EDITO group projects
EDITO incorporates a feature that allows multiple users to share access to the same resources within a project. While this can be extremely beneficial for collaboration, be aware that it might be exploited by a malicious user within the group to leverage the privileges of another project member.
Always monitor shared resources and maintain proper user access control to prevent such security breaches.
Datalab
In the top-left part of the Datalab, you can now change the current context from your personal project to a shared group project you have been added to. Below are the fundamental differences between personal projects and group projects.
Secrets
All members of a group project can access the group project secrets from self-services launched in their personal project or from the group project. The access is associated with their personal vault token. The group project does not have a vault token.
WE DO NOT RECOMMEND ASSOCIATING A VAULT TOKEN WITH SHARED SERVICES, otherwise other members of the group project could access your personal project secrets. We recommend configuring the service to accept secrets in a dedicated configuration tab (at launch time), instead.
Files
All members of a group project can access the group project storage from self-services launched in their personal project or from the group project. The access is associated with their personal minio token. The group project does not have a minio token.
WE DO NOT RECOMMEND ASSOCIATING A MINIO TOKEN WITH SHARED SERVICES, otherwise other members of the group project could access your personal project storage. We recommend configuring the service with a dedicated minio token with appropriate restrictions, instead.
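What "appropriate restrictions" can look like, as an added example that is not EDITO's own code: an S3-style policy document (the JSON format MinIO uses) scoped to one prefix of the group storage, with a simplified local check of what it permits. The bucket names and prefix are hypothetical, and how a token carrying such a policy is issued on EDITO is not covered on this page.

```python
import json
from fnmatch import fnmatchcase

# Hypothetical names: replace with your group bucket and the prefix the service needs.
GROUP_BUCKET = "project-mygroup"
PREFIX = "shared-service/input"


def build_policy(bucket, prefix, writable=False):
    """Return an S3-style policy limited to one prefix of one bucket."""
    prefix = prefix.strip("/")
    object_actions = ["s3:GetObject"] + (["s3:PutObject"] if writable else [])
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # listing is allowed only under the prefix
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}/*"]}},
            },
            {   # object access is allowed only under the prefix
                "Effect": "Allow",
                "Action": object_actions,
                "Resource": [f"arn:aws:s3:::{bucket}/{prefix}/*"],
            },
        ],
    }


def allows(policy, action, arn, list_prefix=None):
    """Simplified local check (Allow statements and s3:prefix only)."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or action not in st["Action"]:
            continue
        if not any(fnmatchcase(arn, r) for r in st["Resource"]):
            continue
        patterns = st.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        if patterns and not any(fnmatchcase(list_prefix or "", p) for p in patterns):
            continue
        return True
    return False  # anything not explicitly allowed is denied


if __name__ == "__main__":
    print(json.dumps(build_policy(GROUP_BUCKET, PREFIX), indent=2))
```

A token limited this way reaches only the listed prefix, so a shared service holding it cannot read or list the launching user's personal storage.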
Project settings
The project settings are shared with all the group project members. If, for example, you add an S3 configuration, it will be available to all members.
Services and processes
Any member of a group project can launch a service or a process. The service or process is launched in the name of the user but runs in the project namespace, with the resource configuration of the project.
Project service and process catalogs
It is possible to set up service and/or process catalogs with access restricted to the group members. All members of a group project can access these catalogs in new categories in the “Service catalog” and “Process catalog” pages.
Please contact support if you need group-restricted catalogs.
Administration
Any member of a group project can, at any time, get an overview of “who launched what” in the group project namespace. To do so, you need a terminal on EDITO with the “edit” or “admin” Kubernetes role; for example, you can launch a Jupyter-python with the “edit” role. Then, in the terminal, run:
/opt/showRunningServicesAndProcesses.sh
It outputs a summary of all the running services and processes with their owner usernames, and indicates whether they are shared or not.
Group project administration
For now, group projects are only administered by EDITO administrators.
Create a group project
Please contact support and indicate the name for your group project as well as the people you want in it.
Add a new group project member
Please contact support if you need to add a member to an existing group project.
Work with an external bucket
Some group projects have an external bucket configured to allow for huge storage capacity.
From the datalab, in the project namespace, go to Project settings and then edit the configuration that has Data source: s3.waw3-1.cloudferro.... You will need the following values:
- URL
- Working directory path
- Access key ID
- Secret access key
Now in a terminal, using the Minio Client, you can set an alias for the configuration:
mc alias set ALIAS URL ACCESSKEY SECRETKEY
Where:
- ALIAS: whatever you want, s3 for example
- URL, ACCESSKEY, SECRETKEY: the ones from above
Now you can run:
mc cp myfile.txt <ALIAS>/<Working directory path>/myfile.txt