Acacia access and identities

Introduction

Access to Acacia is achieved through S3 credentials rather than a direct Pawsey username and password login. This page describes the implications of this for user identities and for how Acacia projects are structured. It is intended as background for project administrators seeking to implement access control policies.

Identities in Acacia

When S3 credentials are created using Pawsey’s Origin interface (see https://pawsey.atlassian.net/wiki/x/-E0YAw), the “Storage Name” will have been set to either a Pawsey username or the name of a particular project (e.g. pawsey0123).

If the S3 credentials were generated using a Pawsey username, the Acacia identity will be:

arn:aws:iam:::user/<username>

If “Storage Name” was set to the name of a project, then the Acacia identity will be:

arn:aws:iam::<project-uuid>:

The actual value of the project-uuid is shown in the Origin interface when creating S3 credentials for that particular project.

Project types

Currently, there are two configurations for collaborative Acacia projects at Pawsey:

  • group access (the default)

  • individual access

There is also a small fixed amount of private storage given to every user for personal use. This is accessible by creating S3 credentials with the “Storage Name” set to the user’s Pawsey username.

Group access

This is the default configuration for Acacia projects. Here, everyone who is a member of the project (as shown in the Origin portal) effectively has the same identity when they log in to Acacia:

arn:aws:iam::<project-uuid>:

Consequently, there is no way to write policies that distinguish between project members and grant them different levels of access. However, if a user with Pawsey username “personA” is not a member of the project, you could add a policy that grants them access via the identity:

arn:aws:iam:::user/<personA>

It is possible to control Acacia access by removing all members (except admins) from your Pawsey group project so that you can add them individually using the above method. However, if your project has access to other resources (e.g. the supercomputer), then members will lose access to those as well, which may not be desirable.

Individual access

This is a manual configuration that permits more fine-grained control of Acacia access, and is currently only available by request to the Pawsey Helpdesk. Here, the project membership in Origin is not used by the associated Acacia project; instead, a customised list of admins is granted full access. In most cases this list will likely be the same as in Origin, but it is maintained separately. Under this configuration, regular project members (as shown in Origin) have no access to the project’s Acacia allocation. If access is desired, one of the admins must add an explicit policy for the person’s Pawsey identity:

arn:aws:iam:::user/<pawsey-username>

This will then allow that person to use S3 credentials, created using their Pawsey username, to access the project according to the specific policy permissions.
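The following is an added example (not from this page or from Pawsey) showing how the identity formats above translate into a bucket policy, both for the group-access case of granting a non-member access and for the individual-access case of granting a named Pawsey user access. The bucket name, the project uuid placeholder and the assumption that the backend honours a StringLike condition on s3:prefix are all constructed for this illustration.

```python
import json

def user_identity(pawsey_username):
    """Identity of S3 credentials whose Storage Name is a Pawsey username."""
    return f"arn:aws:iam:::user/{pawsey_username}"

def project_identity(project_uuid):
    """Shared identity of every member under group access (uuid shown in Origin)."""
    return f"arn:aws:iam::{project_uuid}:"

def build_bucket_policy(bucket, grants):
    """Turn grants ({"sid", "identity", "actions", "prefix"}) into a bucket policy.
    Object actions are limited to keys under the prefix; s3:ListBucket gets a
    Condition on s3:prefix so the grantee cannot enumerate the whole bucket."""
    statements = []
    for g in grants:
        prefix = g.get("prefix", "")
        principal = {"AWS": [g["identity"]]}
        object_actions = [a for a in g["actions"] if a != "s3:ListBucket"]
        if object_actions:
            resources = [f"arn:aws:s3:::{bucket}/{prefix}*"]
            if "s3:*" in object_actions:  # full access also needs the bucket itself
                resources.insert(0, f"arn:aws:s3:::{bucket}")
            statements.append({
                "Sid": f"{g['sid']}Objects", "Effect": "Allow",
                "Principal": principal, "Action": object_actions,
                "Resource": resources,
            })
        if "s3:ListBucket" in g["actions"]:
            stmt = {
                "Sid": f"{g['sid']}List", "Effect": "Allow",
                "Principal": principal, "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
            }
            if prefix:
                stmt["Condition"] = {"StringLike": {"s3:prefix": [f"{prefix}*"]}}
            statements.append(stmt)
    return {"Version": "2012-10-17", "Statement": statements}

# Constructed example: the project's shared identity keeps full access, while
# non-member personA (username-based credentials) may only read under shared/.
EXAMPLE_POLICY = build_bucket_policy("pawsey0123-data", [
    {"sid": "ProjectMembers", "identity": project_identity("<project-uuid>"),
     "actions": ["s3:*"], "prefix": ""},
    {"sid": "PersonAReadShared", "identity": user_identity("personA"),
     "actions": ["s3:ListBucket", "s3:GetObject"], "prefix": "shared/"},
])
```

The resulting document can be applied with boto3 via `s3.put_bucket_policy(Bucket="pawsey0123-data", Policy=json.dumps(EXAMPLE_POLICY))`; replace the uuid placeholder with the value Origin shows for the project.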