General * There is one course per project. * The project_head is the primary instructor * Anybody with group_root permission is assumed to be a TA 1. Instructors and TA's are allowed to sudo to any student on the ops node Instructors may sudo to a TA but not converseley. 2. Experiment Permissions When an experiment is created in the default group, only the student's home directory and /proj//exp/ are exported to the nodes in the experiment. If the experiment is created in a subgroup of the main project, normal export permissions already isolate students from others (except for those in the group). /proj directory exports are applied as above. The ssh public keys of the instructor and TA's are put into the root .ssh/authorized_keys file so that the instructors can log into any node to grade the experiment (as class exercise) or debug it. 3. Web Interface Instructors and TA's are allowed to Freeze, Thaw and SU as a student and edit a student's profile 4. Recycleable student accounts. Student accounts are not created in the normal manner (create an account, apply to join an existing project) - instead: A stem is chosen for the project, say in the case of the project USC558L, sc558, and then a number of accounts are generated of the form sc558[a-z][a-z] as many are need to accomodate the students in the class. The instructor provides a list of email address, and the one account is assigned per email address. At the end of the semester, the student accounts are wiped - all experiments headed by the student are terminated, all files underneath the students home directory are deleted, the passwords changed to something random, all public ssh keys and ssl certs recorded in the database are flushed and then randomly regenerated as in a new account. student accounts may not join other projects. A student may be taking more than one course and only have one (student) email address; we added a couple of warts to deal with this - There is an ancillary table in the database called email_aliases; and when the account is assigned the .forward is set to this and the students email becomes e.g. sc558ab@users.isi.deterlab.net So, for all users, students or not, we require web login by uid only and not email address.