General

* There is one course per project.
* The project_head is the primary instructor.
* Anybody with group_root permission is assumed to be a TA.

1. Instructors and TAs are allowed to sudo to any student on the ops node.
   Instructors may sudo to a TA but not conversely.

2. Experiment Permissions

   When an experiment is created in the default group, only the
   student's home directory and all of /proj/<Course> are exported to the
   nodes in the experiment.

   If the experiment is not in the default group, normal export
   permissions apply.

   The ssh public keys of the instructor and TAs are put into the
   root .ssh/authorized_keys file so that the instructors can log
   into any node to grade the experiment (as a class exercise) or
   debug it.

3. Web Interface

   Instructors and TAs are allowed to Freeze, Thaw and SU as a student
   and edit a student's profile.

4. Recyclable student accounts

   Student accounts are not created in the normal manner (create
   an account, apply to join an existing project). Instead:

   A stem is chosen for the project, say in the case of the
   project USC558L, sc558, and then a number of accounts are
   generated of the form sc558[a-z][a-z], as many as are needed
   to accommodate the students in the class.

   The instructor provides a list of email addresses, and
   one account is assigned per email address.

   At the end of the semester, the student accounts are wiped:
   all experiments headed by the student are terminated, all files
   underneath the student's home directory are deleted, the passwords
   are changed to something random, and all public ssh keys and ssl certs
   recorded in the database are flushed and then randomly regenerated
   as in a new account.

   Student accounts may not join other projects.

   A student may be taking more than one course and only have
   one (student) email address; we added a couple of warts to deal
   with this:

   There is an ancillary table in the database called email_aliases;
   when the account is assigned, the .forward is set to this
   and the student's email becomes e.g. sc558ab@users.isi.deterlab.net

   So, for all users, students or not, we require web login by uid only
   and not email address.
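
The naming and aliasing scheme in section 4, as an added example (not the testbed's own code), showing why one real address can end up behind several accounts and so cannot serve as a login key. The function names, the dict standing in for the email_aliases table, the stem sc599, the sample addresses, and the reading that each alias maps back to the student's real address are assumptions.

```python
from itertools import product
from string import ascii_lowercase

ALIAS_DOMAIN = "users.isi.deterlab.net"  # from the example address on the page


def account_names(stem):
    """Yield stem + [a-z][a-z] in order: stemaa, stemab, ..., stemzz (676 names)."""
    for a, b in product(ascii_lowercase, repeat=2):
        yield f"{stem}{a}{b}"


def assign_accounts(stem, emails):
    """Assign one recyclable account per distinct email address in a course.

    Returns {uid: real_email}. Addresses are compared case-insensitively
    (an assumption) and duplicates within one course get a single account.
    """
    distinct = list(dict.fromkeys(e.strip().lower() for e in emails if e.strip()))
    if len(distinct) > 26 * 26:
        raise ValueError(f"{len(distinct)} students exceed the 676 names for stem {stem!r}")
    return dict(zip(account_names(stem), distinct))


def build_email_aliases(*courses):
    """Merge per-course assignments into a stand-in for the email_aliases
    table: {alias_address: real_email} (mapping direction is an assumption)."""
    table = {}
    for course in courses:
        for uid, real in course.items():
            table[f"{uid}@{ALIAS_DOMAIN}"] = real
    return table


def uids_for_email(aliases, real_email):
    """All uids whose alias maps to real_email; more than one means the
    address cannot identify a single login."""
    return sorted(a.split("@")[0] for a, r in aliases.items() if r == real_email.lower())


# Constructed sample data: one student enrolled in two courses.
usc558l = assign_accounts("sc558", ["alice@example.edu", "bob@example.edu", "Alice@example.edu"])
other = assign_accounts("sc599", ["carol@example.edu", "alice@example.edu"])  # hypothetical stem
aliases = build_email_aliases(usc558l, other)

if __name__ == "__main__":
    print(usc558l)
    print(uids_for_email(aliases, "alice@example.edu"))
```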