-
Leigh B Stoller authored
1) Implement the latest dataset read/write access settings from frontend to backend. Also updates for simultaneous read-only usage. 2) New configure options: PROTOGENI_LOCALUSER and PROTOGENI_GENIWEBLOGIN. The first changes the way that projects and users are treated at the CM. When set, we create real accounts (marked as nonlocal) for users and also create real projects (also marked as nonlocal). Users are added to those projects according to their credentials. The underlying experiment is thus owned by the user and in the project, although all the work is still done by the geniuser pseudo user. The advantage of this approach is that we can use standard emulab access checks to control access to objects like datasets. Maybe images too at some point. NOTE: Users are not removed from projects once they are added; we are going to need to deal with this, perhaps by adding an expiration stamp to the groups_membership tables, and using the credential expiration to mark it. The second new configure option turns on the web login via the geni trusted signer. So, if I create a sliver on a backend cluster when both options are set, I can use the trusted signer to log into my newly created account on the cluster, and see it (via the emulab classic web interface). All this is in flux, might end up being a bogus approach in the end.
85cb063b