1. Home
  2. Managing Projects and Users
  3. FABRIC User Roles and Project Permissions

FABRIC User Roles and Project Permissions

Overview

FABRIC is open for use to a broad crossection of the researcher community. The resources offered by FABRIC to the experimenters are unique and powerful and require a system of controls to ensure no misuse occurs, and resources are used by the community fairly both for education and research. In order to address this problem FABRIC relies on two mechanisms that work in concert with each other:

  1. Per-project permissions
  2. Experimenter roles

The smallest granularity of control in FABRIC is a project. Each experimenter belongs to one or more projects and the permissions granted to the project by FABRIC staff determine what the members of the project can do with respect to FABRIC resources.

All members of the same project have identical rights with respect to access to FABRIC resources. Users that do not belong to any projects have no rights with respect to using FABRIC resources – they cannot create slices.

When creating slices on FABRIC experimenters must identify which project they are using – the permissions of that project determine what resources can be added to the slice.

Projects are created by experimenters granted the role of a Project Lead. Once the project is created it can be assigned one or more additional Project Owners (the Project Lead who created the project automatically becomes the first owner). Project Lead and Project Owners control the membership of the project – can add and remove Project Members to/from the project. Project Members have no special rights to manage projects, but they inherit the permissions granted to their project to use FABRIC resources.

Changing roles: Becoming Project Lead or Project Owner and creating projects

The role of the Project Lead can only be granted to an experimenter who has successfully enrolled in the FABRIC Portal (see Quick Start Guide for more information).

To become a Project Lead, navigate to the User Profile tab in FABRIC menu, click on My Roles and Projects and then click ‘Request to be Project Lead’ button as shown in example image below:

A popup with a stern message reproduced below will be shown:

Project Lead message (click to expand)

Clicking on ‘Request’ button will walk you through an enrollment workflow. The workflow will walk you through additional questions and will submit your request for human-in-the-loop verification. You will be notified by email of the decision. If your request is granted you will see a green check mark in the Global Roles section of your Profile.

A Project Lead can create new projects by clicking on ‘Create Project’ button in the Projects section of the Portal, as shown:

You become a Project Owner, when another Project Owner (could be the Project Lead that created the project) adds you as an owner to their project. Project Owners (and regular Project Members) can be added to the project at the time of its creation as shown or they can be added later by visiting the list of projects.

Only those already enrolled in the FABRIC portal can be added to the project as owners or members. Note this includes following through with the entire enrollment workflow which includes logging into the portal for the first time once the enrollment has been approved.

Be sure to add meaningful information to the project description, as these will be searchable in the portal by default to make it easier for experimenters to join projects they need.

As mentioned above, a Project Owner can add and remove regular Project Members to and from the project. See Quick Start Guide for more information on proceeding from this point.

Project permissions

When a project is created initially, it has very limited rights to FABRIC resources: its members can create slices only with small Virtual Machines that have no specialized components and can only span one site.

To gain additional rights, project tags must be added to the project by FABRIC staff at the request of one of the owners. Each tag unlocks a particular feature of the testbed. Adding permission tags to a project is deliberately a manual process with human-in-the-loop review.

If you try to create a slice that is attempting to use resources or features to which your selected project hasn’t been granted permissions, you will get an error back from the Control Framework indicating with project tag needs to be added to your project for this slice request to succeed.

The table below demonstrates the various tags and the rights they confer:

Project Tag Description of rights
VM.NoLimitCPU Allows to create VMs with more than 2 CPU cores
VM.NoLimitRAM Allows to create VMs with more than 10 GB of RAM
VM.NoLimitDisk Allows to create VMs with more than 10 GB of disk
VM.NoLimit VM.NoLimitCPU | VM.NoLimitRAM | VM.NoLimitDisk
Component.GPU Allows to provision and attach GPU components
Component.FPGA Allows to provision and attach FPGA components
Component.SmartNIC Allows to provision and attach 25G and 100G dedicated SmartNIC components
Component.Storage Allows to create and attach rotating storage
Component.NVME Allows to provision and attach NVME components
Net.NoLimitBW Allows to provision links over 10 Gbps
Net.Peering Allows to create slices with public peering
Net.PortMirroring Allows to create slices that include port mirroring
Slice.Multisite Allows to create slices spanning multiple sites
Slice.Measurements Allows to provision measurement VMs
Slice.NoLimitLifetime Allows to create slices with a lifetime beyond default 2 weeks without the need to renew
FABRIC Project Tags

In addition, there are project tags supporting the use of Facility Ports, with each facility port requiring its own unique tag to be used. They have the form of Net.FacilityPort.XYZ where XYZ is the name of the facility port. There is also a Net.AllFacilityPorts tag that allows the use of any Facility Port by the project.

Managing projects in the real world

This section’s target audience are Project Leads and Project Owners and it covers some DOs and DONTs and best practices in managing your FABRIC projects.

Managing FABRIC projects and their permissions may seem a bit daunting, however you must remember that with the right to create and manage projects on FABRIC comes the responsibility for everyone in those projects for what they do on FABRIC. In the case of malicious misuse of resources by you or members of your projects you and them may lose your access to FABRIC permanently!

So DO:

  1. Request new permissions for your projects judiciously. Evaluate who you think the members of the specific project will be and how much confidence you have in their ability to use the testbed and the requested features appropriately
  2. Create new projects with different levels of permissions as necessary for different groups of your experimenters – it is very cheap

and DON’T:

  1. Bundle together experimenters of vastly different levels of experience and goals into the same project – create separate projects and request different levels of permissions for them to minimize the risk
  2. Keep experimenters as members of your projects if you have lost touch or no longer feel responsible for them – remove them from the projects promptly

Some examples of the situations to which the DOs and DONTs may apply:

You have a complex project that may require a lot of resources from FABRIC. You have a group of inexperienced graduate/undergraduate students and a few experienced post-docs and graduate students working on it. You are tempted to use a single project for everything. Don’t. The best scenario is to create two projects in FABRIC – one for the students with reduced permissions where they can do their assigned work, another for the postdocs with the full set of resources needed to conduct their research.

Remember you can always assign experimenters to multiple projects – if a student proves their ability to work responsibly you can later assign them to the project with more permissions.

You have a research project and you are teaching a class. You already have a project in FABRIC for the research tasks and it has all the permissions (and then some) to teach the class. Don’t be tempted to reuse it. Create a new project with the appropriate set of permissions and add your class students to that project.

You taught a class using a project intentionally created for this class. One semester has ended, another one has begun. Be sure to remove all the students that have finished your class. Don’t leave them with privileges on the testbed beyond the time they actually need to use the testbed. If you have a TA or an RA, give them Project Owner permissions and have them maintain proper membership.

Updated on July 11, 2022

Was this article helpful?

Related Articles

Need Help?
Can't find the answer you're looking for? Search and ask questions in the forum!
Go to FORUM

Leave a Comment