diff --git a/docs/data_management/lts/images/top-level-lts-permissions.png b/docs/data_management/lts/images/top-level-lts-permissions.png new file mode 100644 index 00000000..fc2b281f Binary files /dev/null and b/docs/data_management/lts/images/top-level-lts-permissions.png differ diff --git a/docs/data_management/lts/top_level_lts_permission.md b/docs/data_management/lts/top_level_lts_permission.md new file mode 100644 index 00000000..3714384d --- /dev/null +++ b/docs/data_management/lts/top_level_lts_permission.md 
@@ -0,0 +1,51 @@ + +# A Model for Top-level LTS Permissions + +Understanding top-level access rights for Long-Term Storage (LTS) spaces is essential for effective data management and security. This section aims to clarify common misconceptions regarding access rights and provide a model for navigating these complexities. It will outline the relationships between allocations and keys, as well as the responsibilities of stewards who manage these permissions. By understanding these concepts, we can enhance our ability to protect sensitive data and create an efficient data management environment. + +## Key Components + +- **Allocation**: An allocation represents a designated storage space with a unique name. +Attributes: +Name: Identifies the allocation. +Keys: Associated with the allocation, providing access control. +- **Keys**: Keys are the credentials that grant access to an allocation. There are two types of keys: + + - Access Key: The public identifier used to access the allocation, similar to a username. + - Secret Key: The private password-like credential that must be kept confidential. + +Each pair of keys (access + secret) should only be known by one person. This is critical for maintaining security and preventing unauthorized access. + +- **Stewards**: Stewards are individuals responsible for managing an allocation. Stewards need a full access key pair to perform tasks like creating, deleting, and maintaining buckets. Each steward must maintain separate key pairs for their allocations and any lab/Core allocations they manage. + +## Adding a Steward to a Lab/Core Allocation + +In LTS, lab members can be granted access via [policy](policies.md). However, policies do not provide permissions to perform the following actions: + +- Create buckets +- Delete buckets +- Rename buckets + +To perform these actions, a steward must be assigned full access and provided with a complete set of access and secret keys for the allocation. 
When a steward is added to a lab/Core allocation, they receive full access keys to manage the allocation's buckets, including the ability to create, delete, rename, and maintain them, with a unique key set specific to that allocation. + +To better understand top-level LTS permissions, the relationships between allocations, keys, the steward role and access rights can be visualized as follows. + +![generic model for top-level LTS Permissions](./images/top-level-lts-permissions.png) + +### Understanding Permissions and Responsibilities + +**Steward Responsibilities**: + +- Stewards can create, delete, and manage buckets but must maintain the secrecy of their secret keys. +- Understanding which key pairs correspond to which allocations is crucial for effective management. + +**Key Handling, Distribution and Ownership**: + +- Stewards will have distinct key pairs for: + - Individual Allocation: Specific to the steward’s personal allocation. + - Lab/Core Allocations: Unique key pairs for each lab/Core allocation they manage. +- Keys should be treated as sensitive information. Only one individual should know a key pair. +- Each key pair corresponds to a specific allocation, ensuring that access rights are clearly defined. +- Mismanagement of keys can lead to unauthorized access and potential data loss. + +It is the responsibility of the steward to manage multiple key pairs, ensuring that they use the correct pair for each allocation and keeping all secret keys. diff --git a/mkdocs.yml b/mkdocs.yml index 53b1ac8e..fb2dbe11 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -3,186 +3,187 @@ repo_url: https://github.com/uabrc/uabrc.github.io/ edit_uri: edit/main/docs/ theme: - name: material - search_index_only: true - custom_dir: theme - language: en - features: - - navigation.indexes - - navigation.instant - - content.code.copy - favicon: images/favicon.png - logo: images/logo.png + name: material + search_index_only: true + custom_dir: theme + language: en + features: + - navigation.indexes + - navigation.instant + - content.code.copy + favicon: images/favicon.png + logo: images/logo.png extra_css: - - stylesheets/extra.css + - stylesheets/extra.css extra_javascript: - - javascripts/mathjax.js - - https://polyfill.io/v3/polyfill.min.js?features=es6 - - https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js + - javascripts/mathjax.js + - https://polyfill.io/v3/polyfill.min.js?features=es6 + - https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js copyright: Copyright © 2021-2024 The University of Alabama at Birmingham.
Still stuck after reading? Email us at support@listserv.uab.edu markdown_extensions: - - admonition - - attr_list - - md_in_html - - pymdownx.arithmatex: - generic: true - - pymdownx.details - - pymdownx.highlight: - anchor_linenums: true - - pymdownx.keys - - pymdownx.superfences - - tables - - toc: - permalink: true + - admonition + - attr_list + - md_in_html + - pymdownx.arithmatex: + generic: true + - pymdownx.details + - pymdownx.highlight: + anchor_linenums: true + - pymdownx.keys + - pymdownx.superfences + - tables + - toc: + permalink: true plugins: - - search - - table-reader: - data_path: docs - - git-revision-date-localized: - type: date - strict: false - - glightbox: - # auto_caption: true - - redirects: - redirect_maps: - account_management/gitlab_researcher.md: account_management/gitlab_account.md - account_management/uab_researcher.md: account_management/cheaha_account.md - account_management/xias_guest.md: account_management/xias/guest_instructions.md - account_management/xias_sites.md: account_management/xias/pi_site_management.md - account_management/xias_users.md: account_management/xias/pi_guest_management.md - cheaha/conda.md: cheaha/software/software.md#anaconda-on-cheaha - cheaha/lmod.md: cheaha/software/modules.md - cheaha/slurm/sbatch_usage.md: cheaha/slurm/submitting_jobs.md - contributor_guide.md: contributing/contributor_guide.md - data_management/LTS/lts.md: data_management/lts/index.md - data_management/LTS/sharing.md: data_management/lts/policies.md - data_management/lts/lts.md: data_management/lts/index.md - data_management/lts/sharing.md: data_management/lts/policies.md - environment_management/anaconda_environments.md: workflow_solutions/using_anaconda.md - environment_management/containers.md: workflow_solutions/getting_containers.md - environment_management/git.md: workflow_solutions/git_collaboration.md - uab_cloud/cloud_remote_access.md: uab_cloud/remote_access.md - uab_cloud/instance_setup_basic.md: 
uab_cloud/tutorial/instances.md - uab_cloud/introduction.md: uab_cloud/index.md - uab_cloud/network_setup_basic.md: uab_cloud/tutorial/networks.md - uab_cloud/security_setup_basic.md: uab_cloud/tutorial/security.md - uab_cloud/volume_setup_basic.md: uab_cloud/tutorial/volumes.md - welcome/rc_days.md: education/research_computing_days/index.md - welcome/welcome.md: index.md - workflow_solutions/getting_software_with_git.md: workflow_solutions/git_collaboration.md - cheaha/open_ondemand/ood_main.md: cheaha/open_ondemand/ood_layout.md - cheaha/open_ondemand/ood_files.md: cheaha/open_ondemand/ood_layout.md - cheaha/open_ondemand/ood_jobs.md: cheaha/open_ondemand/ood_layout.md - cheaha/open_ondemand/ood_interactive.md: cheaha/open_ondemand/index.md + - search + - table-reader: + data_path: docs + - git-revision-date-localized: + type: date + strict: false + - glightbox: + # auto_caption: true + - redirects: + redirect_maps: + account_management/gitlab_researcher.md: account_management/gitlab_account.md + account_management/uab_researcher.md: account_management/cheaha_account.md + account_management/xias_guest.md: account_management/xias/guest_instructions.md + account_management/xias_sites.md: account_management/xias/pi_site_management.md + account_management/xias_users.md: account_management/xias/pi_guest_management.md + cheaha/conda.md: cheaha/software/software.md#anaconda-on-cheaha + cheaha/lmod.md: cheaha/software/modules.md + cheaha/slurm/sbatch_usage.md: cheaha/slurm/submitting_jobs.md + contributor_guide.md: contributing/contributor_guide.md + data_management/LTS/lts.md: data_management/lts/index.md + data_management/LTS/sharing.md: data_management/lts/policies.md + data_management/lts/lts.md: data_management/lts/index.md + data_management/lts/sharing.md: data_management/lts/policies.md + environment_management/anaconda_environments.md: workflow_solutions/using_anaconda.md + environment_management/containers.md: workflow_solutions/getting_containers.md + 
environment_management/git.md: workflow_solutions/git_collaboration.md + uab_cloud/cloud_remote_access.md: uab_cloud/remote_access.md + uab_cloud/instance_setup_basic.md: uab_cloud/tutorial/instances.md + uab_cloud/introduction.md: uab_cloud/index.md + uab_cloud/network_setup_basic.md: uab_cloud/tutorial/networks.md + uab_cloud/security_setup_basic.md: uab_cloud/tutorial/security.md + uab_cloud/volume_setup_basic.md: uab_cloud/tutorial/volumes.md + welcome/rc_days.md: education/research_computing_days/index.md + welcome/welcome.md: index.md + workflow_solutions/getting_software_with_git.md: workflow_solutions/git_collaboration.md + cheaha/open_ondemand/ood_main.md: cheaha/open_ondemand/ood_layout.md + cheaha/open_ondemand/ood_files.md: cheaha/open_ondemand/ood_layout.md + cheaha/open_ondemand/ood_jobs.md: cheaha/open_ondemand/ood_layout.md + cheaha/open_ondemand/ood_interactive.md: cheaha/open_ondemand/index.md nav: - - Home: index.md - - Account Management: - - account_management/index.md - - Cheaha Account: account_management/cheaha_account.md - - External Collaborator Accounts (XIAS): - - account_management/xias/index.md - - "For PIs - (1) Managing Projects & Sites": account_management/xias/pi_site_management.md - - "For PIs - (2) Managing Guests": account_management/xias/pi_guest_management.md - - "For Guests - Account Creation": account_management/xias/guest_instructions.md - - Gitlab Account: account_management/gitlab_account.md - - Data Management: - - Cheaha Storage: data_management/storage.md - - Storage Alternatives: data_management/alternate_storage.md - - Long Term Storage: - - data_management/lts/index.md - - Tutorial: - - data_management/lts/tutorial/index.md - - LTS and s3cmd Workflow: data_management/lts/tutorial/individual_lts_tutorial.md - - Interfacing with LTS: data_management/lts/interfaces.md - - Bucket Permissions: data_management/lts/policies.md - - UAB Core Accounts: data_management/lts/lts_cores.md - - FAQ: data_management/lts/lts_faq.md - 
- Transfer: - - Globus: data_management/transfer/globus.md - - RClone: data_management/transfer/rclone.md - - FileZilla: data_management/transfer/filezilla.md - - Code Storage: data_management/code_storage.md - - Workflow Solutions: - - Using the Shell: workflow_solutions/shell.md - - Using Anaconda: workflow_solutions/using_anaconda.md - - Using Workflow Managers: workflow_solutions/using_workflow_managers.md - - Using Git: workflow_solutions/git.md - - R Projects and Environments: workflow_solutions/r_environments.md - - Software Containers: workflow_solutions/getting_containers.md - - Software Collaboration with GitHub and GitLab: workflow_solutions/git_collaboration.md - - Cheaha Guide: - - Getting Started: cheaha/getting_started.md - - Tutorials: - - cheaha/tutorial/index.md - - Anaconda Environment Tutorial: cheaha/tutorial/pytorch_tensorflow.md - - Cheaha Web Portal: - - cheaha/open_ondemand/index.md - - Using the Web Portal: cheaha/open_ondemand/ood_layout.md - - HPC Desktop: cheaha/open_ondemand/hpc_desktop.md - - Jupyter: cheaha/open_ondemand/ood_jupyter.md - - RStudio: cheaha/open_ondemand/ood_rstudio.md - - MATLAB: cheaha/open_ondemand/ood_matlab.md - - Hardware: cheaha/hardware.md - - Software: - - Pre-installed Modules: cheaha/software/modules.md - - Self-Installed Software: cheaha/software/software.md - - SLURM: - - Introduction: cheaha/slurm/introduction.md - - Slurm Tutorial: cheaha/slurm/slurm_tutorial.md - - Submitting Jobs: cheaha/slurm/submitting_jobs.md - - Practical Batch Array Jobs: cheaha/slurm/practical_sbatch.md - - Managing Jobs: cheaha/slurm/job_management.md - - GPUs: cheaha/slurm/gpu.md - - Job Efficiency: cheaha/job_efficiency.md - - UAB Cloud (cloud.rc) Guide: - - uab_cloud/index.md - - Tutorial: - - uab_cloud/tutorial/index.md - - (1) Networks: uab_cloud/tutorial/networks.md - - (2) Security Policies: uab_cloud/tutorial/security.md - - (3) Instances: uab_cloud/tutorial/instances.md - - (4) Volumes (optional): 
uab_cloud/tutorial/volumes.md - - Remote Access: uab_cloud/remote_access.md - - Installing Software: uab_cloud/installing_software.md - - Snapshots and Images: uab_cloud/snapshots.md - - Sharing Cloud Environment: uab_cloud/sharing_cloud_environment.md - - UAB Kubernetes Guide: - - Startup: kubernetes/startup.md - - National Research Computing Cyberinfrastructure: - - national_ci/index.md - - The Open Science Grid: national_ci/osg.md - - NSF Cyberinfrastructure: national_ci/nsf_access.md - - NIH Cyberinfrastructure: national_ci/nih.md - - Grants & Contracts: - - RC Facilities Description: grants/facilities.md - - Acknowlding Us in Publications: grants/publications.md - - Funding Opportunities: grants/opportunities.md - - Outreach & Training: - - Case Studies: education/case_studies.md - - Research Computing Days: - - education/research_computing_days/index.md - - Offered Courses: education/courses.md - - Training Resources: education/training_resources.md - - Policies: policies.md - - Reporting Documentation Errors: contributing/reporting_errors.md - - Contributing Content: contributing/contributor_guide.md - - Help: - - Support: help/support.md - - FAQ - Frequently Asked Questions: help/faq.md + - Home: index.md + - Account Management: + - account_management/index.md + - Cheaha Account: account_management/cheaha_account.md + - External Collaborator Accounts (XIAS): + - account_management/xias/index.md + - "For PIs - (1) Managing Projects & Sites": account_management/xias/pi_site_management.md + - "For PIs - (2) Managing Guests": account_management/xias/pi_guest_management.md + - "For Guests - Account Creation": account_management/xias/guest_instructions.md + - Gitlab Account: account_management/gitlab_account.md + - Data Management: + - Cheaha Storage: data_management/storage.md + - Storage Alternatives: data_management/alternate_storage.md + - Long Term Storage: + - data_management/lts/index.md + - Tutorial: + - data_management/lts/tutorial/index.md + - LTS and 
s3cmd Workflow: data_management/lts/tutorial/individual_lts_tutorial.md + - Interfacing with LTS: data_management/lts/interfaces.md + - Bucket Permissions: data_management/lts/policies.md + - UAB Core Accounts: data_management/lts/lts_cores.md + - Top-level LTS Permissions: data_management/lts/top_level_lts_permission.md + - FAQ: data_management/lts/lts_faq.md + - Transfer: + - Globus: data_management/transfer/globus.md + - RClone: data_management/transfer/rclone.md + - FileZilla: data_management/transfer/filezilla.md + - Code Storage: data_management/code_storage.md + - Workflow Solutions: + - Using the Shell: workflow_solutions/shell.md + - Using Anaconda: workflow_solutions/using_anaconda.md + - Using Workflow Managers: workflow_solutions/using_workflow_managers.md + - Using Git: workflow_solutions/git.md + - R Projects and Environments: workflow_solutions/r_environments.md + - Software Containers: workflow_solutions/getting_containers.md + - Software Collaboration with GitHub and GitLab: workflow_solutions/git_collaboration.md + - Cheaha Guide: + - Getting Started: cheaha/getting_started.md + - Tutorials: + - cheaha/tutorial/index.md + - Anaconda Environment Tutorial: cheaha/tutorial/pytorch_tensorflow.md + - Cheaha Web Portal: + - cheaha/open_ondemand/index.md + - Using the Web Portal: cheaha/open_ondemand/ood_layout.md + - HPC Desktop: cheaha/open_ondemand/hpc_desktop.md + - Jupyter: cheaha/open_ondemand/ood_jupyter.md + - RStudio: cheaha/open_ondemand/ood_rstudio.md + - MATLAB: cheaha/open_ondemand/ood_matlab.md + - Hardware: cheaha/hardware.md + - Software: + - Pre-installed Modules: cheaha/software/modules.md + - Self-Installed Software: cheaha/software/software.md + - SLURM: + - Introduction: cheaha/slurm/introduction.md + - Slurm Tutorial: cheaha/slurm/slurm_tutorial.md + - Submitting Jobs: cheaha/slurm/submitting_jobs.md + - Practical Batch Array Jobs: cheaha/slurm/practical_sbatch.md + - Managing Jobs: cheaha/slurm/job_management.md + - GPUs: 
cheaha/slurm/gpu.md + - Job Efficiency: cheaha/job_efficiency.md + - UAB Cloud (cloud.rc) Guide: + - uab_cloud/index.md + - Tutorial: + - uab_cloud/tutorial/index.md + - (1) Networks: uab_cloud/tutorial/networks.md + - (2) Security Policies: uab_cloud/tutorial/security.md + - (3) Instances: uab_cloud/tutorial/instances.md + - (4) Volumes (optional): uab_cloud/tutorial/volumes.md + - Remote Access: uab_cloud/remote_access.md + - Installing Software: uab_cloud/installing_software.md + - Snapshots and Images: uab_cloud/snapshots.md + - Sharing Cloud Environment: uab_cloud/sharing_cloud_environment.md + - UAB Kubernetes Guide: + - Startup: kubernetes/startup.md + - National Research Computing Cyberinfrastructure: + - national_ci/index.md + - The Open Science Grid: national_ci/osg.md + - NSF Cyberinfrastructure: national_ci/nsf_access.md + - NIH Cyberinfrastructure: national_ci/nih.md + - Grants & Contracts: + - RC Facilities Description: grants/facilities.md + - Acknowlding Us in Publications: grants/publications.md + - Funding Opportunities: grants/opportunities.md + - Outreach & Training: + - Case Studies: education/case_studies.md + - Research Computing Days: + - education/research_computing_days/index.md + - Offered Courses: education/courses.md + - Training Resources: education/training_resources.md + - Policies: policies.md + - Reporting Documentation Errors: contributing/reporting_errors.md + - Contributing Content: contributing/contributor_guide.md + - Help: + - Support: help/support.md + - FAQ - Frequently Asked Questions: help/faq.md validation: - nav: - omitted_files: warn - not_found: warn - absolute_links: warn - links: - not_found: warn - anchors: warn - absolute_links: warn - unrecognized_links: warn + nav: + omitted_files: warn + not_found: warn + absolute_links: warn + links: + not_found: warn + anchors: warn + absolute_links: warn + unrecognized_links: warn
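Review bot: in `top_level_lts_permission.md` the rule "Each pair of keys (access + secret) should only be known by one person" is at odds with the later "When a steward is added to a lab/Core allocation, they receive full access keys to manage the allocation's buckets", which does not say whether a second steward of the same allocation gets their own key pair or a copy of the existing one. Please state explicitly that each steward is issued a distinct key pair for the allocation, so that one steward leaving or exposing a secret can be handled by revoking that one pair without disrupting the others; the model diagram and the "Key Handling, Distribution and Ownership" list should say the same. The page also stops short on the two things a steward most needs to know operationally: how to request revocation and re-issue of a key pair when a steward leaves or a secret key is leaked, and how not to handle the secret (no committing an `.s3cfg` or rclone config to git, no pasting into tickets or chat), since "Mismanagement of keys can lead to unauthorized access and potential data loss" is the only guidance given. Two smaller points: the closing sentence "ensuring that they use the correct pair for each allocation and keeping all secret keys." is cut off and presumably meant "keeping all secret keys confidential"; and under the `Allocation` bullet the lines `Attributes:`, `Name: Identifies the allocation.` and `Keys: Associated with the allocation, providing access control.` are not indented as a nested list, so they will render as one run-on paragraph rather than sub-items. Finally, "Rename buckets" is listed as a steward action; if LTS has no native rename and this is done by creating a new bucket, copying, and deleting the old one, say so, because that sequence needs the create and delete rights this section is describing.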
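Review bot: this hunk re-indents the whole of `mkdocs.yml` from two to four spaces while the only functional change is the one added nav line `- Top-level LTS Permissions: data_management/lts/top_level_lts_permission.md`; please split the whitespace reformat into its own commit so reviewers and `git blame` can see the real change. Since the hunk re-touches the `extra_javascript` block anyway, this is the moment to drop `- https://polyfill.io/v3/polyfill.min.js?features=es6`: the polyfill.io domain changed hands in 2024 and was subsequently observed serving malicious JavaScript to visitors, so every page of this site currently loads third-party code from a domain that has already been abused as a supply-chain vector, and MathJax 3 does not need an ES6 polyfill on any browser this site supports. For the remaining `https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js` entry, prefer vendoring the file under `docs/javascripts/` alongside the existing `javascripts/mathjax.js`, or at least pin an exact version rather than the floating `mathjax@3`. While the nav is being edited, the label `Acknowlding Us in Publications` carries a typo (`Acknowledging`) that survives unchanged on both the `-` and `+` lines.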