NDCLab / lab-devOps

NDCLab mgmt and operations
GNU Affero General Public License v3.0

HPC | Lab Member Access #219

Closed jessb0t closed 1 year ago

jessb0t commented 1 year ago
  1. Script that can be used to grant new lab member read-only access to all analysis and tool projects, plus to all dataset projects with the exception of sourcedata and derivatives
  2. Script that can be used to grant new project team member read-only access to sourcedata and derivatives, and user-specified write access
  3. Script that can be used to grant project lead full read/write access (this may already exist).
  4. Script to remove a user from all lab repos.
  5. Script to allow auditability (all users in group and their permissions).

davhunt commented 1 year ago

I added some scripts! So, in scripts/compl,

  1. onboard-new.sh should do this
  2. I wasn't sure exactly what "user-specified write access" refers to here, or how it'd be implemented, so holding off on this atm.
  3. new-project-lead.sh should do this (includes sourcedata and derivatives)
  4. We already had this in remove.sh
  5. print-permissions.sh should do this with a list of users or projects. And this should generalize/replace what print-membership.sh did so we shouldn't really need that anymore

jessb0t commented 1 year ago

For #2: user can pass any folder name (and user name) to grant read/execute and/or write access

davhunt commented 1 year ago

Added 2. add-custom-permissions.sh to grant read/execute, read/write/execute to specific project subfolders

jessb0t commented 1 year ago

David to look into how to remove all group-level access to all folders (since users do not seem to be removed from the group when removal is requested administratively).

jessb0t commented 1 year ago

Revisions:

jessb0t commented 1 year ago

Test Comments:

onboard-new.sh TBD

new-project-lead.sh TBD

add-custom-permissions.sh TBD

print-permissions.sh TBD

remove.sh

2023-02-23a: Tested this command bash remove.sh {userid} -p /home/data/NDClab/datasets/readAloud-valence-dataset (where {userid} was replaced with an actual id, but I am anonymizing that here). The script appeared to try to remove the user from all datasets, despite my use of the -p flag.

2023-02-23b: I get a setfacl "Operation not permitted" error, implying that I cannot currently run this script.

new-dataset.sh TBD

jessb0t commented 1 year ago

3/27/2023: Pending testing.

jessb0t commented 1 year ago

4/11/2023: Testing complete!
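
An added example, not part of this thread and not one of the lab's scripts: one way to approach the auditability item (5) and the question of access that remains through group entries after a user is removed. It parses `getfacl -R` text output into one row per user or group entry. The paths, user names, group name and function names below are constructed for illustration.

```shell
# Added example: per-user and per-group ACL audit from `getfacl -R` text output.
# Constructed sample input; on a real host this would be: getfacl -R -p <project-dir>
sample_acl() {
cat <<'EOF'
# file: /data/lab/datasets/demo-dataset
# owner: lead1
# group: labgrp
user::rwx
group::r-x

# file: /data/lab/datasets/demo-dataset/sourcedata
# owner: lead1
# group: labgrp
user::rwx
user:member1:r-x
user:former1:rwx   #effective:r-x
group::---
group:labgrp:r-x
mask::r-x
default:user:member1:r-x
EOF
}

# Print TSV rows: path, scope (access|default), kind (user|group), name, perms.
audit_acl() {
  awk -F: '
    /^# file: /  { path  = substr($0, 9);  next }
    /^# owner: / { owner = substr($0, 10); next }
    /^# group: / { ogrp  = substr($0, 10); next }
    /^#/ || /^[ \t]*$/ { next }
    {
      # getfacl annotates entries that the mask restricts; report the effective bits
      eff = match($0, /#effective:/) ? substr($0, RSTART + 11, 3) : ""
      sub(/[ \t]*#.*/, "")
      scope = "access"; i = 1
      if ($1 == "default") { scope = "default"; i = 2 }
      kind = $i; name = $(i + 1); perms = (eff != "" ? eff : $(i + 2))
      if (kind != "user" && kind != "group") next       # skip mask and other
      if (name == "") name = (kind == "user" ? owner : ogrp)   # owner entries
      if (perms == "---") next                          # entry grants nothing
      printf "%s\t%s\t%s\t%s\t%s\n", path, scope, kind, name, perms
    }'
}

# Hypothetical helper: rows for a single user or group name.
entries_for() { audit_acl | awk -F'\t' -v n="$1" '$4 == n'; }

sample_acl | audit_acl
```

Rows of kind `group` show what a removed user would still reach through group membership, and `default` rows show entries that new files under a directory will inherit.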