SRSS Addon: FLButselector
From Sun Ray User Group Wiki
SRSS Kiosk mode overview
The Sun Ray Server Software supports a Kiosk Mode (previously known as CAM or Controlled-Access Mode).
A Kiosk is a type of server session, as opposed to a fully interactive user's "Regular" desktop session running on the Sun Ray server. The server administrator predefines a set of applications running in a Kiosk session. The Kiosk applications are executed on the Sun Ray server in the context of an unprivileged Unix user account (typically utcu* or utku*) with a temporary home directory, which is created from the template for the session and destroyed when the session terminates.
This is useful in unauthenticated constrained environments, such as information kiosks in libraries, or when the Sun Ray server is used merely as an anonymous connection tier to deliver Windows remote desktops (RDP) or Unix desktops (Xnest, VNC).
Sun Ray Administration GUI allows the administrator to configure the DTUs (without an inserted smartcard) to spawn either Kiosk/CAM sessions, no sessions or NSCM sessions. CAM in SRSS 3.x was somewhat limited in that it only allowed all of the users' registered tokens to spawn either Regular sessions or CAM sessions. Kiosk mode in SRSS 4.x allows registered tokens to be individually assigned to Regular or Kiosk sessions (or take the server's default type of session).
Now, the Sun Ray Server Software differentiates end-users by the tokens they present to the server. A token can be a physical one (i.e. an individual smart card), a logical one (the login/password pair in NSCM mode) or a pseudo-token (based on the MAC address of the Sun Ray DTU client). Individual tokens can be registered in the Sun Ray datastore with some additional information fields. Sun Ray DTUs can also be registered in another part of the datastore.
One drawback of Kiosk/CAM mode in the Sun Ray architecture is that the server only supports one Kiosk mode configuration. As a result, a number of software integration projects were developed in the past couple of years (and sometimes opensourced as community projects) which allow creation of a special "broker" Kiosk configuration. Such Kiosk-mode broker software takes additional information from its configured sources and spawns different end-user applications for different end-users.
The configuration information is most often stored in the "Other Info" field of the registered token or DTU descriptions of the Sun Ray datastore. This way any changes are automatically propagated to all servers in the fail-over group (FOG).
Such projects include (not limited to this list, additions welcome):
- FLButselector as described below and
FLButselector
The project currently known as FLButselector is positioned as an "application-selection framework" for SRSS Kiosk/CAM modes.
Besides simply executing a specified end-user application, as a typical CAM configuration would, this script-based framework also determines the current session's parameters (registered apps, user's real name) and, at the very least, allows creating customized kiosk sessions (for example, pre-setting the Windows user name and domain name in the Sun Ray Windows Connector).
One interesting feature of FLButselector is that the same logic can be applied to filter the startup of Regular sessions in order to spawn specific applications, configure the home directory or some temporary files, etc. In a particular configuration, this filter can abort the Regular session if the user logged in with a name different from the smartcard token's registered owner.
It was developed for in-house use and some customers' deployment by Jim Klimov, CTO of JSC COS&HT (Center of Open Systems and High Technologies, Russia) with many ideas derived from the SunRay-Users community mailing list and ThinkThin blogs. It was the first solution in this class known to the author, so it was only reasonable to open-source this project after it was tested, packaged and documented, and put it out on the community SVN repository.
The product (core logic as well as documentation and some sample wrapper scripts) is packaged in a number of Solaris packages for ease of deployment. A ZIPfile with the packages is also available in the Sun Ray Community SVN repository.
Download and Install
- Current version is 1.1.0 packaged for Solaris Jun 13, 2008
- To install:
- Unzip
- cd into the package directory
- Run: for F in FLB*pkg.gz; do gzcat "$F" > /tmp/flb.pkg && pkgadd -G -d /tmp/flb.pkg; done
- cd /opt/flb/doc to read more detailed documentation of utselect/library logic and individual wrapper scripts. This documentation is also available online in SVN.
- cd /opt/flb/etc to copy the default config files (from *.conf to *.conf.local) and create your very own customized Kiosks ;)
- For systems other than Solaris you might need to download the individual files from the sources in SVN. Due to little testing, problems under Linux are to be expected. Contributed fixes for these problems are desired in SVN ;)
FLButselector basic structure
FLButselector contains some core "libraries", the SRSS Kiosk session executable script "utselector", and a number of "wrapper scripts" (provided in the package as well as developed by customers for themselves).
It is a set of scripts written in bash shell. Customization is simple: customers can create their own wrapper scripts, and more often they simply make custom configuration files (*.conf.local) based on the sample/default (*.conf) files.
The FLButselector package includes some rather large installation documentation and architecture text files. I'd like to give a rather short overview below, in order to interest casual readers in trying out the package for themselves ;)
The "libraries" serve as a sort of API between the SRSS command-line administration tools and any logic between FLButselector's core or wrapper scripts. They are shell-script include files which parse available information about the session environment and set a large number of shell variables with retrieved information.
The libraries getterm_info.inc, getterm_srmac.inc and getuser_regtoken.inc parse available information about the registered token and DTU. The library getuser_regtoken_checkinfo.inc can determine (and set) whether the session is a Regular or a Kiosk/CAM one, and whether the Unix user login name matches the registered information.
An important special library utselect_classify_situation.inc, as its name implies, "classifies the situation". Based on the environment, it sets the UTSELECTOR_SITUATION variable which allows the logic in other scripts to quickly determine whether the session is a Kiosk or Regular one, whether a token was presented or not, and whether the token was configured "correctly".
FLButselector includes an SRSS Kiosk session executable script called "utselector". This script can be configured as the Kiosk/CAM mode session's critical application (typically under the compact CDE window manager), or it can be symlinked to /usr/dt/config/Xsession.d/0005.utselector to become an X11 session startup filter and act (differently) upon both Kiosk and Regular sessions.
According to UTSELECTOR_SITUATION and customizable configuration settings, the scripted logic in utselector can, for example, reject misconfigured tokens with a descriptive error message or present some default Kiosk sessions (via specified wrapper scripts). These defaults can be configured in the config files as well as overridden in the SRSS datastore descriptions of the specific Sun Ray DTU.
Typically the UTSELECTOR_SITUATION is "KC" (Kiosk-Correct) or "KN" (Kiosk-NoToken). In this case the wrapper script name is taken from the pipe-separated sub-fields in the token's or DTU's "Other Info" field, and the wrapper script is executed.
The "wrapper scripts" are generally executables which live in the /opt/flb/bin/ directory, which can be binary programs or scripts. They can execute any logic and ultimately launch end-users' applications.
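The dispatch step described above, as an added example that is not part of FLButselector: a shell function that gates on UTSELECTOR_SITUATION and turns the "Other Info" field into a wrapper path under /opt/flb/bin/ only after validating it. The function names, the field layout (wrapper name as the first sub-field) and the sample values are assumptions.

```bash
# Added example, not FLButselector code. Assumed "Other Info" layout:
#   wrapper-name|arg1|arg2   (the page only says "pipe-separated sub-fields")
FLB_WRAPPER_DIR="${FLB_WRAPPER_DIR:-/opt/flb/bin}"   # wrapper directory named on the page

# resolve_wrapper SITUATION OTHER_INFO   (hypothetical helper)
# Prints the absolute wrapper path; returns 1, 2 or 3 on rejection.
resolve_wrapper() {
    situation=$1
    other_info=$2

    # Only the two situations the page names lead to a wrapper launch.
    case "$situation" in
        KC|KN) ;;
        *) echo "reject: situation '$situation' launches no wrapper" >&2; return 1 ;;
    esac

    # Assumption: the first pipe-separated sub-field is the wrapper name.
    name=${other_info%%|*}

    # The field is free text from the datastore: accept a bare file name only,
    # so "../x", "/bin/sh" or "a;b" never reach the path built below.
    case "$name" in
        ''|.*|*[!A-Za-z0-9._-]*)
            echo "reject: bad wrapper name '$name'" >&2; return 2 ;;
    esac

    path="$FLB_WRAPPER_DIR/$name"
    # Require a regular executable file; a symlink could point outside the directory.
    if [ -L "$path" ] || [ ! -f "$path" ] || [ ! -x "$path" ]; then
        echo "reject: '$path' is not an executable wrapper" >&2; return 3
    fi
    printf '%s\n' "$path"
}

# Constructed demo: throwaway wrapper directory and made-up field values.
demo() {
    FLB_WRAPPER_DIR=$(mktemp -d) || return 1
    printf '#!/bin/sh\nexit 0\n' > "$FLB_WRAPPER_DIR/demo-wrapper"
    chmod 755 "$FLB_WRAPPER_DIR/demo-wrapper"
    for info in 'demo-wrapper|winhost' '../../bin/sh|x' 'missing|x'; do
        resolve_wrapper KC "$info" || echo "  -> rc=$?"
    done
    rm -rf "$FLB_WRAPPER_DIR"
}
if [ "${1:-}" = demo ]; then demo; fi
```

A caller would run the returned path directly and pass the remaining sub-fields as separate, quoted arguments rather than through eval.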
In case of the wrapper-scripts provided with FLButselector package, there is an easily customizable version of the three-button message-box selector (originally by ThinGuy), an Acrobat Reader launcher to present the specified PDF form, a browser launcher (firefox/mozilla/opera), an uttsc and an rdesktop wrapper which connects to a Windows server specified in the Token parameters, and an original "uttsc-select" script which presents a list of preconfigured Windows servers (and optionally a line to enter a server name) to connect to.
The wrapper scripts, if they are indeed scripts, can also source the FLButselector "libraries" to fetch environment information and classify the situation. This makes it possible to have custom features based on this common API even in applications launched from the Kiosk session's context menu.
Acknowledgements
I would like to express my thanks again to all the cool people who made this possible - developers of SRSS, the Sun employees active in blogs and in the mailing list, and particularly to Stoyan Angelov for maintaining and evolving the Sun Ray Community infrastructure.
I hope that this overview was short enough to keep you concentrated and informative enough to get you interested.
If there's something you'd like to change - this is a Wiki, after all... ;)
//Jim Klimov

