This howto explains how to manage "New user and new project" requests, i.e. requests from a user to register to the Cloud and to have a new project created.
The procedure to be followed is described in the following flowchart.
Details on the single steps are described below.
"New user and new project" request [1]
To manage a user registration request, log in to the Dashboard as admin and click on Admin → Identity panel → Registrations. You will see the list of the pending requests.
Select the relevant request and click on Action → Details to see all the information concerning the request.
Did the user register using an IdP? [2]
Supported IdPs are INFN-AAI and Unipd SSO
If a user registered via INFN-AAI, the proposed user name is something like user@infn.it. If the username is somehow weird (e.g. TF-18555@infn.it), before pre-checking the request, please contact the Servizio Calcolo @ INFN Padova to check if this is normal or if they need to fix something in the INFN-AAI account of this person.
A user registered via the Unipd IdP (Unipd SSO) if the proposed user name is something like user@unipd.it or user@studenti.unipd.it.
Could the user register using an IdP? Or is this "spam"? [3]
If the user didn't register using an IdP, you should try to figure out whether the user really can't register through a supported IdP.
- To check if a user is registered in AAI you can refer to this info: http://wiki.infn.it/cn/ccr/aai/howto/useldap. In particular you can configure the AAI address book and search for the user in that address book. Besides verifying that the user is in the address book, you also have to verify that the placework (e.g. 'pd', 'lnl', etc.) is specified. This info should be among the "Work" related information.
- UNIPD SSO: Unfortunately there is no blessed method to figure out if a user is registered in the Unipd SSO (but in general all Unipd staff and all students should be registered in the Unipd SSO).
Other hints:
- You can use this link to see if a user willing to register is known to INFN Padova (and also to know the expiration of his contract)
In general you might need to interact with the user (via e-mail) to understand why she didn't or couldn't register using an IdP (and also to understand whether the request is "valid" and not spam).
Reject request [4]
Select the relevant request and click on Action → Reject.
In the message field please explain why the request was rejected. You might want to explain the decision also via e-mail.
The project is for? [5]
You have to understand if this request is for a Unipd project, an INFN project or a "CloudVeneto" (i.e. non INFN, non Unipd) project.
Generally you should be able to get this information from the "Home institution" field of the request.
If it is:
- xxx.unipd.it, this should be a request for a Unipd project
- xxx.infn.it: this should be a request for an INFN project
- in all other cases, this should be a request for a "CloudVeneto" (i.e. non INFN, non Unipd) project
You might need to contact the person via e-mail if this is not clear, and/or ask the other cloud administrators.
Check if the Unipd project can be created and in case get the relevant information [6]
If the "Home institution" field is other.unipd.it, this means that the request is coming from a department which is not a member of the CloudVeneto collaboration. In this case in general we should ask Alberto Garfagnini if the request can be accepted. If needed, ask Massimo Sgaravatto if he knows something about this request.
In all other cases, please get in touch with the contact person(s) that you can see by selecting the relevant request and then clicking on Action → Details, as shown in the example picture below.
Send an e-mail to the contact person(s) (CC-ing the user who submitted the request), asking:
- if the project should be created
- if it is OK that the user who requested the project is the manager of such project
- the expiration date of the project
- if the request was for a private project, ask why this is needed (specify that private projects are discouraged and will be accepted only for valid reasons)
Check if the CloudVeneto project can be created and in case get the relevant information [7]
Requests for non INFN, non Unipd projects should in general be decided by Alberto Garfagnini. If needed, ask Massimo Sgaravatto if he knows something about this request.
Check if the INFN project can be created and in case get the relevant information [8]
Requests for INFN projects should be only for approved INFN experiments, and the person asking for the project should be the local team leader of the experiment.
If you are not sure about a request, please ask Massimo Sgaravatto.
Then you should check if the user requesting the new project is compliant with the INFN policies. This means that the user must be registered in INFN-AAI and:
- he/she must have a verified digital identity (LoA2)
- he/she must declare to have read and accepted the INFN rules for the use of IT resources
- he/she must have followed the "Corso di Sicurezza Informatica - BASE"
If this is not the case, let the user know about the problem. E.g. if the user is not compliant with the third requirement, send him/her a mail such as:
We received your request for registration for CloudVeneto infrastructure.
Since you requested the access to INFN resources, please note what is reported at:
http://userguide.cloudveneto.it/en/latest/Registration.html#prerequisites-for-using-infn-resources
In particular we noticed that you didn't follow the IT Security course. This must be done within 30 days after the registration.
To follow the course, please go to:
https://elearning.infn.it/course/view.php?id=105
Regards
The CloudVeneto support team
If the project can be created, ask the user who submitted the request:
- the expiration date of the project
- if the request was for a private project, ask why this is needed (specify that private projects are discouraged and will be accepted only for valid reasons)
Authorize project and user creation [10]
Select the relevant request and click on Action → Authorize all to authorize the request.
A form will appear.
If the user registered using username and password (i.e. not through an IdP) you might need to change the user name. In general the user name should be the family name, or "contain" part of the family name. E.g. for user Mario Rossi, valid user names could be "mrossi", "mariorossi", "rossi" ("mario", "sonofigo", "wjuve" are instead not acceptable as username).
You then need to set the expiration date (you should know this information from the previous step).
You may need to change the Project name. As a best practice the project name should be under 20 chars.
If you are going to create:
- an INFN project:
  - Select "INFN" as "Available units"
  - Select the relevant Unit(s) or Department(s)
  - Choose a 10.64 network from "Available networks"
- a Unipd project:
  - Select "Unipd" as "Available units"
  - Select the relevant Unit(s) or Department(s)
  - For what concerns "Available networks":
    - If this is a project for DFA you have two options (ask the other colleagues if you are not sure)
      - a 10.64 network
        - To be used in general if this project will be used by persons who have an account at INFN/DFA (e.g. researchers)
        - In this case users affiliated with the project will have to be compliant with the INFN rules for IT resources
        - Access to the VMs will be possible from INFN/DFA LAN without going through a gate
      - a 10.67 network
        - To be used in general if this project will be used by persons who don't have an account at INFN/DFA (e.g. students)
        - In this case it is NOT necessary that users affiliated with the project are compliant with the INFN rules for IT resources
        - Access to the VMs will be possible only going through a gate
    - If this is a project for another department, select a 10.67 network
- a CloudVeneto (i.e. non INFN, non Unipd) project:
  - Select "CloudVeneto" as "Available units"
  - Select a 10.68 network from "Available networks"
When you have filled in all the information, click "Ok".
Create account on gate [11]
You now need to create the user on the gate machine. This must be done for each user, even if he/she doesn't need it.
Log in to gate.cloudveneto.it with your personal account.
Acquire root privileges:
sudo su -
Execute the script:
add-user-gate <USERNAME> <USER_EMAIL>
(e.g. add-user-gate pmazzon paoloemilio.mazzon@unipd.it)
The username on the gate will be the first character of the first name followed by the surname, for a maximum of 8 characters (modulo conflicts). Examples:
- Gianpietro Sella –> gsella
- Paolo Mazzon –> pmazzon
- Massimo Sgaravatto –> msgarava
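The two naming rules in this howto (the Dashboard user name must contain part of the family name; the gate user name is the first initial plus the surname, cut to 8 characters) can be checked before running add-user-gate as root. The following is an added example, not part of the CloudVeneto tooling. Assumptions: "part of the family name" is taken to mean its first 3 letters or more, and conflicts are resolved with a numeric suffix, since the howto does not say how either is decided; all function names are hypothetical.

```python
import unicodedata

GATE_MAX_LEN = 8  # maximum gate username length stated in the howto


def _ascii_letters(text):
    """Lower-case the text, strip accents, drop everything that is not a-z."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed.lower() if "a" <= c <= "z")


def username_matches_family_name(username, family_name, min_overlap=3):
    """Heuristic for the Dashboard rule: the user name is, or contains part
    of, the family name. Assumption: 'part' means the leading min_overlap
    letters (the whole name if it is shorter than that)."""
    user = _ascii_letters(username)
    family = _ascii_letters(family_name)
    if not family:
        return False
    shortest = min(min_overlap, len(family))
    return family[:shortest] in user


def gate_username(first_name, family_name, existing=()):
    """Propose a gate user name: first initial + surname, at most 8 chars.
    'existing' is the collection of names already present on the gate."""
    first = _ascii_letters(first_name)
    family = _ascii_letters(family_name)
    if not first or not family:
        raise ValueError("both names need at least one letter")
    base = (first[0] + family)[:GATE_MAX_LEN]
    taken = set(existing)
    if base not in taken:
        return base
    # Assumption: on conflict, append 2, 3, ... while keeping the 8-char limit.
    for n in range(2, 100):
        suffix = str(n)
        candidate = base[:GATE_MAX_LEN - len(suffix)] + suffix
        if candidate not in taken:
            return candidate
    raise RuntimeError("no free user name found for " + base)


if __name__ == "__main__":
    # Names taken from the examples in this howto.
    for first, family in [("Gianpietro", "Sella"), ("Paolo", "Mazzon"),
                          ("Massimo", "Sgaravatto")]:
        print(first, family, "->", gate_username(first, family))
    for name in ["mrossi", "mariorossi", "rossi", "mario", "sonofigo", "wjuve"]:
        print(name, username_matches_family_name(name, "Rossi"))
```

The result is only a proposal: the administrator still decides the final name, and very short family names can match by accident.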
Final steps [12]
Update the relevant page under Networking with the information about the newly created network.
Notify the Cloud governance about the new project by sending an e-mail to:
cloud-unipd-gov@lists.pd.infn.it
Example:
I inform you that the new project AbinitioTransport has been created on CloudVeneto
Description:
We run density functional theory and post density-functional theory (namely the GW-BSE approach) for
calculating from first-principles transport properties such as effective masses, electron and hole lifetimes.
Starting from test calculations we aim to study materials
relevant for solar cell devices. We will focus in particular on hybrid organic-inorganic perovskites. - DFA
Project manager: paolo.umari@unipd.it
Best regards, Massimo Sgaravatto