[gin-auth] GIN VO Usage Rules.
David Bannon
D.Bannon at vpac.org
Sun Aug 20 22:26:08 CDT 2006
Hmm, some pretty good points there Stephen.
Especially the one about forcing us to test our assumptions....
Editing a little for brevity, some things beyond question ....
On Thu, 2006-08-17 at 19:21 +0100, Stephen M Pickles wrote:
> Oscar, David, Dave, and friends,
>
> One good thing about GIN is that it tests our assumptions
> about what VOs and Grids actually are.
> Skip forward to ****, unless you want to read my views on this.
> * have significant funding, governance & policy of their own
Interesting question is "does their policy overide that of a facility
they may use". I suggest no, but it should add to that policy's
restrictions.
> * often have access rights to resources they do not control
> It seems to me that in practice there is usually a consumer-provider
> relationship between VOs and (production) Grids.
Yep, exactly.
> I don't believe it is useful to think of the Grid as being
> a member of all the VOs it supports.
Yep, exactly. Are very separate layers.
> I think it can occasionally be useful to think of a Grid as
> itself being a VO,
I think in these situations, while I agree with what you say, that the
model is not a good example of the issue. When a Grid is seen as a
consumer of services that it then supplies to end users its not really
acting as a grid in its own right. I'd see it quite easy to separate out
those functions so you original statement that a Grid is not a VO still
stands.
Generally, we see the situation here as being a case of "Here is the
APAC grid. Here are its rules. If your group is to become a VO and use
the APACGrid's capabilities, you must accept these rules. You can of
course add your rules on top, but only where they don't conflict with
the APACGrid rules."
Implicit in this approach is that, in a way, we charge the Project
Leader of the VO to ensure that the people he/she accepts into the VO
(using VOMRS) are aware of the rules and accept them. We have a step in
the VOMRS registration process where the new user is exposed to the
rules. But in the long run, its a Project Leader's responsibility .....
>
> I think that there is not a "GIN Grid", in the sense that there
> is, and can be, no overall management of the collective resources.
> However, there could in theory be a GIN view of the collective
> resources that a GIN user sees.
Yep
> I therefore think that it is possible to have an AUP for the GIN VO,
> and indeed that we need one.
In many ways, the "GIN VO" is not typical of what we need to deal with
long term. Its an artificial structure that assumes users will not make
large scale use of its associated resources, its there for testing,
research etc. Therefore its quite reasonable to apply a AUP that is not
what we would recommend for a more normal setup.
> I do not believe that it is possible for there to be an AUP for the
> GIN Grid, because there is (I argue) no such thing as a GIN Grid,
> and there is certainly no governance body that could agree one.
I agree here too. The idea of the GIN Grid having a formal AUP but no
formal resources is a bit silly.
> Hence I propose to have only a VO AUP for GIN.
> Such a thing will serve to remind GIN users of a few basics
> of social behaviour. It will not, cannot, and must not be
> construed to, give GIN members a license to ignore any
> specific terms and conditions of the underlying Grids.
> A GIN member that uses APAC is a user of APAC.
> A GIN member that uses NGS is a user of NGS.
> A GIN member that uses EGEE is a user of EGEE.
>
> Have I explained myself?
Indeed. I'd suggest that the VO AUP specifically state that there is an
impliciant inclusion of the AUP of the site or grid being used at the
time. Would have to be 'being used at the time' because if you tried to
#include<all_APUs> there would be unacceptable conflicts.
> We can always quibble about the actual wording later.
Yep, lets put some words together, keeping in mind that we are covering
only the things specific to Gin VO. Happy to help.
David
>
> Stephen
>
> > -----Original Message-----
> > From: owner-gin-auth at ggf.org [mailto:owner-gin-auth at ggf.org]
> > On Behalf Of Oscar Koeroo
> > Sent: 17 August 2006 08:31
> > To: Stephen.Pickles at manchester.ac.uk
> > Cc: D.Bannon at vpac.org; Kelsey, DP (David); gin-auth at ggf.org
> > Subject: Re: [gin-auth] GIN VO Usage Rules.
> >
> > Hi,
> >
> > Disclaimer: I don't know if I'll be expressing myself perfectly here,
> > Dave can correct me on this.
> >
> > Dave Kelsey's Grid AUP is intended to be used by everybody in the LCG
> > and OSG collaboration. Well, actually it started of being for LCG only
> > ofcourse. Over time on developing The AUP (capitalize 'The' intended)
> > for general use seemed to be not realistic. Meaning there is the
> > infrastructure with its rules and there are the users that are in a VO
> > using the infrastructure with the VO's view on the
> > infrastructure doing
> > the VO-work.
> >
> > With the seperation between the infastructure and the VO, the VO as
> > embodyment of a collaborative project can agree on the Grid rules. The
> > understanding of Sites is they too have a say in it and in such a way
> > that the infrastructure is ofcourse based on the indivual
> > usage rules of
> > sites.
> >
> > I believe it's both simpel and (very) complex. The related
> > parties User,
> > VO, Site, Infrastructure all wish to have a say in the story, but
> > realisticly that doesn't scale.
> >
> > I believe Dave's work is focussing in a AUP to be able to be accepted
> > for all Grid environments. Which ofcourse means that VO specific AUP
> > details need to be put in. If your in a HEP VO you'll not be generally
> > concerned about privacy of all your files. If your in a
> > Bio-medical VO,
> > that's a whole different ballgame with respect to the privacy
> > regulations around this planet.
> >
> > The GIN VO is something special that I have never came across
> > of before
> > it started. Although with Dave Snelling on a busdrive in
> > Greece sometime
> > ago I had a filosofical debate about 'what is a VO'. The GIN
> > VO doesn't
> > have a dedicated management, no centralize place or person that's
> > pointable as the { Boss | management | descision maker }. It seems (to
> > me) totally distrobuted in trying to reach its common goal to
> > interoperate beyond a VO's boundry.
> >
> > To the point:
> > I believe if we can agree on a common Grid AUP across the globe that
> > this would benifit us all. For the moment it would be nice enough if
> > each Grid environment would atleast setup one general purpose AUP.
> > Although I don't think it would differ that much from the DaveK's
> > results. Maybe each Grid can take a look at the evolutionary
> > path of the
> > Grid AUP with Dave. I believe it would benifit all parties.
> >
> > I would think an AUP for the GIN VO will basicly be a specialized
> > overlay AUP (I would call it a VO AUP) that generally states
> > what a user
> > can expect from the resources and vice-versa.
> >
> >
> >
> > Oscar
> >
> >
> >
> >
> > David Bannon wrote:
> >
> > >Stephen, as a discussion point, the APACGrid, representing
> > eight or nine
> > >partners and more sites has developed what we call an End User
> > >Agreement. It was developed buy combining all partner EUAs,
> > removing the
> > >obvious non grid material and "distilling" as much as
> > possible to reduce
> > >wordage.
> > >
> > >Please see
> > http://www.vpac.org/twiki/bin/view/APACgrid/EndUserAgreements
> > >
> > >Interestingly, a number of partners have indicated that they plan to
> > >rewrite their existing agreement and base it on this one !
> > >
> > >David
> > >
> > >
> > >On Wed, 2006-08-16 at 18:04 +0100, Stephen M Pickles wrote:
> > >
> > >
> > >>I hope some of you remember this thread. It's become
> > >>something of a loose end, and needs tying off.
> > >>
> > >>I think that the text provided by Dave Kelsey is a good
> > >>starting point, and I'm willing to draft an adaptation of
> > >>this for an AUP for the GIN VO.
> > >>
> > >>What I'm not sure about is whether there's any point
> > >>in trying to preserve EGEE's separation between a "Grid AUP"
> > >>and a "VO AUP". For example, I can't see that an existing
> > >>grid (like NGS) is likely to throw away its own AUP and adopt
> > >>a GIN AUP instead. I also think it awkward to have two AUPs
> > >>that reference each other.
> > >>
> > >>So, will not a single document (i.e. an AUP for the GIN VO)
> > >>do for GIN?
> > >>
> > >>I propose to:
> > >>
> > >>1) draft a single-document AUP for GIN, merging text from
> > >> Dave Kelsey's Grid AUP (more or less verbatim)
> > >> and VO AUP (adapted for GIN and its goals)
> > >>2) add some words that amount to a "when in Rome clause"
> > >> (to remind users that many of the grids involved in GIN
> > >> have their own AUPs, which should be respected)
> > >>3) add some words that amount to a reminder that a user's access
> > >> rights under the GIN VO are for testing, monitoring,
> > >> proof-of-concept, not large scale production work
> > >> (users planning large scale production work should
> > >> make independent applications to the grid(s) they
> > >> intend to use).
> > >>4) I think there's a problem with clause (1) of the
> > >> Grid AUP for people who are members of multiple VOs.
> > >> I'll try to fix that in the process.
> > >>
> > >>Any comments or objections?
> > >>
> > >>Stephen
> > >>
> > >>
> > >>
> > >>
> > >>
> > >>>-----Original Message-----
> > >>>From: owner-gin-auth at ggf.org [mailto:owner-gin-auth at ggf.org]
> > >>>On Behalf Of Kelsey, DP (David)
> > >>>Sent: 04 May 2006 20:12
> > >>>To: gin-auth at ggf.org
> > >>>Subject: RE: [gin-auth] GIN VO Usage Rules.
> > >>>
> > >>>Dear all,
> > >>>
> > >>>I have only just joined the gin-auth list. I have been
> > >>>meaning to do so
> > >>>for some time, but only got around to it when Oscar Koeroo
> > >>>told me about
> > >>>this recent thread on AUPs etc.
> > >>>
> > >>>I would like to tell you what we have been doing on this
> > >>>topic in EGEE,
> > >>>Open Science Grid and various other related EU Grid
> > projects, in the
> > >>>hope that it may be useful to GIN. If it does not work for
> > >>>GIN it would
> > >>>also be good to understand why, in case we can improve things.
> > >>>
> > >>>As Stephen Pickles already said, EGEE does have VO-specific
> > >>>AUP's and we
> > >>>do have a general Grid AUP which uses the term "Grid". But
> > different
> > >>>from what he said, we used this term deliberately not only to mean
> > >>>"EGEE" but also to mean any other Grid which decides to
> > adopt the same
> > >>>policy, for example Open Science Grid in the USA. The policy was
> > >>>developed jointly with them and actually built on early
> > work they had
> > >>>done to prepare a short, simple AUP. The aim was to
> > produce a simple
> > >>>common policy to promote interoperation.
> > >>>
> > >>>The background to this work was as follows:
> > >>>
> > >>>1. We needed to develop policies which would work for VO's using
> > >>>multiple Grids. Users needed to register just once with
> > their VO which
> > >>>would then grant them access to resources on multiple
> > Grids. We do NOT
> > >>>require the users to register with the sites or the Grid
> > >>>infrastructures.
> > >>>2. We very quickly came to the conclusion that there was
> > absolutely no
> > >>>way we could take the existing network and site AUPs and merge them
> > >>>altogether into one long document that would be a super-set of the
> > >>>others. With more than 200 sites in 40 countries this is a
> > >>>non starter.
> > >>>3. The legal experts we consulted seemed to agree that use
> > of the Grid
> > >>>(being after all just another internet application) was
> > >>>already covered
> > >>>by all of the network and site AUPs whether we mentioned them
> > >>>or not, so
> > >>>suggested we did not mention them explicitly.
> > >>>4. We wanted a policy which was deliberately as short as
> > possible to
> > >>>stand some chance of acceptance by other Grids and in the
> > >>>hope the users
> > >>>would read and understand.
> > >>>5. We concluded that it was best to have a general Grid AUP
> > >>>accepted by
> > >>>*ALL* Grid users during their registration with a VO and that any
> > >>>VO-specific details were best expressed in a VO AUP. Sites
> > could then
> > >>>decide whether or not to offer resources to a particular
> > VO based on
> > >>>their policy, safe in the knowledge that the user has
> > already accepted
> > >>>the general AUP.
> > >>>
> > >>>So... here is our "Grid AUP" (short enough to include verbatim)...
> > >>>
> > >>>------------------------------------------
> > >>>
> > >>>By registering with the Virtual Organization (the "VO") as
> > a GRID user
> > >>>you shall be deemed to accept these conditions of use:
> > >>>
> > >>>1. You shall only use the GRID to perform work, or
> > transmit or store
> > >>>data consistent with the stated goals and policies of the
> > VO of which
> > >>>you are a member and in compliance with these conditions of use.
> > >>>
> > >>>2. You shall not use the GRID for any unlawful purpose and
> > >>>not (attempt
> > >>>to) breach or circumvent any GRID administrative or
> > security controls.
> > >>>You shall respect copyright and confidentiality agreements
> > and protect
> > >>>your GRID credentials (e.g. private keys, passwords),
> > >>>sensitive data and
> > >>>files.
> > >>>
> > >>>3. You shall immediately report any known or suspected
> > security breach
> > >>>or misuse of the GRID or GRID credentials to the incident reporting
> > >>>locations specified by the VO and to the relevant
> > credential issuing
> > >>>authorities.
> > >>>
> > >>>4. Use of the GRID is at your own risk. There is no
> > guarantee that the
> > >>>GRID will be available at any time or that it will suit
> > any purpose.
> > >>>
> > >>>5. Logged information, including information provided by you for
> > >>>registration purposes, shall be used for administrative,
> > operational,
> > >>>accounting, monitoring and security purposes only. This
> > >>>information may
> > >>>be disclosed to other organizations anywhere in the world for these
> > >>>purposes. Although efforts are made to maintain confidentiality, no
> > >>>guarantees are given.
> > >>>
> > >>>6. The Resource Providers, the VOs and the GRID operators
> > are entitled
> > >>>to regulate and terminate access for administrative,
> > operational and
> > >>>security purposes and you shall immediately comply with their
> > >>>instructions.
> > >>>
> > >>>7. You are liable for the consequences of any violation by
> > >>>you of these
> > >>>conditions of use.
> > >>>
> > >>>------------------------------------------------------------
> > >>>
> > >>>And here is an example VO AUP ... again rather short as you can
> > >>>see.......
> > >>>At the very least it needs to define the goals of the VO
> > such that the
> > >>>individual users are constrained by point 1 of the general
> > AUP to only
> > >>>perform work consistent with these goals.
> > >>>
> > >>>------------------------------------------------------------
> > >>>
> > >>>This Acceptable Use Policy applies to all members of the
> > >>>Geant4 Virtual
> > >>>Organization, hereafter referred to as the VO, with reference
> > >>>to use of
> > >>>the LCG/EGEE Grid infrastructure, hereafter referred to as
> > >>>the Grid. The
> > >>>Geant4-Spokesman, <name-removed> (CERN), owns and gives
> > authority to
> > >>>this policy. The goal of the VO is to validate the software
> > >>>they provide
> > >>>to their users (HEP experiments such as ATLAS, CMS, LHCb, Babar,
> > >>>Astrophysics applications, biomedical communities, etc)
> > twice per year
> > >>>within the Grid environment. This procedure should cover a
> > >>>wide range of
> > >>>parameters and physical models which are high CPU demanding.
> > >>>At the same
> > >>>time they are planning to use regularly the LCG/EGEE
> > resources to make
> > >>>analysis and studies of their toolkit. Members and
> > Managers of the VO
> > >>>agree to be bound by the Grid Acceptable Use Policy, VO
> > >>>Security Policy
> > >>>and other relevant Grid Policies, and to use the Grid only in the
> > >>>furtherance of the stated of the VO.
> > >>>
> > >>>------------------------------------------------------------
> > >>>
> > >>>I hope you might find this useful.
> > >>>
> > >>>Regards
> > >>>Dave Kelsey
> > >>>
> > >>>
> > >>>------------------------------------------------
> > >>>Dr David Kelsey
> > >>>Particle Physics Department
> > >>>Rutherford Appleton Laboratory
> > >>>Chilton, DIDCOT, OX11 0QX, UK
> > >>>
> > >>>e-mail: D.P.Kelsey at rl.ac.uk
> > >>>Tel: [+44](0)1235 445746 (direct)
> > >>>Fax: [+44](0)1235 446733
> > >>>------------------------------------------------
> > >>>
> > >>>
> > >>>
> > >>>
> > >>>
> > >>>
> >
> >
> >
>
More information about the gin-auth
mailing list