Default 'nothing allowed' state for ServiceComputePrivacy #90

Closed
kremalicious opened this issue Mar 22, 2021 · 4 comments

@kremalicious

At the moment, whenever a new compute data set is published, all published algorithms are allowed to run on it by default, which seems unintended. This is because in the background there are some unexpected interpretations of a non-existing or empty array value for publisherTrustedAlgorithms.

To make this more clear and explicit, we could have something like allowAllAlgorithms within ServiceComputePrivacy, set to false by default upon data set publish, as suggested in oceanprotocol/market#417 (comment)

@mihaisc

mihaisc commented Mar 22, 2021

As far as I know this was intended: empty publisherTrustedAlgorithms means all algorithms are allowed. But now that I think about it, this is conceptually wrong. Everything should not be allowed until the publisher expresses its wishes.

@alexcos20 alexcos20 transferred this issue from oceanprotocol/ocean.js Mar 22, 2021
@alexcos20
Member

alexcos20 commented Mar 22, 2021

ComputePrivacy is going to look like this:

```ts
export interface publisherTrustedAlgorithm {
  did: string
  filesChecksum: string
  containerSectionChecksum: string
}

export interface ServiceComputePrivacy {
  allowRawAlgorithm: boolean
  allowNetworkAccess: boolean
  allowAllPublishedAlgorithms: boolean
  publisherTrustedAlgorithms?: publisherTrustedAlgorithm[]
}
```

where:

  • allowRawAlgorithm: boolean - if you can start a compute job with a raw algorithm (drag&drop)
  • allowNetworkAccess: boolean - if algo pod has network access during compute (not implemented yet in C2D)
  • allowAllPublishedAlgorithms: boolean - if you can start a compute job with any published algorithm
  • publisherTrustedAlgorithms - specific list of algos approved by the publisher. If this list is empty -> there are no trusted algos by the publisher.

Having allowRawAlgorithm == false && allowAllPublishedAlgorithms == false -> only trusted algos can be started.
If publisherTrustedAlgorithms is also empty -> you cannot run any jobs on that dataset

Default values on publishing:

  • allowRawAlgorithm: false
  • allowNetworkAccess: false
  • allowAllPublishedAlgorithms: false
  • publisherTrustedAlgorithms : []
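
The default-deny rules from the comment above, written out as a check. This is an added example, not code from ocean.js or the provider; `PublishedAlgorithm`, `AlgorithmRequest`, `DEFAULT_PRIVACY`, `isAlgorithmAllowed` and the sample values are assumptions, as is matching a trusted entry on the DID plus both checksums.

```typescript
// Interface fields are copied from the comment above; every other name is hypothetical.
interface publisherTrustedAlgorithm {
  did: string
  filesChecksum: string
  containerSectionChecksum: string
}
interface ServiceComputePrivacy {
  allowRawAlgorithm: boolean
  allowNetworkAccess: boolean
  allowAllPublishedAlgorithms: boolean
  publisherTrustedAlgorithms?: publisherTrustedAlgorithm[]
}
// A raw algorithm carries no DID; a published one is identified like a trusted entry.
type PublishedAlgorithm = { kind: 'published' } & publisherTrustedAlgorithm
type AlgorithmRequest = { kind: 'raw' } | PublishedAlgorithm

// Defaults on publishing, as listed in the comment: nothing is allowed.
const DEFAULT_PRIVACY: ServiceComputePrivacy = {
  allowRawAlgorithm: false,
  allowNetworkAccess: false,
  allowAllPublishedAlgorithms: false,
  publisherTrustedAlgorithms: []
}

function isAlgorithmAllowed(
  privacy: Partial<ServiceComputePrivacy> | undefined,
  algo: AlgorithmRequest
): boolean {
  // A missing object or missing field falls back to deny, never to "allow all".
  const p = { ...DEFAULT_PRIVACY, ...(privacy ?? {}) }
  if (algo.kind === 'raw') return p.allowRawAlgorithm === true
  if (p.allowAllPublishedAlgorithms === true) return true
  // Assumption: an entry matches only when the DID and both checksums are equal,
  // so a changed file or container section no longer counts as trusted.
  const { did, filesChecksum, containerSectionChecksum } = algo
  return (p.publisherTrustedAlgorithms ?? []).some(
    (t) =>
      t.did === did &&
      t.filesChecksum === filesChecksum &&
      t.containerSectionChecksum === containerSectionChecksum
  )
}

// Constructed sample values, not real DIDs or checksums.
const SAMPLE_ALGO: PublishedAlgorithm = {
  kind: 'published',
  did: 'did:op:constructed-algo',
  filesChecksum: 'constructed-files-checksum',
  containerSectionChecksum: 'constructed-container-checksum'
}
```
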

@mihaisc

mihaisc commented Mar 22, 2021

> allowNetworkAccess: boolean - if algo pod has network access during compute (not implemented yet in C2D)

If the pod has no network access, how does it fetch the data?

@alexcos20
Member

Data is fetched by pod-configuration, before the algo pod is created.
Algos are using data from an already mounted volume, under /data.
