Ceph permissions
The ICAT investigation users table is populated using information from the User Office SharePoint and Visits System.
Permissions on the Ceph 'RB' directories are set by ICAT proposal ingestion code that runs every hour. The code reads a table in ICAT called 'InvestigationUser' that links users to investigations; this information is then transferred to two destinations: the federal Active Directory and a JSON file called excitations.txt. The following instruments are managed using this system, although it could be extended to include additional instruments:
- IMAT
- LARMOR
- LET
- MAPS
- MARI
- MERLIN
- MUSR
- SANS2D
- WISH
Members of the experiment team are inserted into an Active Directory group named after the experiment RB number. This group has permissions to write and read the contents of the experiment RB folder. There is an additional group for each instrument that contains the instrument scientists who are allowed to write and read all RB folders for their instrument. The Active Directory only sets Access Control List (ACL) permissions. ACL permissions allow a directory to belong to multiple groups, enabling more versatility in which groups can access experiment data.
The Autoreduction user does not acquire permissions through this system; it relies on ISIS compute.
The excitations.txt file is read by a Cron job that also runs every hour; it performs the following tasks:
- Creates local user accounts
- Creates RB directories and sets the GID to the experiment RB number
- Maps Unix users to RB groups
The Autoreduction user is added to every directory group associated with an Autoreduction instrument.
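As an added example (not the project's own code), the following derives the Unix group membership and directory GID each RB should end up with from an excitations.txt-style file, then audits an observed state for drift such as a wrong GID or an extra group member. The JSON field layout, the `autoreduce` account name and the set of Autoreduction instruments are assumptions, since the page does not document them.

```python
import json

# Constructed sample of excitations.txt; the real schema is not documented
# on the page, so this field layout is an assumption.
EXCITATIONS_JSON = json.dumps([
    {"rb": 1910123, "instrument": "MERLIN", "users": ["alice", "bob"]},
    {"rb": 1910456, "instrument": "MAPS",   "users": ["carol"]},
])

AUTOREDUCTION_USER = "autoreduce"                              # placeholder name
AUTOREDUCTION_INSTRUMENTS = {"LET", "MAPS", "MARI", "MERLIN"}  # assumed subset

def desired_state(excitations_text):
    """Map each RB number to the Unix group members and directory GID it
    should have: the experiment team, plus the Autoreduction user on
    Autoreduction instruments. The GID is the RB number itself."""
    state = {}
    for entry in json.loads(excitations_text):
        rb = int(entry["rb"])
        members = set(entry["users"])
        if entry["instrument"] in AUTOREDUCTION_INSTRUMENTS:
            members.add(AUTOREDUCTION_USER)
        state[rb] = {"gid": rb, "members": members}
    return state

def audit(desired, observed):
    """Compare the desired state with what is observed on the filesystem and
    in the group database. `observed` maps RB -> {"gid": int, "members": set}.
    Extra members are the finding that matters most: they can read data
    they were never granted. Returns (rb, finding, detail) tuples."""
    findings = []
    for rb, want in desired.items():
        have = observed.get(rb)
        if have is None:
            findings.append((rb, "missing", None))
            continue
        if have["gid"] != want["gid"]:
            findings.append((rb, "wrong_gid", have["gid"]))
        for user in sorted(have["members"] - want["members"]):
            findings.append((rb, "extra_member", user))
        for user in sorted(want["members"] - have["members"]):
            findings.append((rb, "missing_member", user))
    # Directories/groups that exist but are not in excitations.txt at all
    for rb in sorted(set(observed) - set(desired)):
        findings.append((rb, "unmanaged", None))
    return findings
```

Running `audit(desired_state(EXCITATIONS_JSON), observed)` hourly alongside the Cron job gives a drift report that the provisioning step itself does not produce.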