NorduGrid Acceptable Use Contract

Adopted from the European DataGrid Usage Guidelines

1. Introduction

The NorduGrid Testbed is an international project with the aim to set up and test the Grid infrastructure for distributed computing and data handling in Nordic countries, relying on existing high-performance networks, commodity computing resources and available middleware.

The purpose of this document is to lay down the rules governing the use of these resources, in conjunction with the rules of each site concerned. These rules can be modified as the NorduGrid project evolves, in conjunction with the rules of the Testbed sites. The rules of each partner and each site remain applicable, as does the legislation of each state concerned. The various sites of the various partners shall collaborate to solve security incidents. The Testbed resources may only be used for professional purposes.

This document applies to all members of the NorduGrid Testbed. In the event of a security incident, the rules of the site concerned and the legislation of the State(s) concerned shall be applied.

2. Definitions

Testbed
All the resources dedicated to the development of the NorduGrid project at the participating sites.
Testbed Resources
The term "Testbed resources" shall generally be used to describe:
  • all the computers, workstations and servers that make up the Testbed;
  • the telecommunications networks connecting these computers;
  • the data storage systems connected to the Testbed;
  • all the other active components and networks connected to the Testbed;
  • all the support services, programme libraries, applications and other software, documents or services operating on or connected to the above-mentioned computers and networks.
Certification authority
A Certification Authority (CA) is a body responsible for establishing and, thereafter, guaranteeing a formal link between a person, application, or server and a public key (chain of 1024 bits or more). Its role is to verify the correctness of the information contained in the electronic identification certificate it issues, as well as to guarantee the validity of this document. The setting-up of a Certification Authority entails the definition of a Certification Policy (CP) and a Certification Practice Statement (CPS), a collection of rules indicating to what the certificate is applicable, by whom, and what are the conditions of the CA's implementation from the legal, administrative and technical viewpoints. The NorduGrid CA is established at the NBI, Copenhagen, Denmark, and acts as the official CA for the Nordic countries: Denmark, Finland, Norway and Sweden.
Certificate
The certificate is an electronic document, digitally signed by the Certification Authority, that asserts an association between an identifier and a particular public key. The Certification Authority asserts, to the level defined in its CP and CPS, that this identifier is associated with an identity (a person, application, or site), by issuing a digitally signed certificate and by not including this certificate in the Certificate Revocation List published by the CA.
At the moment of issuing a certificate, the CA asserts to a level defined in its CP and CPS that
  • for a person, a defined relationship existed between the owner and the identifier or identifiers stated in the certificate,
  • for an application, a defined relationship existed between the signed object and the identifier(s) stated in the certificate,
  • for servers, a relationship existed between a known person responsible for this system and the identifier of the system as stated in the certificate.
The certificate is based on the standardised protocol X509 (ITU-T X 509 international standard V3 - 1996) (RFC2459).
User
A person with access to the NorduGrid Testbed resources.
Virtual Organization
Virtual Organisation (VO) is the user and service management system, consisting of the user and service database and a corresponding set of tools.
NorduGrid membership
A NorduGrid membership gives access to the Testbed resources made available by the participating sites.
Access authorisations are strictly personal and may under no circumstances be transferred to a third party, even temporarily. Authorisations may be withdrawn with due cause at any time and expire upon termination, even temporary, of the professional activity for which they were granted.

3. Procedure of becoming a NorduGrid member

An applicant should be a resident in one of the abovementioned Nordic countries. The procedure of becoming a NorduGrid member comprises the following steps:
  1. obtaining a personal certificate from the NorduGrid Certification Authority
  2. agreement to these usage guidelines, and
  3. registration with the NorduGrid virtual organization by contacting a corresponding NorduGrid site manager
If an applicant is not affiliated with any of the NorduGrid partner sites, he/she should contact the NorduGrid coordinator.

4. Organisation of security on the Testbed

Implementation of the NorduGrid security procedures and response to security incidents is the responsibility of each NorduGrid site manager.

5. Rules governing the use of Testbed resources

Although the Testbed's constituent sites undertake to contribute to the maintenance and protection of their computing installations, they cannot provide a guarantee of the latter's smooth operation or the confidentiality of the information stored there. Consequently, the Testbed's constituent sites accept no responsibility in the event of information loss or breach of confidentiality.

All the memberships are equipped with appropriate access protection, such as passwords, and with an individual certificate issued by the NorduGrid Certification Authority.

All members are responsible for their use of the Grid resources and the network to which they have access. They also have responsibility, at their own level, for contributing to the general security of the Grid.

Members shall:

  1. adhere to the security recommendations of the site to which they belong, the recommendations of the sites they access via the Testbed and those of the Testbed itself,
  2. report to their local security officer any attempt to violate their user account or workstation and, generally, any anomaly that comes to their attention,
  3. report immediately to the issuing Certification Authority any compromise of the private key of their certificates,
  4. report any security faults immediately to the local security officer,
  5. not try to exploit any security faults in the Testbed resources, or to use such faults to the detriment of other computer facilities,
  6. select safe passwords, endeavour to keep them secret and under no circumstances communicate them to third parties,
  7. use the Testbed resources without intentionally causing damage to the Testbed, or disturbing its operation unless these activities are part of an authorized stress test of the Testbed; use of the Testbed resources must be rational and relevant in order to prevent its saturation or misuse for personal ends,
  8. use their membership for the sole purpose for which it was granted,
  9. not use or attempt to use accounts/memberships other than their own or to disguise their real identity,
  10. not try to gain unauthorised access to accounts, stored data or data transiting on the network, except under the provisions of the paragraph "Third-party access to user accounts", below,
  11. not give or allow unauthorised users access to the Testbed resources via resources at their disposal,
  12. keep confidential all information obtained from access to the Testbed resources that they may reasonably be expected to understand is confidential or sensitive in nature,
  13. respect the property rights associated with the Testbed resources, including the copyright on software and property rights relating to confidential data.

Members shall authorise the publication of their personal details in electronic directories and databases, as long as these are necessary for obtaining access to the Testbed. These details may be consulted by all the Testbed sites.

Members who have been attributed an account with privileged access in connection with their specific professional duties must advise their corresponding NorduGrid site manager as soon as their duties no longer call for privileged access.

6. Third-party access to user accounts

The computer administrators and all expressly authorised persons have access to the information stored in the Testbed computing facilities. Such access is subject to the following conditions:

  1. the above-mentioned persons are only authorised to communicate information amongst themselves, except where expressly required for the execution of their duties with respect to the Testbed.
  2. Access for such persons must always be in the exercise of their professional duties, and shall only be authorised, with the member's consent, for the following purposes:
    1. to solve problems affecting the Testbed computing facilities, including optimisation of the latter or the installation of new facilities;
    2. detection of computer security weaknesses or violations;
    3. monitoring of the resources available;
    4. to conduct an enquiry ordered by the computing security officer of a Testbed site or the relevant hierarchical supervisor when a breach of the rules is suspected;
    5. the re-attribution of access rights to accounts or the cancellation of membership upon expiry of a member's contract with one of the NorduGrid project partners, or when the member's activities are no longer compatible with the aims of the project.
    6. to re-establish the normal operation of the organic unit to which a member belongs when operation is seriously disturbed by the member's absence.

7. Responsibilities

The member concerned shall be liable for damage resulting from any breach of these rules.

In that event and as a general rule, the administrator of the site(s) concerned and/or the relevant hierarchical supervisor shall inform the member concerned to explain the nature of the problem detected or breach of the rules observed. In the event of further incidents, the member concerned shall be informed in writing by one of the persons mentioned above of the provisions of the present Rules that have been breached.

In the event of repeated breaches following the measures set out above, or at any time when circumstances so require due to the gravity of the breach committed, the administrator of the site in question may withdraw the right of access to the Testbed computing resources from the member concerned.

In the event of a security incident, the rules of the site concerned and the legislation of the State(s) concerned shall be applied. The administrator of the site where the incident occurred shall advise the partner concerned. All the NorduGrid project partners shall work together to remedy the situation.