NorduGrid Acceptable Use Contract
Adopted from the European DataGrid Usage Guidelines
The NorduGrid Testbed is an
international project with the aim to set up and test the Grid
infrastructure for distributed computing and data handling in Nordic
countries, relying on existing high-performance networks, commodity
computing resources and available middleware.
The purpose of this document is to lay down the rules governing the
use of these resources, in conjunction with the rules of each site
concerned. These rules can be modified as the NorduGrid project
evolves, in conjunction with the rules of the Testbed sites. The
rules of each partner and each site remain applicable, as does the
legislation of each state concerned. The various sites of the various
partners shall collaborate to solve security incidents. The Testbed
resources may only be used for professional purposes.
This document applies to all members
of the NorduGrid Testbed. In the event of a security incident, the
rules of the site concerned and the legislation of the State(s)
concerned shall be applied.
- Testbed
- All the resources dedicated to the development of the NorduGrid
project at the participating sites.
- Testbed Resources
- The term "Testbed resources" shall generally be used to describe:
- all the computers, workstations and servers that make up the Testbed;
- the telecommunications networks connecting these computers;
- the data storage systems connected to the Testbed;
- all the other active components and networks connected to the Testbed;
- all the support services, programme libraries, applications and
other software, documents or services operating on or connected to the
above-mentioned computers and networks.
- Certification authority
- A Certification Authority (CA) is a body responsible for establishing
and, thereafter, guaranteeing a formal link between a person,
application, or server and a public key (chain of 1024 bits or
more). Its role is to verify the correctness of the information
contained in the electronic identification certificate it issues, as
well as to guarantee the validity of this document. The setting-up of
a Certification Authority entails the definition of a Certification
Policy (CP) and a Certification Practice Statement (CPS), a collection
of rules indicating to what the certificate is applicable, by whom,
and what are the conditions of the CA's implementation from the legal,
administrative and technical viewpoints. The NorduGrid CA is established at
the NBI, Copenhagen, Denmark, and acts as the official CA for the
Nordic countries: Denmark, Finland, Norway and
Sweden.
- Certificate
- The certificate is an electronic document, digitally signed by the
Certification Authority, that asserts an association between an
identifier and a particular public key. The Certification Authority
asserts, to the level defined in its CP and CPS, that this identifier
is associated with an identity (a person, application, or site), by
issuing a digitally signed certificate and by not including this
certificate in the Certificate Revocation List published by the CA.
At the moment of issuing a certificate, the CA asserts, to a level
defined in its CP and CPS, that:
- for a person, a defined relationship existed between the owner and
the identifier or identifiers stated in the certificate,
- for an application, a defined relationship existed between the
signed object and the identifier(s) stated in the certificate,
- for servers, a relationship existed between a known person
responsible for this system and the identifier of the system as stated
in the certificate.
The certificate is based on the standardised X.509 protocol (ITU-T X.509
international standard V3 - 1996) (RFC 2459).
- User
- A person with access to the NorduGrid Testbed resources.
- Virtual Organization
- A Virtual Organisation (VO) is the user and service management
system, consisting of the user and service database and a
corresponding set of tools.
- NorduGrid membership
- A NorduGrid membership gives access to the Testbed resources made
available by the participating sites.
Access authorisations are strictly personal and may under no
circumstances be transferred to a third party, even
temporarily. Authorisations may be withdrawn with due cause at any
time and expire upon termination, even temporary, of the professional
activity for which they were granted.
An applicant should be a resident of one of the
above-mentioned Nordic countries. The procedure for
becoming a NorduGrid member comprises the following steps:
- obtaining a personal certificate from the NorduGrid
Certification Authority,
- agreement to these usage guidelines, and
- registration with the NorduGrid virtual
organization by contacting a corresponding NorduGrid site
manager.
If an applicant is not affiliated with any of the
NorduGrid partner
sites, he/she should contact the
NorduGrid coordinator.
Implementation of the NorduGrid security procedures and response to
security incidents is the responsibility of each NorduGrid site manager.
Although the Testbed's constituent sites undertake to contribute
to the maintenance and protection of their computing installations,
they cannot provide a guarantee of the latter's smooth operation or
the confidentiality of the information stored there. Consequently, the
Testbed's constituent sites accept no responsibility in the event of
information loss or breach of confidentiality.
All the memberships are equipped with appropriate access
protection, such as passwords, and with an individual certificate
issued by the NorduGrid Certification Authority.
All members are responsible for their use of the Grid resources
and the network to which they have access. They also have
responsibility, at their own level, for contributing to the general
security of the Grid.
Members shall:
- adhere to the security recommendations of the site to which they
belong, the recommendations of the sites they access via the Testbed
and those of the Testbed itself,
- report to their local security officer any attempt to violate
their user account or workstation and, generally, any anomaly that
comes to their attention,
- report immediately to the issuing Certification Authority any
compromise of the private key of their certificates,
- report any security faults immediately to the local security
officer,
- not try to exploit any security faults in the Testbed resources,
or to use such faults to the detriment of other computer facilities,
- select safe passwords, endeavour to keep them secret and under no
circumstances communicate them to third parties,
- use the Testbed resources without intentionally causing damage to
the Testbed, or disturbing its operation unless these activities are
part of an authorized stress test of the Testbed; use of the Testbed
resources must be rational and relevant in order to prevent its
saturation or misuse for personal ends,
- use their membership for the sole purpose for which it was
granted,
- not use or attempt to use accounts/memberships other than their
own or to disguise their real identity,
- not try to gain unauthorised access to accounts, stored data or
data transiting on the network, except under the provisions of the
paragraph "Third-party access to user accounts", below,
- not give or allow unauthorised users access to the Testbed
resources via resources at their disposal,
- keep confidential all information obtained from access to the
Testbed resources that they may reasonably be expected to understand
is confidential or sensitive in nature,
- respect the property rights associated with the Testbed resources,
including the copyright on software and property rights relating to
confidential data.
Members shall authorise the publication of their personal details
in electronic directories and databases, as long as these are
necessary for obtaining access to the Testbed. These details may be
consulted by all the Testbed sites.
Members who have been attributed an account with privileged access
in connection with their specific professional duties must advise
their corresponding NorduGrid site manager as soon as their duties no
longer call for privileged access.
The computer administrators and all expressly authorised persons
have access to the information stored in the Testbed computing
facilities. Such access is subject to the following conditions:
- the above-mentioned persons are only authorised to communicate
information amongst themselves, except where expressly required for
the execution of their duties with respect to the Testbed.
- access for such persons must always be in the exercise of their
professional duties, and shall only be authorised, with the member's
consent, for the following purposes:
- to solve problems affecting the Testbed computing facilities,
including optimisation of the latter or the installation of new
facilities;
- detection of computer security weaknesses or violations;
- monitoring of the resources available;
- to conduct an enquiry ordered by the computing security officer of
a Testbed site or the relevant hierarchical supervisor when a breach
of the rules is suspected;
- the re-attribution of access rights to accounts or the
cancellation of membership upon expiry of a member's contract with one
of the NorduGrid project partners, or when the member's activities are
no longer compatible with the aims of the project;
- to re-establish the normal operation of the organic unit to which
a member belongs when operation is seriously disturbed by the member's
absence.
The member concerned shall be liable for damage resulting from any
breach of these rules.
In that event and as a general rule, the administrator of the
site(s) concerned and/or the relevant hierarchical supervisor shall
inform the member concerned to explain the nature of the problem
detected or breach of the rules observed. In the event of further
incidents, the member concerned shall be informed in writing by one of
the persons mentioned above of the provisions of the present Rules
that have been breached.
In the event of repeated breaches following the measures set out
above, or at any time when circumstances so require due to the gravity
of the breach committed, the administrator of the site in question may
withdraw the right of access to the Testbed computing resources from
the member concerned.
In the event of a security incident, the rules of the site
concerned and the legislation of the State(s) concerned shall be
applied. The administrator of the site where the incident occurred
shall advise the partner concerned. All the NorduGrid project partners
shall work together to remedy the situation.