Authorizing Projects and Users
From TeraGrid Wiki
This page describes the procedures by which projects and users are authorized to access TeraGrid resources.
Steps 3-6 need to be reviewed and cleaned up. The extra info in the last section needs to be merged with the other steps.
Step 1: Get Authorization for a Project
- Most projects are authorized after going through the allocations process, via the POPS system. The xRAC process is detailed elsewhere. Start-up allocations are awarded via a lighter-weight DAC process, also initiated through POPS. The formal statement of allocations policies is detailed at the CI-Partnership site.
- Projects can also be authorized for TeraGrid staff work. Policy TG-6 describes how staff can make such requests.
- RP and GIG management have the option of authorizing discretionary projects for research groups outside of the normal allocations process. This is not common and, in general, researchers should be directed to the allocations process. However, RP/GIG management can send such requests directly to the allocations staff. This draft TG policy considered but decided against creating discretionary projects on a regular basis.
Step 2: Ensure Resources are in TGCDB
While it is recommended that RPs provide data to add a resource to TGCDB at the same time they are added to the POPS system for allocation, these are actually two distinct steps. To permit projects and users to be authorized on a resource, RPs should confirm with the accounting-wg that a resource has been set up properly. Instructions are on the TeraGrid_Compute_Resources page.
Step 3: Creating an Authorized Project
Step 3.a) A new project is created for this award in the TGCDB. The NCSA database is the master, and all changes must go through it. <The content, schema, format and availability of a Project Record are not clear to me>
Step 3.b) A match is searched for between the PI information from this proposal and the set of previously known TeraGrid users. The NCSA allocation group member checks against data already in the NCSA database. They may also have to check information on the web or send an e-mail to the proposer. This is a manual process.
Step 3.b.1) If a match is found, the project is associated with the existing User Record as the PI. Any information from the proposal is used to update the information in the User Record. <The content, schema, format and availability of the User Record is not clear to me>
Step 3.b.2) If a match is not found, a new User Record is created and linked to the project as PI.
Step 3.c) The association between project number and user record is sent by AMIE to each RP site for provisioning.
- Initiator: Allocations group
- Involved Parties: PI, allocations group
- Result: A TeraGrid project with the awarded allocation associated
- Result holder: TeraGrid Accounting staff
Step 4: Authorizing Users on a Project
Step 4.a) The PI or a designate completes a TG Add User Form transaction for each additional user to be part of the project. The transaction sends an e-mail to the NCSA Allocations e-mail alias. An NCSA allocation group member disburses requests to an allocation group member at PSC or SDSC via the ticket system if required. The allocations group vets requests and adds them to the NCSA DB if not already there.
Step 4.b.1) For all resources/services for which a match is found, no account creation request is issued.
Step 4.b.2) For all resources/services for which a match is not found, an account creation request is issued to the service/resource provider. A confirmation e-mail is sent by the allocation group to the user and PI letting them know that a form will be sent in five days. Five days later, a form is sent to the user with the default PW that each site sent via e-mail to the allocations group. This is done by the NCSA admin at NCSA, and by another person at each of the other sites.
Step 4.c) Service/resource providers return the local account information for the accounts created to the TGCDB. Each project has a record in the NCSA DB, and each project has a list of people that are on the project. Changes to NCSA DB are pushed out to systems by a script (valdeval) several times a day.
Step 4.d) The User Record (and/or Project Record) in the TGCDB is updated with the local account information. The TGCDB is updated by AMIE once a day.
<It is not clear to me whether this includes ALL information (including passwords) or whether there are subsequent steps for other pieces of information. This is perhaps documented in the AMIE protocols somewhere.>
- Initiator: TeraGrid allocations group
- Involved Parties: PI, allocations group, TG accounting staff
- Result: The current set of provisioning information is associated with the project in TGCDB.
- Result holder: TG accounting group
Step 5: The authorized services are enabled.
Step 5.a) The relevant User Record and authorizations are sent to the appropriate set of service providers by AMIE.
< I do not understand in detail how this is done. >
Step 5.a) User Portal account is enabled.
Step 5.b) Compute Services are made available when the "valdeval" script runs at NCSA, and similar scripts run at the other RP sites. The scripts transfer required account information from the NCSA DB to the systems that will be running researchers' jobs.
Step 5.c) Storage Services - Varies by site. At SDSC and NCSA, anyone who receives a TG account also receives a storage account.
- Initiator: TG allocations group
- Involved Parties: allocations group, end user, service and RP admins
- Result: A set of provisioned services ready for end-user access
- Result holder: TeraGrid Service Providers
Step 6: The "welcome packet" for the user is generated and sent.
Step 6.a) The passwords to be sent to the user are collected and printed five days after initial account creation.
Step 6.b) The new user introductory materials are printed.
Step 6.c) The packet is sent to the PI for distribution to the end user.
Step 6.d) The PI sends the packet to the user.
- Initiator: TG allocations group
- Involved Parties: PI, allocations group, end user, documentation staff (new user info), RP admins
- Result: A packet of user account information
- Result holder: End user
Step 7: Begin Accounting
Once authorization procedures have been completed, the users can access TeraGrid resources and the accounting process takes over.
Extra info from another Wiki Page
This info needs to be merged with the steps above.
When a POPS proposal is reviewed and awarded, the award amounts are entered into POPS, then the central allocations staff at NCSA begins the process of setting up the allocation on TeraGrid resources. An NCSA allocations group member enters the allocations into an NCSA database for all TG resources. The NCSA database feeds the information to the TGCDB which triggers notifications to the other sites.
As needed, the award either creates a new project in the TGCDB or creates a renewal allocation on an existing project. For a new award, a match is searched for between the PI information from this proposal and the set of previously known TeraGrid users. The NCSA allocation group member checks against data already in the NCSA database. They may also have to check information on the web or send an e-mail to the proposer. This is a manual process. If a match is found, the project is associated with the existing person. Information from the proposal is used to update the information in the User Record. If a match is not found, a new User Record is created and linked to the project as PI.
The association between project number, PI, resource, and allocation amount is sent from TGCDB via AMIE packets to each relevant RP site for provisioning. For new PIs, this will include establishing logins on the relevant resources.
(The central allocations staff also initiates requests to add supplements to or make advances on allocations, make transfers between resources and extend the end dates of allocations upon PI requests initiated via POPS or via email. These requests are sent from NCSA to the TGCDB which in turn relays the requests to RPs.)
A similar procedure is followed by the allocations staff for any co-PIs in the POPS proposal.
Other users are added to projects via the Add User form in the TeraGrid User Portal. (The form can also be used to remove a user from a project.) The TGUP form emails a request to the allocations staff, who process it in much the same way as with PIs and co-PIs.
When a request to create a new person/login is initiated, NCSA creates the user's TeraGrid-wide (portal) login and password. The allocation staff waits five business days to hear from all other RPs to which login requests were sent for the user. The RPs send back the local username and password (if applicable) via encrypted email. The NCSA allocation staff assembles the New User Packet for postal mail, which includes the TeraGrid User Responsibility Form. Policy related to this form is at this Wiki page.