1. 14 Mar, 2017 1 commit
  2. 26 Jul, 2016 1 commit
    • Leigh Stoller authored · 68e019a5
      Add new status for users, "inactive". Mostly to support not having so
      many ZFS mounts on ops, which on the Mothership is on the order of 8000
      or so. Deactivate/reactivate a user with:
      
      	boss> wap tbacct deactivate -u <user>
      	boss> wap tbacct reactivate -u <user>
      
      Deactivate will set the shell to nologin and set the ZFS mountpoint=none.
      Reactivate will undo that. Note that these do not HUP mountd.
  3. 09 Mar, 2016 1 commit
  4. 01 Feb, 2016 1 commit
  5. 10 Nov, 2015 1 commit
  6. 22 Apr, 2015 1 commit
  7. 02 Apr, 2015 1 commit
  8. 01 Apr, 2015 1 commit
    • Leigh Stoller authored · 105c42e1
      Tighten up permissions granted to geni users coming from the GPO Portal.
      We now ask the portal for the user's project membership list, and if the
      user is not a member of any (unexpired) projects, we do not allow them to
      create experiments (or much of anything else) in the Cloud Portal. I did
      this by setting the local holding project trust to "user" and setting the
      webonly bit in the users table. The user can use the picker to see public
      profiles, but the create button tells them no dice, go join a project at
      the GPO portal.
      
      We make the project check each time the user logs in via the trusted
      signer.
  9. 31 Mar, 2015 1 commit
  10. 15 Feb, 2015 1 commit
  11. 28 Jan, 2015 1 commit
  12. 27 Jan, 2015 1 commit
  13. 12 Jan, 2015 1 commit
  14. 24 Sep, 2014 1 commit
  15. 27 Aug, 2014 1 commit
    • Leigh Stoller authored · 980f6cbd
      Large set of changes for using the Geni trusted signer tool, to
      authenticate Geni users to CloudLab (who do not have Emulab accounts).
      CloudLab users must have an account to do anything (unlike APT which allows
      guest users). But instead of requiring them to go through the Emulab
      account creation (high bar), let them use their Geni credentials to prove
      who they are. We then build a local account for that new user, and save off
      the speaksfor credential so that we can act on their behalf when talking to
      the backend clusters (and their MA to get their ssh keys).
      
      These users do not have a local account password, so they cannot log into
      the web interface using the Emulab login page, nor do they have a shell on
      ops.
      
      Once authenticated, we put the appropriate cookies into the browser via
      javascript, so they can use the Cloud (okay, APT) web interface (they
      appear logged in).
      
      I make use of the nonlocal_id field of the users table, which was not being
      used for anything else. Officially, these are "nonlocal" users in the code
      (IsNonLocal()).
      
      When a nonlocal user instantiates a profile, we use their speaksfor
      credential to ask their home MA for their ssh keys, which we then store in
      the DB, and then provide to the aggregate via the CreateSliver call.
      Note that no provision has been made for users who edit their profile and
      add keys; I am not currently expecting these users to stumble into the web
      interface (yet).
  16. 21 Aug, 2014 2 commits