[dmccune@pppl.gov: TRANSP server/queue policy (2nd message) -- access control]

From: Doug Mccune (dmccune@pppl.gov)
Date: Thu Oct 11 2001 - 15:56:09 PDT

Next message: David P. Schissel: "Meeting During IEEE Vis in San Diego"
Previous message: Doug Mccune: "[dmccune@pppl.gov: "rmonitor" database -- run monitoring]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

------- Start of forwarded message -------
Date: Thu, 11 Oct 2001 18:53:41 -0400 (EDT)
From: Doug Mccune <dmccune@pppl.gov>
To: nfs-workers@apollo.gat.com
Subject: TRANSP server/queue policy (2nd message) -- access control
Reply-to: dmccune@pppl.gov
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII

Hi,

This is my promised 2nd message.

Our access control method of administration is quite simple. We can
add or remove "servers" or "queues", named objects, from the system.
By default, these come into existance without restriction; anybody who
can access TRANSP input data and data prep software can queue a run.
This is the case of the object's "access control list" is empty. If
it not empty, it has the form

(<name>|~<name>)[,(<name>|~<name>),...]

<name> can name users or projects. If one or more <name>s are present,
one must be on the list to have access. ~<name> prohibits access by
the named entity. Thus:

NSTX

means only the NSTX project can use the queue;

EFTHIMION

meahs only physicist EFTHIMION can use the queue;

BUDNY,KAYE,~TFTR

means the queue can be used by physicists BUDNY or KAYE but not for
TFTR (project) runs.

JET,~DMCCUNE

means the queue can be used for JET runs, as long as they are not
requested by DMCCUNE.

(use of the ~ construct is rare, in practice).

Since there are "several" queues, all users get some service. But by
manipulating these access control lists, we can reserve portions of
the service for specific users or projects.

There are other aspects of queues in the legacy TRANSP system, such
as the maximum number of concurrent runs/queue, but... these might not
be relevant for a future system, it will depend on the properties of
PBS or whatever.

Obviously, the above syntax assumes that the intersection of the
set of project names and the set of user names is null. Instead we
might want to have a system where project or "group" names and
usernames are explicitly separated.

Hope this helps..................

--Doug
------- End of forwarded message -------

===============================================================================

This message was sent to the SciDAC National Fusion Collaboratory (NFC)
workers list nfc-workers. Visit the Collaboratory at
<http://www.fusiongrid.org/>.

To unsubscribe from this list, please send a message to
majordomo@fusion.gat.com with the following text in the *body* of the
message: unsubscribe nfc-workers

David P. Schissel: <schissel@fusion.gat.com> <http://fusion.gat.com/~schissel/>

Next message: David P. Schissel: "Meeting During IEEE Vis in San Diego"
Previous message: Doug Mccune: "[dmccune@pppl.gov: "rmonitor" database -- run monitoring]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.1 : Thu Feb 07 2002 - 15:40:41 PST