Overview
FABRIC is open for use to a broad crossection of the researcher community. The resources offered by FABRIC to the experimenters are unique and powerful and require a system of controls to ensure no misuse occurs, and resources are used by the community fairly both for education and research. In order to address this problem FABRIC relies on two mechanisms that work in concert with each other:
- Per-project permissions
- Experimenter roles
The smallest granularity of control in FABRIC is a project. Each experimenter belongs to one or more projects and the permissions granted to the project by FABRIC staff determine what the members of the project can do with respect to FABRIC resources.
All members of the same project have identical rights with respect to access to FABRIC resources. Users that do not belong to any projects have no rights with respect to using FABRIC resources – they cannot create slices.
When creating slices on FABRIC experimenters must identify which project they are using – the permissions of that project determine what resources can be added to the slice.
Projects are created by experimenters granted the role of a Project Lead. Once the project is created it can be assigned one or more additional Project Owners (the Project Lead who created the project automatically becomes the first owner). Project Lead and Project Owners control the membership of the project – can add and remove Project Members to/from the project. Project Members have no special rights to manage projects, but they inherit the permissions granted to their project to use FABRIC resources.
Changing roles: Becoming Project Lead or Project Owner and creating projects
The role of the Project Lead can only be granted to an experimenter who has successfully enrolled in the FABRIC Portal (see Quick Start Guide for more information).
Becoming a Project Lead is an important responsibility, not granted automatically. There is a human-in-the-loop review process for each Project Lead request. Please read the Project Lead Policy to make sure you qualify.
To become a Project Lead, navigate to the User Profile tab in FABRIC menu, click on My Roles and Projects and then click ‘Request to be Project Lead’ button as shown in example image below:
This will lead you to a Project Lead Request form in the FABRIC Help Portal. Please fill in the appropriate fields, especially paying attention to the email address you supply in the form – it must be the same email you used to sign up to the FABRIC Portal. If FABRIC Staff have any questions about your request you will receive them in the form of an email at the address you indicate in the form:
You will be notified by email of the decision. If your request is granted you will see a green check mark in the Global Roles section of your Profile next to the Project Lead permission.
A Project Lead can create new projects by clicking on ‘Create Project’ button in the Projects section of the Portal, as shown:
You become a Project Owner, when another Project Owner (could be the Project Lead that created the project) adds you as an owner to their project. Project Owners (and regular Project Members) can be added to the project at the time of its creation as shown or they can be added later by visiting the list of projects.
Only those already enrolled in the FABRIC portal can be added to the project as owners or members. Note this includes following through with the entire enrollment workflow which includes logging into the portal for the first time once the enrollment has been approved.
Be sure to add meaningful information to the project description, as these will be searchable in the portal by default to make it easier for experimenters to join projects they need.
As mentioned above, a Project Owner can add and remove regular Project Members to and from the project. See Quick Start Guide for more information on proceeding from this point.
Project permissions
When a project is created initially, it has very limited rights to FABRIC resources: its members can create slices only with small Virtual Machines that have no specialized components and can only span one site.
To gain additional rights, project tags must be added to the project by FABRIC staff at the request of one of the owners. Each tag unlocks a particular feature of the testbed. Adding permission tags to a project is deliberately a manual process with human-in-the-loop review.
If you try to create a slice that is attempting to use resources or features to which your selected project hasn’t been granted permissions, you will get an error back from the Control Framework indicating with project tag needs to be added to your project for this slice request to succeed.
The table below demonstrates the various tags and the rights they confer:
| Project Tag | Description of rights |
| VM.NoLimitCPU | Allows to create VMs with more than 2 CPU cores |
| VM.NoLimitRAM | Allows to create VMs with more than 10 GB of RAM |
| VM.NoLimitDisk | Allows to create VMs with more than 10 GB of disk |
| VM.NoLimit | VM.NoLimitCPU | VM.NoLimitRAM | VM.NoLimitDisk |
| Component.GPU | Allows to provision and attach GPU components |
| Component.FPGA | Allows to provision and attach FPGA components |
| Component.SmartNIC | Allows to provision and attach 25G and 100G dedicated SmartNIC components |
| Component.Storage | Allows to create and attach persistent rotating storage |
| Component.NVME | Allows to provision and attach NVME components |
| Net.NoLimitBW | Allows to provision links over 10 Gbps |
| Net.FABNetv4Ext | Allows to create slices with public IPv4 connectivity |
| Net.FABNetv6Ext | Allows to create slices with public IPv6 connectivity |
| Net.PortMirroring | Allows to create slices that include port mirroring |
| Slice.Multisite | Allows to create slices spanning multiple sites |
| Slice.NoLimitLifetime | Allows to create slices with a lifetime up to 6 months without renewal. |
In addition, there are project tags supporting the use of Facility Ports, with each facility port requiring its own unique tag to be used. They have the form of Net.FacilityPort.XYZ where XYZ is the name of the facility port. There is also a Net.AllFacilityPorts tag that allows the use of any Facility Port by the project.
Project permissions can be requested from the project information page in FABRIC portal by Project Owners.
Managing projects in the real world
This section’s target audience are Project Leads and Project Owners and it covers some DOs and DONTs and best practices in managing your FABRIC projects.
Managing FABRIC projects and their permissions may seem daunting, however it’s crucial to recognize that along with the privilege of creating and managing projects on FABRIC, there also comes the accountability for the actions of everyone involved in those projects. If you or any members of your projects engage in malicious misuse of resources in FABRIC, both you and them may face permanent loss of access to the platform.
So DO:
- Request new permissions for your projects judiciously. Evaluate who you think the members of the specific project will be and how much confidence you have in their ability to use the testbed and the requested features appropriately
- Create new projects with different levels of permissions as necessary for different groups of your experimenters – it is very cheap
and DON’T:
- Don’t bundle together experimenters of vastly different levels of experience and goals into the same project – create separate projects and request different levels of permissions for them to minimize the risk
- Don’t keep experimenters as members of your projects if you have lost touch or no longer feel responsible for them – remove them from the projects promptly
- Don’t create and manage projects on behalf of someone else – remember, you are responsible for the behavior of the experimenters you add to projects. Do not add to projects people you are not personally familiar with.
Some examples of the situations to which the DOs and DONTs may apply: