Friday, 11 June 2010

Licensed to grid

Software licensing: where legalese and technical gobbledygook meet.

When you hit the 'I agree' button - after carefully reading the license terms, naturally - you are promising the software vendor that you will look after their little bundle of binary and not let it fall into the wrong hands.

It is not always easy to identify whose hands are the wrong ones. Licenses can cover individuals or research groups, users of a particular host or whole institutions and, sometimes, national and international collaborations. They do not usually cover whole grids.

So in addition to the technical issues, you need to keep licensing in mind if you make a resource available to people outside your research group or institution. This posting will describe some of the techniques developed by the NGS partners to cope with the complicated business of licensing on a grid.

Starting with the simplest problem: free software is comparatively painless as long as 'free' means open-source licensed. Examples of this kind of package from the list of applications available on the NGS partner sites include GROMACS and AUTODOCK 4.

Commercial software will typically enforce license rules using something like Flexera Software's FlexNet Publisher - what many system administrators still refer to as FlexLM. FlexNet is frequently used to provide floating licenses: where a license service can be configured to hand out licenses from a pool.

And sitting awkwardly in the middle are those applications that use what could be called honesty box licensing. There are no technical barriers preventing the code from running, but users must agree to license terms before they are allowed to run it.

Honesty box licensing covers packages such as Amber, Castep, DL_POLY, GAMESS (US) and PC-GAMESS/Firefly. Academics can typically obtain the rights to use these packages for a comparatively small fee - or even for nothing - as long as they are used for academic research. Licensing is seen as a means of tracking users or protecting intellectual property rather than as a way of making money.

NGS partner sites have ways of providing access both to FlexNet licensed software and to software that relies on the honesty box approach.

Where FlexNet is used, sites have installed the software but do not provide a valid local license.

These packages are aimed at users with access to floating licenses and their own FlexLM license servers. The users need to arrange their local firewalls so this license server is accessible from the NGS partner site. FlexNet generally allows the location of the license to be specified via an environment variable such as LM_LICENSE_FILE.

NOTE: If you are thinking of using this approach, you need to confirm that the legal bits of the license allow it.

Honesty box licenses are usually managed by restricting access to the software to a particular group of users. Only accounts belonging to users who are known to have signed the license are added to the group.

This is where The Grid adds an extra layer of complexity. Many sites automatically allocate an account only the first time that a user's certificate is seen. You cannot be in the group if you do not have an account.

Hopefully, any nastiness is hidden from the license holder. If you are a license holder, simply contact the helpdesk on after your first use of a resource and ask to be granted access to the application.

Whoever answers the request will need to confirm that you are a legitimate license holder. This will usually be nothing more than a short email exchange but can be more drawn out for more commercially sensitive packages.

Neither the NGS staff nor the user wants to go through this process more than once, so we need to record who the known licensees are.

As we are virtually organised, we add the licensees to a special virtual organisation and assign them to groups representing particular applications. Site admins can download the group membership from the VO and use this to control local group membership.

Sites can update the groups by whatever mechanism best fits their systems. At Leeds, we use a locally written tool called x509runsetgid.

X509runsetgid is available from the NGS area at NeSCForge and uses the Unix set-group-id or setgid mechanism. The tool will launch a program as if owned by a particular group only if the user presents a certificate that is recognised as part of that group. The list of users is usually downloaded from the VO.

The set-group-id approach is not without problems. The major one is that proxy certificates typically last 12 hours, so if the queues are long and the job takes a while to start running, the proxy is no longer valid by the time it is checked.
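The sketch below is an added example, not code from x509runsetgid or any NGS tool. It shows how a site could turn a downloaded VO group list into changes to a local Unix group, including licensees who have no account yet, and how a launch-time check fails once a 12-hour proxy has expired in the queue. The grid-mapfile style mapping, the certificate DNs, the account names and the function names are all constructed for illustration.

```python
"""Added sketch: sync a licence group from VO membership and gate a launch on it."""
import shlex
from datetime import datetime, timedelta, timezone

# Constructed sample data; the DNs, account names and group are hypothetical.
GRID_MAPFILE = '''
"/C=UK/O=eScience/OU=Leeds/CN=alice example" ngs0001
"/C=UK/O=eScience/OU=Manchester/CN=bob example" ngs0002
'''
VO_GROUP_DNS = {  # licensees of one application, as downloaded from the VO
    "/C=UK/O=eScience/OU=Leeds/CN=alice example",
    "/C=UK/O=eScience/OU=Oxford/CN=carol example",  # licensed, never seen locally
}
LOCAL_GROUP = {"ngs0002"}  # current members of the local Unix group

def parse_gridmap(text):
    """Return {certificate DN: local account} from grid-mapfile style lines."""
    mapping = {}
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if len(parts) == 2:
            mapping[parts[0]] = parts[1]
    return mapping

def plan_sync(vo_dns, gridmap, local_members):
    """Work out which accounts to add to or remove from the local group."""
    wanted = {gridmap[dn] for dn in vo_dns if dn in gridmap}
    pending = sorted(dn for dn in vo_dns if dn not in gridmap)  # no account yet
    return sorted(wanted - local_members), sorted(local_members - wanted), pending

def may_launch(dn, proxy_not_after, vo_dns, now):
    """Launch-time gate: the DN must be a licensee and the proxy still valid."""
    if dn not in vo_dns:
        return False, "not a known licensee"
    if now >= proxy_not_after:
        return False, "proxy expired before the check"
    return True, "ok"

if __name__ == "__main__":
    add, remove, pending = plan_sync(VO_GROUP_DNS, parse_gridmap(GRID_MAPFILE), LOCAL_GROUP)
    print("add:", add, "remove:", remove, "awaiting first use:", pending)
    submitted = datetime(2010, 6, 11, 9, 0, tzinfo=timezone.utc)
    expiry = submitted + timedelta(hours=12)  # typical proxy lifetime
    alice = "/C=UK/O=eScience/OU=Leeds/CN=alice example"
    print(may_launch(alice, expiry, VO_GROUP_DNS, submitted + timedelta(hours=2)))
    print(may_launch(alice, expiry, VO_GROUP_DNS, submitted + timedelta(hours=14)))
```

The sync step removes accounts that are no longer in the VO group as well as adding new ones, so access ends when a licensee is dropped from the VO.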

We are improving the way we support the VO as part of the NGS's Research and Development work.

The VO has been maintained manually: a rather slow and painstaking business.

Over the last few weeks, the database developers at Manchester have added tagging to the NGS User Accounts Service. A tag is simply a label that can be associated with a group of users, a virtual organisation and a role or group within that virtual organisation.

Development work is underway to automatically update the membership of selected virtual organisations, including from the information in the tags.

We will, of course, be making as much of the software as we can available.... under an open-source license.
