CESNET

Usage rules

Please get acquainted with the MPI-Kickstart usage rules before becoming a full member. You need to accept the rules before continuing.

Introduction

The goal of the MPI-Kickstart VO is to bring together users of MPI and providers of resources with MPI capabilities to improve the reliability and performance of MPI across the EGI.eu grid. Therefore users are allowed to use the VO's resources only in connection with the proclaimed goal.

Definitions

MPI-Kickstart

The computing service consisting of all the resources dedicated to MPI-Kickstart at the participating sites.

MPI-Kickstart Resources

The term "MPI-Kickstart Resources" shall generally be used to describe:

  • all the computers, workstations and servers that make up MPI-Kickstart;
  • the telecommunications networks connecting these computers;
  • the data storage systems connected to MPI-Kickstart;
  • all the other active components and networks connected to MPI-Kickstart;
  • all the support services, programme libraries, applications and other software, documents or services operating on or connected to the above-mentioned computers and networks.

MPI-Kickstart Site

A physical location or institute providing MPI-Kickstart Resources.

Certification Authority

A Certification Authority (CA) is a body responsible for establishing and, thereafter, guaranteeing a formal link between a person, application, or server and a public key (chain of 1024 bits or more). Its role is to verify the correctness of the information contained in the electronic identification certificate it issues. The setting-up of a Certification Authority entails the definition of a Certificate Policy (CP) and a Certification Practice Statement (CPS), and the establishment of a set of rules defining the criteria for the award of the Certificate, its detailed scope and any procedures relating thereto.

Certificate

The certificate is an electronic document, digitally signed by a Certification Authority, that asserts an association between an identifier and a particular public key. The Certification Authority asserts, to the level defined in its CP and CPS, that this identifier is associated with an identity (a person, application, or machine), by issuing a digitally signed certificate and by not including this certificate in the Certificate Revocation List published by the CA.

At the moment of issuing a certificate, the CA asserts to a level defined in its CP and CPS that

  • for a person, a defined relationship existed between the owner and the identifier or identifiers stated in the certificate,
  • for an application, a defined relationship existed between the signed object and the identifier(s) stated in the certificate,
  • for servers, a relationship existed between a known person responsible for this system and the identifier of the system as stated in the certificate.

The certificate is based on the standardised X.509 protocol (ITU-T X.509 international standard V3 - 1996) (RFC 2459).

User

A person with access to the MPI-Kickstart Resources.

MPI-Kickstart user account

An MPI-Kickstart user account gives access to the MPI-Kickstart Resources made available by the participating sites.

Access authorisations are strictly personal and may under no circumstances be transferred to a third party, not even temporarily. Authorisations may be withdrawn at any time and expire upon termination of the professional activity for which they were granted.

Virtual Organization

A Virtual Organization (VO) is a dynamic set of individuals and/or institutions that are defined according to a set of coordinated resource sharing rules. These sharing rules cover access to all types of resources including computers, software and data. Other VO(s) will be created and maintained as required by the project and/or by different user groups. Users may be members of one or more VO(s).

Procedure for obtaining an MPI-Kickstart user account

The procedure for obtaining an MPI-Kickstart user account comprises three steps:

1. obtaining a personal certificate from an approved Certification Authority
2. agreement to these usage rules, and
3. registration with the CE virtual organization (MPI-Kickstart)

Rules governing the use of MPI-Kickstart resources

Although MPI-Kickstart sites undertake to contribute to the maintenance and protection of their computing installations, they cannot provide a guarantee of the latter's smooth operation or the confidentiality of the information stored there. Consequently, the MPI-Kickstart sites accept no responsibility in the event of information loss or breach of confidentiality.

All the accounts are equipped with appropriate access protection, such as account codes or passwords, and with an individual certificate issued by the relevant Certification Authority.

All users are responsible for their use of the MPI-Kickstart resources and the network to which they have access. They also have responsibility, at their own level, for contributing to the general security of MPI-Kickstart.

Users shall:

1. use MPI-Kickstart Resources in the general spirit of the MPI-Kickstart VO's mission, which is to improve reliability and usability of MPI in the Grid; this includes running MPI testing jobs, and regular MPI jobs for functionality/stability/performance verification,
2. adhere to the security recommendations of the site to which they belong, the recommendations of the sites they access via MPI-Kickstart and those of MPI-Kickstart itself,
3. report to their local security officer any attempt to violate their user account or workstation and, generally, any anomaly that comes to their attention,
4. report immediately to the issuing Certification Authority any compromise of the private key of their certificates,
5. report any security faults which may have influence on the MPI-Kickstart infrastructure immediately to the local security officer,
6. not try to exploit any security faults in the MPI-Kickstart resources, or to use such faults to the detriment of other computer facilities,
7. select safe passwords as defined by the CA policy, endeavour to keep them and the private keys secret and under no circumstances communicate them to third parties,
8. use the MPI-Kickstart resources without intentionally causing damage to MPI-Kickstart, or disturbing its operation unless these activities are part of an authorized stress test of MPI-Kickstart; use of the MPI-Kickstart resources must be rational and relevant in order to prevent its saturation or misuse for personal ends,
9. use their user accounts for the sole purpose for which they were granted,
10. not use or attempt to use accounts other than their own or to disguise their real identity,
11. not try to gain unauthorised access to accounts, stored data or data transiting on the network, except under the provisions of the paragraph "Third-party access to user accounts", below,
12. not give or allow unauthorised users access to the MPI-Kickstart resources via resources at their disposal,
13. keep confidential all information obtained from access to the MPI-Kickstart resources that they may reasonably be expected to understand as confidential or sensitive in nature,
14. respect the property rights associated with the MPI-Kickstart resources, including the copyright on software and property rights relating to confidential data.

Users shall authorise the publication of their personal details in electronic directories and databases, insofar as necessary for or in connection with the operation of MPI-Kickstart. These details may be consulted by all the MPI-Kickstart sites. Users may need to be contacted by some MPI-Kickstart sites for additional information not covered by this agreement. Any such additional information will not be distributed further or published.

Users who have been attributed an account with privileged access in connection with their specific professional duties must advise their supervisor as soon as their duties no longer call for privileged access.

Third-party access to user accounts

Officers responsible for computer security at the MPI-Kickstart sites and the computer administrators have access to information stored in the MPI-Kickstart computing facilities.

Such access is subject to the following conditions:

1. The above-mentioned persons are only authorised to communicate information amongst themselves, except where expressly required for the execution of their duties with respect to MPI-Kickstart.
2. Access for such persons must always be in the exercise of their professional duties and shall be authorised, strictly on a need-to-know basis, for the following purposes only:

  • to solve problems affecting the MPI-Kickstart computing facilities, including optimisation of the latter or the installation of new facilities;
  • detection of computer security weaknesses or violations;
  • monitoring of the resources available;
  • to conduct an enquiry ordered by the computing security officer of an MPI-Kickstart site or the relevant hierarchical supervisor when a breach of the rules is suspected;
  • the re-attribution of access rights to accounts or the cancellation of accounts upon expiry of a user's contract with one of EGI's participating institutes, or when the user's activities are no longer compatible with the aims of the MPI-Kickstart infrastructure;
  • to re-establish the normal operation of the organic unit to which a user belongs when operation is seriously disturbed by the user's absence.

Responsibilities

The user concerned shall be liable for damage resulting from any breach of these rules.

In that event and as a general rule, the computing security officer(s) of the MPI-Kickstart site(s) concerned and/or the relevant hierarchical supervisor shall inform the user concerned and explain the nature of the problem detected or breach of the rules observed. In the event of further incidents, the user concerned shall be informed in writing by one of the persons mentioned above of the provisions of the present rules that have been breached.

The security officer of the site where the incident occurred shall advise the security officer(s) of any other site(s) concerned. All the security officers of the MPI-Kickstart sites shall work together to remedy the situation.

In the event of repeated breaches following the measures set out above, or at any time when circumstances so require due to the gravity of the breach committed, the security officer of the site in question may withdraw the right of access to the MPI-Kickstart computing resources managed by the security officer from the user concerned.

Concluding remarks

  • The MPI-Kickstart Usage Rules are under continual development and therefore they might not be complete yet, i.e. they are open for additions and amendments.
  • The currently valid version of the MPI-Kickstart usage rules will be available at the following URL: http://egee.cesnet.cz/cms/opencms/en/mpi/rules.html.