-
Leigh B Stoller authored
and always import into the GeniSlices project. Previously, images were being imported into the project of the slice experiment, by the geniuser. When PROTOGENI_LOCALUSER is turned off, this change does not affect anything, since it is still geniuser doing the import, and all imported images are consider global and thus cross-project usable. So where we stick the image is not really important, but putting all geni imported images in one place is more convenient (sure makes it easier to find them). But more important, this change is backwards compatible with existing imports. Later, if the source image is updated, and a new user (in another project) uses that image, the update (pulling the updated image scross) is done by geniuser (who is the leader of all geni holding projects), who has write access to the image whatever project it is in. What about when PROTOGENI_LOCALUSER is turned on? There are actually two sub cases here. 1. The user is using an aggregate in a different domain then their SA. Say, when a Cloudlab Portal user is creating an experiment at the Clemson cluster (which has PROTOGENI_LOCALUSER=1). In this case, clemson does not know anything about the user anyway, and so its pretty much like the case described above since everything is done by the geniuser in holding projects owned by the geniuser. 2. The user is using the same aggregate as their SA. Say, when a Cloudlab Portal user is creating an experiment at the Emulab cluster. In this case Emulab knows the user and project, and everything is done as that user in the actual project (there is no geni holding project). If we import the image into that project as the actual user, we are okay at first; as above, all images are global and cross-project, so anyone can use it. But what if the source image changes and then a different user in a different project tries to use it? The backend is going to try to import the new version, but that fails cause the current user does not have write access to the image. Hence the real reason for this change; if always import into GeniSlices as geniuser, we do not get into this permission problem.
0c653722