Roles in Cumin scope activities and content in the UI. There are currently two roles defined in Cumin,
admin role is a superset of the
user role, and every new account has the
user role by default.
Differences in the Roles
admin role allows a user to see various charts, graphs, and statistics related to performance of the Condor pool. An admin can also see information about Condor infrastructure components such as schedulers and negotiators and can run certain pool management commands. Admins are free to manage any job running in the pool regardless of who owns the job, but can also switch to the
user view for the admin account.
user role allows a user to create and manage their own submissions. They do not have visibility to jobs owned by other users, performance metrics, or pool management commands.
Enabling Role Enforcement
Role enforcement is disabled by default in the standard Cumin configuration file, effectively making every user an admin (the default will change in a future revision). To enable role enforcement, set the
auth configuration value to
True in the cumin.conf configuration file:
[web] authorize: True
Setting Role Values
The role value is part of the account metadata along with username and password. While username and password may optionally be managed in LDAP repositories, role values at this time may only be defined in the local PostgreSQL database. This restriction will likely be removed in a future version. You can read more about LDAP authentication in the earlier blog post Cumin Authentication with LDAP, and we’ll explain how to set roles for external user accounts below.
Roles are managed with the
# cumin-admin add-assignment joeuser admin # cumin-admin remove-assignment joeuser admin
(An account may have the
admin roles at the same time, but currently this has no real effect since
admin is a superset. It is not necessary to explicitly set the
Creating an Entry to Hold the Role for an LDAP Account
For accounts authenticated against LDAP, an entry must be added to the PostgreSQL database as a placeholder before the role value may be set. This is done with the
# cumin-admin external-user myldapuser # cumin-admin add-assignment myladpuser admin
More to Come
A future post may address the relationship of roles to persona and talk about development hooks that allow customization of the UI based on user and site profiles.
The Cumin project wiki can be found here