    Two co-mingled sets of changes: · 85cb063b
    Leigh B Stoller authored
    1) Implement the latest dataset read/write access settings from frontend to
       backend. Also updates for simultaneous read-only usage.
    
    2) New configure options: PROTOGENI_LOCALUSER and PROTOGENI_GENIWEBLOGIN.
    
       The first changes the way that projects and users are treated at the
       CM. When set, we create real accounts (marked as nonlocal) for users and
       also create real projects (also marked as nonlocal). Users are added to
       those projects according to their credentials. The underlying experiment
       is thus owned by the user and in the project, although all the work is
       still done by the geniuser pseudo user. The advantage of this approach
       is that we can use standard emulab access checks to control access to
       objects like datasets. Maybe images too at some point.
    
       NOTE: Users are not removed from projects once they are added; we are
       going to need to deal with this, perhaps by adding an expiration stamp
       to the groups_membership tables, and using the credential expiration to
       mark it.
    
       The second new configure option turns on the web login via the geni
       trusted signer. So, if I create a sliver on a backend cluster when both
       options are set, I can use the trusted signer to log into my newly
       created account on the cluster, and see it (via the emulab classic web
       interface).
    
       All this is in flux, might end up being a bogus approach in the end.