wiki:MultiUser

Version 6 (modified by davea, 13 years ago) (diff)

--

Multi-user projects

This document describes a set of BOINC server features that support projects with multiple job submitters, or users. A user may represent a single scientist, a research group, or some other organizational entity, An example of a multi-user project is a science portal such as NanoHUB.org.

Such projects are typically structured so that users interact with the project through a web-based interface, and only project admins have login access to the BOINC server.

BOINC's design supports the following goals:

  • The set of users may be large (1000s) and dynamic.
  • The project's resources are shared fairly among users, based on quotas.
  • Privacy: users cannot in general see the computational results of other users.
  • Flexible access control.

User identity

Users are identified by BOINC project accounts (same as volunteers). Users may also be volunteers; i.e. they may supply computing resources to the project. (this may affect their quota; see below).

Access control

The following operations are subject to access control:

  • Submitting jobs
  • Creating and deprecating apps
  • Creating and deprecating app versions
  • Aborting jobs (possibly those submitted by other users)
  • Changing access rights

For each user, the BOINC access control system defines a set of global privileges and optionally a set of per-app privileges for each app.

The global privileges include

  • submit_all_apps. If this flag is set, the user can submit jobs to any application, included those added in the future.
  • admin_all_apps. If this flag is set, the user
    • has admin privileges for all apps (see below)
    • can grant and revoke the privileges of any user
    • can create and deprecate apps
    • set user quotas (see below)

The per-app privileges include

  • the ability to submit jobs to the app
  • admin: if this flag is set, the user can
    • create and deprecate versions of the app
    • grant and revoke per-app permissions for this app
    • abort any job of this app
    • view the output files of any job of this app

Users can be given admin_all_apps permission via the User access control link in the project admin web interface. All other access control is done via the submit_permissions.php page on the main web site.

User quotas

Each user has a quota which determines how much computing resource they get if there is contention. Roughly speaking, if a set of users are contending for resources, the amount that each one gets is proportional to their resource share.

The way in which quotas are determined is up to the project. Some possibilities:

  • Each user attaches their own PCs to the BOINC project, and their quota is the recent average credit of these hosts.
  • Volunteers attached to the project can assign shares of their resource to scientists, and a scientist's quota is the sum of these, weighted by the volunteer average credit.
  • A user's share is increased if they contribute to the portal, e.g. by participating in the message boards.

Quotas can be manually set by users with the admin_all_apps privilege, via a web interface.

Implementation notes

Two new DB tables support the multi-user features

  • user_submit: per-user access control and quota info
  • user_submit_app: per (user, app) access control info.