Changes between Version 19 and Version 20 of SPIDocs

Sep 22, 2014 11:17:30 AM (7 years ago)



  • SPIDocs

    v19 v20  
    296296A project also is linked to a [wiki:SPIDocs#Circles circle] named after the project.  A project named `myproject` will have a linked circle `myproject:myproject`.  The system keeps the membership of that circle and the project synchronized.  By assigning rights to that circle, users can assign rights to all project members.
    298 The operations on projects are controlled by the `Projects` [wikiSPIDocs#Services service].
     298The operations on projects are controlled by the `Projects` [wiki:SPIDocs#Services service].
    300300When a researcher joins the testbed by [wiki:SPIDocs#CreatingNewUsers creating a user instance], one of the few operations the testbed will allow them to carry out is to propose a project.  The intended workflow is that a researcher comes to the testbed, joins it by creating a user instance and then gains rights by proposing a project that is approved.  Then that user (and other users to which it delegates rights) can administer access under that project.
    302302==== Project Permissions ====
    304 Any member of a project may have one or more of the following permissions that define the operations that user can carry ont on the project itself.  The permissions are:
     304Any member of a project may have one or more of the following permissions that define the operations that user can carry out on the project itself.  The permissions are:
    306306||= Permission Name =||= Meaning =||
    334334A user with the `REMOVE_USER` permission can unilaterally remove other users from the project by calling the `removeUsers` operation.  The owner of a project cannot be so removed.
    336 ==== Ownership ====
     336==== Project Ownership ====
    338338When a project is created, an owner for that project is designated.  It is generally the user who successfully called `createProject`, though ownership may be designated for projects created by administrators.  The owner's identity may be a factor in project approval, depending on how the testbed is administered.
    340 The owner is given all permissions to a project and these generally cannot be altered.  The owner of a project cannot be removed from the project.
     340The owner controls the contents of the [wiki:SPIDocs#ProjectProfileManagement project profile ] and is the only project member who can remove the project from the system (though administrators can also do that).
    342342The owner (and administrators) can change the owner of a project by calling the `setOwner` operation.
    344 ==== Changing Permissions ====
     344==== Changing Project Permissions ====
    346346A user that has both `ADD_USER` and `REMOVE_USER` permissions to a group can change the permissions granted to a user in the group.  The `changePermissions` operation in the `Projects` service is used to do this.  It takes a projectid, a list of users, and a new set of permissions.  It returns an array of results indicating the outcome of each requested change.
    348 ==== Profile Management ====
     348==== Project Profile Management ====
    350350The `Projects` [wiki:SPIDocs#Services service] supports the operations described in the [wiki:SPIDocs#Profiles profiles] description to allow applications to manipulate project profiles.
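Review bot: The replacement text at line 340 drops both owner statements from the old paragraph (that the owner is given all permissions, which generally cannot be altered, and that the owner cannot be removed from the project). In the visible lines, the Project Ownership section now covers only profile control, project removal and `setOwner`. The non-removal rule still appears at line 334 under `REMOVE_USER`, but the all-permissions statement is gone. If it still holds, keep that sentence and append the new one after it; if it no longer holds, say whether `changePermissions` can be applied to the owner. Two smaller points: the new link has a stray space before the closing bracket in `[wiki:SPIDocs#ProjectProfileManagement project profile ]`, and the unchanged line 346 says "permissions to a group" and "a user in the group" in a section that otherwise says project.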
    360360These are documented below.
     362=== Circles ===
     364Circles are groups of users used to share the contents of experiments and libraries among users.  One can think of them as lightweight projects of collaborating researchers who are working together on related experiments.
     366The key distinction between the two kinds of user groups is that a project confers access to the testbed resources in the large based on delegation of trust.  A circle confers rights to specific experiments and libraries.  Project membership is a prerequisite to accessing the testbed at all; circle memberships control access to specific abstraction instances inside the testbed.
     368Once the testbed administration has palced their trust in a user through the project abstraction, they are free to collaborate without any further significant administrative oversight through the circles system.
     370Projects and circles are related.  Each project has a linked circle that contains all the users who are members of the project.  The system keeps that circle and project membership synchronized.  One can think of assigning the rights to manipulate experiments and libraries to projects as existing Emulab code does.  Under the covers it is the linked circle that conveys the rights.
     372Whenever a user is created, a circle, [wiki:SPIDocs#CircleNames named] ''userid'':''userid'', is also created containing only that user.  One can use this circle to assign rights to a user and only that user. This circle behaves like all other circles, but may seem special because of the membership and [wiki:SPIDocs#CirclePermissions permissions] assigned to it.  There is only the one member, and that member does not have the rights to modify the circle membership.  The system removes this circle when and if the user is removed.
     374==== Circle Names ====
     376Every circle has a unique ''circleid'' that names it in the testbed.  Circle names are scoped by either userids or projectids.  A circleid has the form of either:
     378 * userid:local_name
     379 * projectid:local_name
     381So there may be circles named `some_user:students` and `some_project:students`.  They are distinct.
     383That scoping serves 2 purposes: disambiguating common names and providing a way to distinguish certain names.  We expect that many users will set up circles with local names like `test`, `students`, `assistants` and the like.  The user interfaces built on the SPI can scope such names by the userid creating them and hide the prefix unless it is necessary to disambiguate.
     385When a user creates a name in scoped by a project name, it is functionally equivalent to a userid-scpoed name, but applications may choose to distinguish them.  One can easily imagine that `some_user:students` and `some_project:students` refer to different sets of users and that the project-prefixed circle is administered more carefully and used more widely.
     386The right to create a circle in a project's name space - prefixed by the projectid - is controlled by [wiki:SPIDocs#ProjectPermissions project permissions].
     388==== Circle Permissions ====
     390Like [wiki:SPIDocs#ProjectPermissions projects], each user in a circle may have one or more of the following permissions that define the operations that user can carry out on the circle itself.  The permissions are:
     392||= Permission Name =||= Meaning =||
     393|| ADD_USER || Request that a user be added to the project or confirm a request by a user to join the project ||
     394|| REALIZE_EXPERIMENT ||Allocate resources to an experiment and carry it out so that it is accessible to the members of this circle ||
     395|| REMOVE_USER || Remove a user from the project.  Any objects they have created in the project's namespace remain ||
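Review bot: In the new Circle Permissions table, the `ADD_USER` row (line 393) and the `REMOVE_USER` row (line 395) describe adding a user to "the project" and removing a user from "the project", with objects remaining in "the project's namespace". This reads as carried over from the project permissions table. Line 366 draws the line between what a project confers and what a circle confers, so these rows should say circle, or state explicitly if the circle permission really acts on the project. Line 372 says the sole member of a ''userid'':''userid'' circle cannot modify its membership but does not say which of the listed permissions that member does hold; naming them would make the default clear. Typos to fix before merging: "palced" (line 368), "creates a name in scoped by" and "userid-scpoed" (line 385). Line 386 follows line 385 with no blank line between them, so it will render as part of the same paragraph; if it is meant as a separate paragraph, add the blank line.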