Mostly Cumin

Things about the Cumin web UI for Condor (and other random insights).

Role Enforcement in Cumin

Roles in Cumin scope activities and content in the UI. There are currently two roles defined in Cumin, admin and user. The admin role is a superset of the user role, and every new account has the user role by default.

Differences in the Roles

The admin role allows a user to see various charts, graphs, and statistics related to performance of the Condor pool. An admin can also see information about Condor infrastructure components such as schedulers and negotiators and can run certain pool management commands. Admins are free to manage any job running in the pool regardless of who owns the job, but can also switch to the user view for the admin account.

The user role allows a user to create and manage their own submissions. They do not have visibility into jobs owned by other users, performance metrics, or pool management commands.

Enabling Role Enforcement

Role enforcement is disabled by default in the standard Cumin configuration file, effectively making every user an admin (the default will change in a future revision). To enable role enforcement, set the authorize value to True in the [web] section of the cumin.conf configuration file:

[web]
authorize: True
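
A check for the setting above, as an added example (not part of Cumin or of the original post): it parses the text of a cumin.conf and reports whether role enforcement is on. It assumes the file parses as standard INI and treats only the literal value True shown above as enabled; the function name, script name, and sample configs are constructed for illustration.

```python
import configparser
import sys

# Constructed sample configs for illustration (not from a real deployment).
DEFAULT_CONF = "[web]\n# authorize: True\n"
ENFORCED_CONF = "[web]\nauthorize: True\n"


def role_enforcement_status(conf_text):
    """Return (enforced, reason) for the text of a cumin.conf file.

    Hypothetical helper. Fails closed: anything other than a single,
    literal 'authorize: True' in [web] is reported as not enforced.
    """
    # strict=True (the default) rejects duplicate keys, so a later
    # 'authorize' line cannot silently override an earlier one.
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(conf_text)
    except configparser.Error as exc:
        return False, "config not parseable: " + type(exc).__name__
    if not parser.has_section("web"):
        return False, "no [web] section, default (disabled) applies"
    if not parser.has_option("web", "authorize"):
        return False, "authorize not set, default (disabled) applies"
    value = parser.get("web", "authorize").strip()
    if value != "True":
        return False, "authorize is %r, not True" % value
    return True, "authorize: True in [web]"


def main(argv):
    # Path is supplied by the caller; no install location is assumed.
    if len(argv) != 2:
        print("usage: check_cumin_roles.py /path/to/cumin.conf")
        return 2
    with open(argv[1], encoding="utf-8") as handle:
        enforced, reason = role_enforcement_status(handle.read())
    prefix = "OK: " if enforced else "WARNING: role enforcement not confirmed; "
    print(prefix + reason)
    return 0 if enforced else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The non-zero exit status on anything but a confirmed True makes the script usable as a configuration-management or monitoring check.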

Setting Role Values

The role value is part of the account metadata along with username and password. While username and password may optionally be managed in LDAP repositories, role values at this time may only be defined in the local PostgreSQL database. This restriction will likely be removed in a future version. You can read more about LDAP authentication in the earlier blog post Cumin Authentication with LDAP, and we’ll explain how to set roles for external user accounts below.

Roles are managed with the cumin-admin commands add-assignment and remove-assignment:

# cumin-admin add-assignment joeuser admin
# cumin-admin remove-assignment joeuser admin

(An account may have the user and admin roles at the same time, but currently this has no real effect since admin is a superset. It is not necessary to explicitly set the user role.)

Creating an Entry to Hold the Role for an LDAP Account

For accounts authenticated against LDAP, an entry must be added to the PostgreSQL database as a placeholder before the role value may be set. This is done with the cumin-admin command external-user:

# cumin-admin external-user myldapuser
# cumin-admin add-assignment myldapuser admin

More to Come

A future post may address the relationship of roles to persona and talk about development hooks that allow customization of the UI based on user and site profiles.

The Cumin project wiki can be found here