Admin limit folder access to users

abasle · December 18, 2023, 5:53pm

Hi,

Is there a way to setup cryosparc so the users have access to only a given folder folder?

For example during users setup to make such folder for project creation.

We need to restrict each user space to have a fair use of the resources. Alternatively is there a way to limit the space each user is having access to in their profile?

Cheers,
Arnaud

wtempel · December 19, 2023, 8:10pm

Thanks @abasle for the suggestions, which we recorded.

Directory permissions and storage quota may currently be addressed by running separate CryoSPARC instances under different Linux accounts. Multiple CryoSPARC instances can share

the same master host if each instance is assigned its unique, non-overlapping port range and license id
worker nodes controlled by an external workload manager

ctueting · January 17, 2024, 3:18pm

But this is in general a nice feature request. In my understanding, as the master node is running a on the UNIX system, see’s, what the cryosparc_user sees. Which is in principle anything (at least the folder/file structure). I am not sure, if one can chroot the web app access to a list of folders.

E.g., the EM images are on subfolders in /mnt, and the shared project storage server as well, there is no need that the user can see the contents of /etc. Would be awsome, to have some configuration of “visible” paths.

On short term, a default project folder would be nice.
Because, by default new project can be created in $HOME, but the user should do this on a shared drive in e.g., /mnt/cryosparc_projects. So each time, they need to copy&paste or navigate through the system to find the correct place. Worst case, they create in $HOME and the server crashes because it’s running out of local storage.

Best
Christian

abasle · January 17, 2024, 3:41pm

Hi,

With the number of users/project I manage having multiple instances/port range for cryosparc would not be a solution.

But having an area for the users that they cannot change would be great. The area would be defined at configuration or user creation by the admin. Any project created by a given user would be in their space (or space for a group it does not matter as long as the choice is for the admin).

I use and manage a CCP4 cloud (for x-ray data) which offer users a remote interface to process their data. Users have access to the raw data folder setup on the share. Can read their home folder or any other share that the admin make available. But the users never see their project area and cannot write data outside of their project area.

Cheers,
Arnaud