whole-tale / terraform_deployment

Terraform deployment setup for WT prod
BSD 3-Clause "New" or "Revised" License

Jetstream system accounts #3

Open craig-willis opened 6 years ago

craig-willis commented 6 years ago

We've been exploring options for controlling access to data stored in Swift on Jetstream. The solution suggested by Jetstream support is for the PI to request additional shared management accounts. We'll need two different accounts: one with read-only and one with read-write access to Swift. This will allow us to configure these system users in the WT software instead of using personal accounts, which are effectively admins.

Tasks:

craig-willis commented 6 years ago

Update from Jetstream team

So I did some more chatting with folks here at Jetstream.

• ACLs are available, BUT because we use Keystone-auth for connectivity with XSEDE, and Keystone only recognizes tenants (which are currently tied to XSEDE Projects, not users), you can't assign a per-user ACL. Essentially you can change between READ-only and READ-WRITE per tenant/project, but you CANNOT have one user with Read/Write and another with Read-Only.

Potential work-arounds:

1) Get a second allocation (as that could have different permissions).
2) Use S3 instead of Swift. You can then generate AWS-style credentials which will be honored by the object store but not compute, since currently EC2 isn't running. (This would only need 1 shared admin account.)
3) You can use something like "TEMPURL" ( https://www.swiftstack.com/docs/admin/middleware/tempurl.html ) with a really long timeout period. (This also would only need 1 shared admin account.)

We realize you're trying to be a good user here, but the limits of operating inside a communal shared XSEDE allocation system put certain restrictions on us.
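Work-around 3 above relies on Swift's TempURL middleware. As an added illustration (this is not code from the issue or from the Whole Tale project), the block below implements the TempURL signing scheme in Python together with the check the object store performs on an incoming request: the signature is an HMAC-SHA1 over the HTTP method, the expiry timestamp and the object path, so a URL signed for GET cannot be replayed as a PUT, and a URL past its expiry is rejected. The temp-url key, the `/v1/AUTH_.../` object path and the timestamps are constructed sample values, not values from Jetstream.

```python
import hashlib
import hmac
from typing import Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample values (not real Jetstream credentials or paths).
SAMPLE_KEY = b"constructed-temp-url-key"
SAMPLE_PATH = "/v1/AUTH_example/datasets/tale-42/data.tar"
SAMPLE_NOW = 1_700_000_000          # pretend "current" Unix time
SAMPLE_EXPIRES = SAMPLE_NOW + 3600  # one-hour window


def make_temp_url(key: bytes, method: str, path: str, expires: int) -> str:
    """Build a Swift-style TempURL: path?temp_url_sig=...&temp_url_expires=...

    The HMAC body is "<METHOD>\\n<expires>\\n<path>", which binds the
    signature to one verb and one object, not just to the key holder.
    """
    body = f"{method}\n{expires}\n{path}".encode()
    sig = hmac.new(key, body, hashlib.sha1).hexdigest()
    query = urlencode({"temp_url_sig": sig, "temp_url_expires": expires})
    return f"{path}?{query}"


def verify_temp_url(key: bytes, method: str, url: str, now: int) -> Tuple[bool, str]:
    """Server-side check of a TempURL for a request using `method` at time `now`.

    Returns (accepted, reason). The expiry check runs before the HMAC check,
    and the HMAC comparison is constant-time.
    """
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    sig = qs.get("temp_url_sig", [None])[0]
    expires_raw = qs.get("temp_url_expires", [None])[0]
    if sig is None or expires_raw is None:
        return False, "missing temp_url_sig or temp_url_expires"
    try:
        expires = int(expires_raw)
    except ValueError:
        return False, "malformed expiry"
    # Design choice here: the expiry second itself is treated as expired.
    if now >= expires:
        return False, "expired"
    expected = hmac.new(
        key, f"{method}\n{expires}\n{parts.path}".encode(), hashlib.sha1
    ).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


def demo() -> dict:
    """Exercise the read-only case the issue cares about: a GET-only URL."""
    url = make_temp_url(SAMPLE_KEY, "GET", SAMPLE_PATH, SAMPLE_EXPIRES)
    other_object = SAMPLE_PATH.replace("data.tar", "other.tar")
    tampered = url.replace(SAMPLE_PATH, other_object)
    return {
        "get_ok": verify_temp_url(SAMPLE_KEY, "GET", url, SAMPLE_NOW),
        "put_with_get_url": verify_temp_url(SAMPLE_KEY, "PUT", url, SAMPLE_NOW),
        "after_expiry": verify_temp_url(SAMPLE_KEY, "GET", url, SAMPLE_EXPIRES + 1),
        "other_object": verify_temp_url(SAMPLE_KEY, "GET", tampered, SAMPLE_NOW),
        "wrong_key": verify_temp_url(b"some-other-key", "GET", url, SAMPLE_NOW),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In real Swift the key is the account's `X-Account-Meta-Temp-URL-Key` metadata, and changing that key invalidates every outstanding TempURL at once; with the "really long timeout" suggested above, that key rotation is the only way to cut off a URL before it expires, so the rotation step belongs in the deployment's runbook alongside the URL generation.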