the ATLAS TDAQ Online Cluster
Main author: | Leahu, Marius Constantin |
---|---|
Language: | eng |
Published: | 2013 |
Subjects: | Computing and Computers |
Online access: | http://cds.cern.ch/record/1504816 |
_version_ | 1780927225687703552 |
---|---|
author | Leahu, Marius Constantin |
author_facet | Leahu, Marius Constantin |
author_sort | Leahu, Marius Constantin |
collection | CERN |
description | ATLAS (A Toroidal LHC Apparatus) is a general-purpose detector for studying high-energy particle interactions: it is the largest particle detector experiment at CERN and it is built around one of the interaction points of the proton beams accelerated by the Large Hadron Collider (LHC). The detector generates an impressive amount of raw data: 64 TB per second, the result of a 40 MHz proton-proton collision rate with 1.6 MB of data for each such event. This data rate is handled by a three-level Trigger and Data Acquisition (TDAQ) system, which filters out the events that are not relevant from the physics research point of view and in the end selects on the order of 1000 events per second to be stored for offline analysis. This system comprises a significant number of hardware devices, software applications and human personnel supervising the experiment operation. Their protection against damage resulting from misuse, and their optimized exploitation by avoiding conflicting accesses to resources, are key requirements for the successful running of ATLAS. At the same time the number of users accessing the experiment resources from CERN and external institutes is considerable: the experiment is a collaboration involving roughly 3,000 physicists at 174 institutions in 38 countries. Additionally, the users are characterized by high mobility between on-site presence and their home universities. All these operating conditions call for an access control mechanism to protect the ATLAS resources. This thesis presents our contribution to the analysis, design, implementation and deployment of the access control solution for the protection of the ATLAS Online cluster and the TDAQ software running on it. The authors were involved in the research activity at CERN from 2004 to 2008 in the ATLAS System Administration team and the TDAQ Controls and Configuration team. 
The access control solution we worked on is a step forward from the model based on group accounts used in past experiments at CERN to a model characterized by individual user accounts and the assignment of permissions to users by means of roles and a role hierarchy. Hence the access control solution for the ATLAS Online cluster revolves around the Role Based Access Control (RBAC) model, which fulfills the ATLAS experiment's requirements for action traceability and accountability and offers the flexibility to accommodate the high number of users. The original contribution of this thesis consists in designing a solution on top of the RBAC model to address in a coherent way the protection needs from the cluster system administration level (remote access, login on the nodes, restricting the execution of tools on the nodes) to the TDAQ software level (TDAQ components protecting their functions). At the same time, the solution is open for integration with other experiment systems through the command line client and the Application Programming Interface offered in Java and C++. Our work focuses on the authorization of user actions based on the access control policies, while the user authentication function is handled by the system administration specific services. The solution applies the RBAC concepts at the system administration level with traditional Linux security mechanisms, for seamless integration in the Scientific Linux CERN running on the cluster nodes. At the application level, we developed a dedicated service (TDAQ Access Manager) to serve the TDAQ software components in managing the access control policies and to take the authorization decisions. We built this service on top of the OASIS XACML industry standard while paying special attention to the critical non-functional aspects like availability, performance, scalability and monitoring. We finished the deployment in production in time for the first beam accelerated in the LHC in autumn 2008. 
The setup currently consists of a high availability cluster of 6+1 nodes running the TDAQ Access Manager Service for ~3800 user accounts and ~440 roles. Each node of the Access Manager Service is able to handle ~800 authorization requests per second from TDAQ software running on the ~3000 nodes of the ATLAS Online cluster. It is integrated with the system administration monitoring system for continuous surveillance of service availability and performance. This production setup has run successfully over the last four years and has allowed ATLAS to take data steadily and efficiently, leading to the first major discovery: the Higgs boson. |
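The abstract describes the two properties that make RBAC with a role hierarchy fit the experiment's needs: permissions are attached to roles rather than to group accounts, so every decision is attributable to an individual account, and a senior role inherits what its junior roles may do. The following Python block is an added illustration of that model and is not the TDAQ Access Manager code (which is XACML-based and exposes Java and C++ APIs); it is a small policy decision point with deny-by-default decisions, transitive role inheritance with cycle rejection, and a decision log for traceability. Authentication is assumed to have happened elsewhere, as the abstract states, so `decide()` takes an already authenticated user id. All role, user and resource names are constructed for the example and are not the real ATLAS roles.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class RbacPolicy:
    """Policy store plus decision point for RBAC with a role hierarchy.

    Hypothetical illustration written for this page; not the TDAQ Access Manager.
    """

    # role -> permissions granted directly to that role, as (resource, action) pairs
    permissions: dict[str, set[tuple[str, str]]] = field(default_factory=dict)
    # senior role -> junior roles whose permissions it inherits
    inherits: dict[str, set[str]] = field(default_factory=dict)
    # individual user account -> roles assigned to it (no shared group accounts)
    assignments: dict[str, set[str]] = field(default_factory=dict)
    # every decision is recorded with the user id, so actions stay attributable
    audit: list[tuple[str, str, str, str]] = field(default_factory=list)

    def grant(self, role: str, resource: str, action: str) -> None:
        self.permissions.setdefault(role, set()).add((resource, action))

    def make_senior(self, senior: str, junior: str) -> None:
        """Let `senior` inherit everything `junior` may do; refuse hierarchy cycles."""
        if senior in self._closure(junior):
            raise ValueError(f"role hierarchy cycle: {senior} -> {junior}")
        self.inherits.setdefault(senior, set()).add(junior)

    def assign(self, user: str, role: str) -> None:
        self.assignments.setdefault(user, set()).add(role)

    def _closure(self, role: str) -> set[str]:
        """All roles reachable from `role` down the hierarchy, `role` itself included."""
        seen: set[str] = set()
        stack = [role]
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            stack.extend(self.inherits.get(r, ()))
        return seen

    def effective_roles(self, user: str) -> set[str]:
        """Assigned roles plus every junior role they inherit from."""
        roles: set[str] = set()
        for r in self.assignments.get(user, ()):
            roles |= self._closure(r)
        return roles

    def decide(self, user: str, resource: str, action: str) -> str:
        """Deny-by-default decision for an already authenticated user; logged for audit."""
        allowed = any(
            (resource, action) in self.permissions.get(r, ())
            for r in self.effective_roles(user)
        )
        decision = "Permit" if allowed else "Deny"
        self.audit.append((user, resource, action, decision))
        return decision


def build_demo_policy() -> RbacPolicy:
    """Constructed three-level hierarchy: observer < shifter < expert (names are hypothetical)."""
    p = RbacPolicy()
    p.grant("observer", "run_control", "read")
    p.grant("shifter", "run_control", "start_run")
    p.grant("expert", "detector_config", "modify")
    p.make_senior("shifter", "observer")  # a shifter may do whatever an observer may
    p.make_senior("expert", "shifter")    # an expert may do whatever a shifter may
    p.assign("alice", "shifter")
    p.assign("bob", "expert")
    return p


if __name__ == "__main__":
    policy = build_demo_policy()
    for user, resource, action in [
        ("alice", "run_control", "read"),        # inherited from observer
        ("alice", "detector_config", "modify"),  # only experts
        ("bob", "run_control", "read"),          # inherited two levels down
        ("mallory", "run_control", "read"),      # unknown account: deny by default
    ]:
        print(user, resource, action, "->", policy.decide(user, resource, action))
    for entry in policy.audit:
        print("audit:", entry)
```

The cycle check in `make_senior` matters because an inheritance loop would make every role in the loop equivalent, silently collapsing the hierarchy; the audit list stands in for the monitoring and logging the abstract says the production service integrates with.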
id | cern-1504816 |
institution | Organización Europea para la Investigación Nuclear |
language | eng |
publishDate | 2013 |
record_format | invenio |
spelling | cern-1504816 2019-09-30T06:29:59Z http://cds.cern.ch/record/1504816 eng Leahu, Marius Constantin Access Control in the ATLAS TDAQ Online Cluster Computing and Computers (abstract as in the description field above) CERN-THESIS-2013-003 oai:cds.cern.ch:1504816 2013-01-15T02:56:26Z |
spellingShingle | Computing and Computers Leahu, Marius Constantin Access Control in the ATLAS TDAQ Online Cluster |
title | Access Control in the ATLAS TDAQ Online Cluster |
title_full | Access Control in the ATLAS TDAQ Online Cluster |
title_fullStr | Access Control in the ATLAS TDAQ Online Cluster |
title_full_unstemmed | Access Control in the ATLAS TDAQ Online Cluster |
title_short | Access Control in the ATLAS TDAQ Online Cluster |
title_sort | access control in the atlas tdaq online cluster |
topic | Computing and Computers |
url | http://cds.cern.ch/record/1504816 |
work_keys_str_mv | AT leahumariusconstantin accesscontrolintheatlastdaqonlinecluster |