JCMT Visiting Observer Accounts
Introduction
When an observer or an observing team comes out to Hawaii for an observing run on the JCMT, an account is
needed on the JAC computing systems for use by the team. In the past, we have provided a Guest Account
mechanism (the infamous GUEST00 login on the VAX systems) which allowed each member of an
observing team to create an individual, temporary account. When Sun/UNIX systems were added to the JAC
computing infrastructure, the Guest Accounts were extended so that a user could work in both the UNIX and VMS
environments from the same account. The Guest Account mechanism, however, applied only to the Hilo systems -
at the summit, visiting observers typically logged in to the JCMTUSER account to reduce their data as it
was received. This approach has a number of problems:
• The present Guest Account mechanism does not exist at the summit. A coordinated setup, involving all sites
(summit, HP, and JAC) and all computers (VAXes, Suns) would be much more elegant and user friendly.
• The number of current guest accounts is finite, which at times has created problems.
• The JCMTUSER password is, necessarily, known to a large group of people worldwide, which is a
general security risk.
• The JCMTUSER account gives access to the current observations for anyone knowing the
password.
• As the JCMT moves toward an RDBMS-based data archiving system, a need arises for some form of personalised
authenticated access to the database while the data is proprietary (1-2 years). While database access does not imply
login access, for the convenience of the user and of the Archive Administrator, it is useful for the database
id-password pair to at least be based on the original login id-password pair.
Because of these and other problems, a new procedure was needed.
Design
Over the past few months a new procedure has been developed for the assignment of accounts to JCMT Observers.
The design goals of this procedure were:
• It should be consistent - the observer's login and password should be the same, whether the login is on a Hilo
VAX, a JCMT Summit VAX, or any JAC UNIX system (or eventually, the RDBMS Archive).
• It should be convenient - once the accounts have been created, any JCMT Telescope Operator or Support
Scientist should be able to provide the visiting observer with the correct login id and password.
• It should be secure - consistent with the previous item, while it should be easy for authorized staff to have
access to the account passwords, it should not be easy for unauthorized persons. Also, one account should not have
access to another account's data.
• It should be script-driven - a single command procedure should create the accounts and set up permissions and
activation and deactivation dates for all sites on the JACH network. At the start of each semester a list with PATT
numbers and observation dates should serve as input for the script.
Implementation
Recently, an Observer Account mechanism has been implemented which is consistent with the design goals as
outlined in the previous section.
Observers arriving at the JAC will have a login on any host, with their PATT number as the login name. A custom
utility, only executable by JCMT Staff, can be used to disclose the password for the account. Users who need the
password prior to arrival should contact their support scientist.
On the summit computers (MWTRED (VAX) and IEIE (Sun); domain: jcmt.jach.hawaii.edu) the accounts are
only activated during a very short period around the observation date (of the order of days). On all other systems
(domain: jach.hawaii.edu) the accounts will remain accessible for a period of several weeks after the
observations have been completed. Because of this and the fact that the link between the summit and JAC may not
be available at certain times, a separate home directory exists at the summit and at the JAC. Observers who wish to
continue to work on their data after the observation (i.e. while at the JAC) must use FTP or rcp to copy
the files to their JAC home directory.
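The script-driven, time-limited activation described above can be sketched as follows. This is an added example, not the JAC command procedure: the schedule line format, the placeholder PATT numbers and dates, and the window lengths are assumptions, since the article gives only "of the order of days" and "several weeks".

```python
from dataclasses import dataclass
from datetime import date, timedelta

SUMMIT, HILO = "jcmt.jach.hawaii.edu", "jach.hawaii.edu"   # domains from the article
# Assumed window sizes: the article says only "of the order of days" / "several weeks".
SUMMIT_MARGIN = timedelta(days=2)
HILO_LEAD, HILO_TAIL = timedelta(days=7), timedelta(weeks=4)

# Constructed input: placeholder PATT numbers with first and last observing night.
SAMPLE = """\
# patt-number  first-night  last-night
patt001  1995-03-10  1995-03-12
patt002  1995-03-20  1995-03-20
"""

@dataclass(frozen=True)
class Window:
    login: str
    domain: str
    start: date
    end: date

def parse_schedule(text):
    """Return [(login, first, last)]; reject malformed lines instead of guessing."""
    runs = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"line {n}: expected 'patt first last'")
        first, last = date.fromisoformat(fields[1]), date.fromisoformat(fields[2])
        if last < first:
            raise ValueError(f"line {n}: run ends before it starts")
        runs.append((fields[0], first, last))
    return runs

def plan(runs):
    """One activation window per run and domain: short at the summit, longer elsewhere."""
    out = []
    for login, first, last in runs:
        out.append(Window(login, SUMMIT, first - SUMMIT_MARGIN, last + SUMMIT_MARGIN))
        out.append(Window(login, HILO, first - HILO_LEAD, last + HILO_TAIL))
    return out

def may_login(windows, login, domain, day):
    """Deny by default: unknown logins and dates outside every window are refused."""
    return any(w.login == login and w.domain == domain and w.start <= day <= w.end
               for w in windows)

if __name__ == "__main__":
    for w in plan(parse_schedule(SAMPLE)):
        print(f"{w.login:8} {w.domain:22} {w.start} .. {w.end}")
```

The same login name gets a different validity window on each domain, so a summit account expires within days while the Hilo account stays usable for data reduction.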
Similar to the current system on MWTRED, the home directories for visitors at the summit are set up as
DISK$USER:[JCMTUSER.OBSERVE.userid], which is automounted by the Sun
(/home/userid). This scheme allows a user to access data from either the VAX or a Sun: data will be
written to the home directory. For users who prefer to use the VAX, nothing much changes. Users who prefer a
Sun will have to open a remote DECterm (running on the VAX, displaying on the Sun) to run SPECX, until such
time as UNIX-SPECX becomes available. However, FITS files created with SPECX can directly be read into CLASS
or IRAF, which are both available on the summit Sun. Similarly, Sun editors can be used on any of the text files.
In Hilo, the visitors' home directories are automounted from the VAX disk DISK$JCMTDATA:[userid].
Note that the Hale Pohaku Sun MOEMOE is a Hilo machine for login purposes.
Final notes (by RPT)
The new setup as outlined above may seem rather straightforward and trivial; in fact, it is built upon an extensive
and complex integration of the underlying computer network at the JAC. Development of this network has been a
major achievement of Henry Stilmack and David Fuselier this past year. Remarkably, most of this work has been
fully transparent to the users. Every effort will be made to avoid complications while moving to the new Accounts
Mechanism, but in case of unexpected problems, we encourage observers not to hesitate in asking JCMT support
staff for help.
Henry Stilmack & Remo Tilanus, JAC