Changes between Version 19 and Version 20 of SPIDocs


Timestamp:
Sep 22, 2014 11:17:30 AM (10 years ago)
Author:
faber
Comment:

--

  • SPIDocs

    v19 v20  
    296296A project also is linked to a [wiki:SPIDocs#Circles circle] named after the project.  A project named `myproject` will have a linked circle `myproject:myproject`.  The system keeps the membership of that circle and the project synchronized.  By assigning rights to that circle, users can assign rights to all project members.
    297297
    298 The operations on projects are controlled by the `Projects` [wikiSPIDocs#Services service].
     298The operations on projects are controlled by the `Projects` [wiki:SPIDocs#Services service].
    299299
    300300When a researcher joins the testbed by [wiki:SPIDocs#CreatingNewUsers creating a user instance], one of the few operations the testbed will allow them to carry out is to propose a project.  The intended workflow is that a researcher comes to the testbed, joins it by creating a user instance and then gains rights by proposing a project that is approved.  Then that user (and other users to which it delegates rights) can administer access under that project.
     
    302302==== Project Permissions ====
    303303
    304 Any member of a project may have one or more of the following permissions that define the operations that user can carry ont on the project itself.  The permissions are:
     304Any member of a project may have one or more of the following permissions that define the operations that user can carry out on the project itself.  The permissions are:
    305305
    306306||= Permission Name =||= Meaning =||
     
    334334A user with the `REMOVE_USER` permission can unilaterally remove other users from the project by calling the `removeUsers` operation.  The owner of a project cannot be so removed.
    335335
    336 ==== Ownership ====
     336==== Project Ownership ====
    337337
    338338When a project is created, an owner for that project is designated.  It is generally the user who successfully called `createProject`, though ownership may be designated for projects created by administrators.  The owner's identity may be a factor in project approval, depending on how the testbed is administered.
    339339
    340 The owner is given all permissions to a project and these generally cannot be altered.  The owner of a project cannot be removed from the project.
     340The owner controls the contents of the [wiki:SPIDocs#ProjectProfileManagement project profile ] and is the only project member who can remove the project from the system (though administrators can also do that).
    341341
    342342The owner (and administrators) can change the owner of a project by calling the `setOwner` operation.
    343343
    344 ==== Changing Permissions ====
     344==== Changing Project Permissions ====
    345345
    346346A user that has both `ADD_USER` and `REMOVE_USER` permissions to a group can change the permissions granted to a user in the group.  The `changePermissions` operation in the `Projects` service is used to do this.  It takes a projectid, a list of users, and a new set of permissions.  It returns an array of results indicating the outcome of each requested change.
    347347
    348 ==== Profile Management ====
     348==== Project Profile Management ====
    349349
    350350The `Projects` [wiki:SPIDocs#Services service] supports the operations described in the [wiki:SPIDocs#Profiles profiles] description to allow applications to manipulate project profiles.
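
Review bot: the replacement at line 340 removes the statement that the owner is given all permissions to a project and that these generally cannot be altered, so after this change the page no longer says whether `changePermissions` (line 346) may be applied to the owner. Line 334 still documents that the owner cannot be removed, but the permissions guarantee is gone; if it still holds, keep that sentence next to the new text about the project profile and project removal. Smaller points: the new link has a stray space before the closing bracket in `project profile ]`, the renamed headings change their anchors, so existing links to the old `Ownership`, `Changing Permissions` and `Profile Management` sections should be checked, and line 346 speaks of permissions "to a group" in a section that is otherwise about projects.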
     
    359359
    360360These are documented below.
     361
     362=== Circles ===
     363
     364Circles are groups of users used to share the contents of experiments and libraries among users.  One can think of them as lightweight projects of collaborating researchers who are working together on related experiments.
     365
     366The key distinction between the two kinds of user groups is that a project confers access to the testbed resources in the large based on delegation of trust.  A circle confers rights to specific experiments and libraries.  Project membership is a prerequisite to accessing the testbed at all; circle memberships control access to specific abstraction instances inside the testbed.
     367
     368Once the testbed administration has palced their trust in a user through the project abstraction, they are free to collaborate without any further significant administrative oversight through the circles system.
     369
     370Projects and circles are related.  Each project has a linked circle that contains all the users who are members of the project.  The system keeps that circle and project membership synchronized.  One can think of assigning the rights to manipulate experiments and libraries to projects as existing Emulab code does.  Under the covers it is the linked circle that conveys the rights.
     371
     372Whenever a user is created, a circle, [wiki:SPIDocs#CircleNames named] ''userid'':''userid'', is also created containing only that user.  One can use this circle to assign rights to a user and only that user. This circle behaves like all other circles, but may seem special because of the membership and [wiki:SPIDocs#CirclePermissions permissions] assigned to it.  There is only the one member, and that member does not have the rights to modify the circle membership.  The system removes this circle when and if the user is removed.
     373
     374==== Circle Names ====
     375
     376Every circle has a unique ''circleid'' that names it in the testbed.  Circle names are scoped by either userids or projectids.  A circleid has the form of either:
     377
     378 * userid:local_name
     379 * projectid:local_name
     380
     381So there may be circles named `some_user:students` and `some_project:students`.  They are distinct.
     382
     383That scoping serves 2 purposes: disambiguating common names and providing a way to distinguish certain names.  We expect that many users will set up circles with local names like `test`, `students`, `assistants` and the like.  The user interfaces built on the SPI can scope such names by the userid creating them and hide the prefix unless it is necessary to disambiguate.
     384
     385When a user creates a name in scoped by a project name, it is functionally equivalent to a userid-scpoed name, but applications may choose to distinguish them.  One can easily imagine that `some_user:students` and `some_project:students` refer to different sets of users and that the project-prefixed circle is administered more carefully and used more widely.
     386The right to create a circle in a project's name space - prefixed by the projectid - is controlled by [wiki:SPIDocs#ProjectPermissions project permissions].
     387
     388==== Circle Permissions ====
     389
     390Like [wiki:SPIDocs#ProjectPermissions projects], each user in a circle may have one or more of the following permissions that define the operations that user can carry out on the circle itself.  The permissions are:
     391
     392||= Permission Name =||= Meaning =||
     393|| ADD_USER || Request that a user be added to the project or confirm a request by a user to join the project ||
     394|| REALIZE_EXPERIMENT ||Allocate resources to an experiment and carry it out so that it is accessible to the members of this circle ||
     395|| REMOVE_USER || Remove a user from the project.  Any objects they have created in the project's namespace remain ||
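
Review bot: in the new Circle Permissions table, the `ADD_USER` and `REMOVE_USER` rows (lines 393 and 395) still describe the project ("added to the project", "Remove a user from the project", "the project's namespace"), although line 390 introduces them as operations on the circle itself. Reword both rows for circles, or state explicitly if a circle permission is meant to affect project membership, since the two groups confer different rights (line 366). Typos to fix in the added text: "palced" at line 368, and "creates a name in scoped by" and "userid-scpoed" at line 385. Line 386 also needs a blank line before it, or it will run into the paragraph at line 385.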