How Accounts are Managed at NERSC
This document describes how users and project managers can manage both user
accounts and project accounts (called repositories).
How Users can Manage their User Accounts
Users can manage various aspects of their user account setup.
-
User Contact Information:
Contact information for each user is kept in the NERSC Information management
(NIM) system.
In order to communicate
effectively with users and in order to abide by DOE computer use regulations
we must have the following information for each user: name, citizenship,
email address, work phone number, and work institution (organization).
Users are expected to keep their information current.
To see your Personal Contact Information page in NIM
select My Contact Info from
the My Stuff pull-down list in the NIM main menu. To update this information,
select the Update link.
-
Changing your Password and Shell on Machines managed by LDAP:
LDAP (which stands for Lightweight Directory Access Protocol) is being used to
manage a number of NERSC machines, including
PDSF,
Bassi and
Jacquard.
All LDAP-managed machines share a common password, which is the same as your
NIM password. If you need to change a password on such a machine, change your
NIM password and the new password will be propagated to the LDAP-managed
machines within a few minutes. To change your NIM password, select Change
NIM Password from the Actions pull-down list in the NIM main menu.
On LDAP managed machines you must also use NIM to cahnge your default shell.
To do
this, select Change Shell
from the Actions pull-down list in the NIM main menu.
-
MPP Default Charge Repository:
Allocations of NERSC computer time are awarded into project accounts, called
repositories or repos. Each user has a default repository.
All interactive
charges are charged to the default repo. Batch jobs are also charged to the
default repo if no repo (account) is specifically assigned to the job.
Users can see their default repo in the NERSC Information Management
(NIM) system on the Account Usage Summary page.
This is the page that is displayed when you first login to NIM (or select My
Account Usage from the NIM main menu). Look at the columns:
- Dflt Now?: a Y indicates the default repo currently in effect
- Base Repo? a Y indicates that this is the repo you have chosen (or
were given) as your default repo. This will be your default repo unless your
user balance is negative in that repo, in which case NIM will set another repo
(if you have one) as your temporary default repo.
To change your base default repo, select Change Default Repo from the Actions
pull-down list in the NIM main menu.
See also MPP Accounts and
Charging.
-
HPSS Project Percents:
Allocations of Storage
Resource Units are awarded into project accounts called HPSS repos.
If a login name belongs to only one HPSS repo all of its usage is charged to
that repo. If a login name belongs to multiple HPSS repos its daily charge is
apportioned among the repos using the project percents for that login name.
Default project percents are assigned by NIM based on the size of each
repo's storage allocation.
Users can see their project percents
on the Account Usage Summary page in NIM.
This is the page that is displayed when you first login to NIM (or select My
Account Usage from the NIM main menu). Look at the column Proj %
in the HPSS repo display area.
To change your project percents, select Change SRU Proj Pct from the
Actions
pull-down list in the NIM main menu.
How Project Managers can Manage their Users and Repositories
Project Managers should read A NIM Guide for PIs, PI
Proxies and Project Managers
for information on how to add and delete users,
check balances, change user quotas,
transfer resources and perform other account management functions.
Allocation Management
Repositories (both MPP and HPSS) that haven't used significant amounts of
time (or SRUs)
are adjusted at certain times by transferring a part of the unused balance to the
corresponding DOE Office reserve. The following schedule will be used for
allocation year 2009 (which runs January 13 2008 through January 11 2009).
- On April 14:
- if usage is less than 10% remove 25% of the unused balance
- On July 14:
- if usage is less than 25% remove 25% of the unused balance
- if usage is less than 10% remove 50% of the unused balance
- On October 13:
- if usage is less than 50% remove 25% of the unused balance
- if usage is less than 25% remove 50% of the unused balance
- if usage is less than 10% remove 80% of the unused balance
- On November 17:
- if no usage close the repo and transfer balance to the reserve
What happens if a repo or user balance is negative
Accounting information is sent from the computational machines and HPSS to NIM once
daily (in the early morning, Pacific Time).
At this time actions are taken if a repo or user balance is negative.
If a repo runs out of time (or Storage Resource Units)
all login names which are not associated with another active repository
are restricted:
- On computational machines restricted users are able to log in, but
cannot submit
batch jobs, or run parallel jobs, or run lengthly interactive programs.
- For HPSS restricted users are able to read data from HPSS and delete files but cannot
write any data to HPSS.
Login names that are associated with more than one repo (for a given resource
-- MPP or HPSS) are checked to see if
the user has a positive balance in any of her or his repos (for that resource). If he or she
does have a positive balance in some repo (for that resource) s/he will
not be restricted and the following will happen:
- On computational machines the user will not be able to charge to the restricted repo. If
the restricted repo had been the user's default repo, a new (temporary) default
repo is assigned to the user (it can be any one of the user's remaining
repos). For more information see Running
Out of Time.
- For HPSS, repos that are negative continue to incur SRU charges every day for
each member that has HPSS files. This is because there is a daily charge for
files stored within HPSS.
Also, project percents are not adjusted when a repo goes
negative. For more information see
What
happens if a repo or user SRU
balance is negative?.
The PI and project managers receive an email notifying them that the repo is
negative. They should send an email to their
NERSC
Allocations Manager stating how much time
(or SRUs)
the repo needs for the rest of the allocation year.
If and when the repo receives additional time (or SRUs), any users that have been
restricted will be unrestricted within two hours of transferring new time to
the repo.
Likewise, when a user goes over her/his individual user quota
in a given repo, that user is restricted if s/he has no other repo to charge
to.
A PI or Project Manager
can change the user's quota. See the
instructions for
changing user quotas.
Login Name Management
On most NERSC hosts, each user has a single login name, which can charge to
one or more repos.
Your login name on a given host can be in one of the states decribed below.
These states are registered in NIM
and displayed on
NIM's Logins by Host page. A case where NIM does not know the user's status on a
host is if the user has had 3 or more failed login attempts. If this happens
to you,
call the Account Support group at 800-666-3772, menu option 2, or 510-486-8612
to have your password failures cleared.
- Active
-
The usual state for active users in repos with a positive balance.
- Active - to be removed
-
The user is still active on HPSS but is scheduled to be deleted from their last
project at NERSC (HPSS staus only).
See User Deletion Process.
- Restricted - negative
-
This happens if either the user cannot charge to any repo.
When a (login, repo) pair runs out of time:
- If the the user can still charge to some repo, the depleted repo is removed
from the list the user can charge to (and the user remains active).
- If the user has no repo to charge the user is restricted. This means that
the user's
interactive computing is limited and no batch computing is allowed.
If more allocation is added to the repo, the user is unrestricted.
- Limited - to be removed
-
The user has been restricted (the user's
interactive computing is limited and no batch computing is allowed) in
preparation for removal.
See User Deletion Process.
- Disabled - no Form
-
The user's account (username) has been created in a disabled state because the
user has not yet faxed to NERSC the Computer Use Policies Form.
- Disabled - inactive
-
The user has not logged in for the past 90 days and has been disabled.
The user can no longer login to a system,
but the user's account and files remain intact.
This is checked at the beginning of every month and affected users
are notified by email.
To be re-enabled call the Account Support
group at 800-666-3772, menu option 2, or 510-486-8612.
- Disabled - not authorized
-
The user has no allocation on this machine (but has been registered with than
machine so that the NERSC Global Filesystem can display user names and group
names rather than uids and gids).
- Disabled - to be removed
-
The user has been disabled in preparation for removal.
See User Deletion Process.
- Disabled
-
The user has been temprarily disabled.
The user can no longer login to a system,
but the user's account and files remain intact.
NERSC Account Support staff will contact disabled users to re-enable them.
- Archived
-
The user's permanent data has been archived to HPSS.
- Crypt
-
The user's HPSS data has been moved to the HPSS crypt (not yet implemented;
HPSS status only).
- Deleted
-
The username has been removed from the host.
User Deletion Process
When a user is removed from a computational system
When a user is removed from one of the NERSC computational systems (but still
remains authorized to use other NERSC resources) the following happens:
- The user is placed in Limited status on the system and is notified by
email about the removal process. The user retains the Limited status for one
month. While in Limited status the user can still login to the system but
cannot submit batch jobs or run long interactive jobs. While in Limited status
the user is responsible for:
- Deleting files that are no longer needed.
- Moving personal files (not needed by any NERSC project) to their home
site, to HPSS, or to some other NERSC
computational system where the user is still active.
- Ensuring that files needed by any project of which s/he has been a
member are retained by the project.
- After one month in Limited status the user is Disabled (can no longer
login) and retains the Disabled Status for at least five months. During this
time the user can be easily re-activated.
-
After five months of Disabled status the user's permanent files
are eligible to be archived
to HPSS, after which the username may be removed from the system.
When a user is removed from a project
PIs and Project Managers decide when a user should be removed from a project.
Users who are removed from a project receive an email to that effect.
If the user is still a member of other projects, the user is simply removed
from the departed project repositories (and can no longer charge to them) but
otherwise remains active at NERSC.
When a user is removed from their last project at NERSC the following happens:
- The user goes through the user deletion process on each computational
system for which they have an account (see above).
The user remains active on HPSS during the month of limited status on the
computational systems.
-
After one month the user is placed in Limited Status on HPSS and has
read/delete access there. The user retains Limited status on HPSS for 5 months.
While in Limited status
the user is responsible for:
- Deleting files that are no longer needed.
- Moving personal files (not needed by any NERSC project) to their home
site.
- Ensuring that files needed by any project of which s/he has been a
member are retained by the project.
- After 5 months of Limited Status on HPSS the user is disabled on HPSS.
The user's files are now eligible to be moved to the HPSS crpt where they will
remain for at least 18 months before being deleted. This step has not yet been
implemented.
|