Bug 5714 - GRAM Auditing: additional data in audit records
: GRAM Auditing: additional data in audit records
Status: RESOLVED WONTFIX
: GRAM
general
: 4.0.5
: Open Science Grid (OSG) Linux
: P2 major
: 4.0.7
Assigned To:
:
:
:
:
  Show dependency treegraph
 
Reported: 2007-12-10 13:48 by
Modified: 2012-09-12 09:59 (History)


Attachments


Note

You need to log in before you can comment on or make changes to this bug.


Description From 2007-12-10 13:48:57
For the OSG Accounting system Gratia, there is one additional data item
that is needed in the GRAM audit record that allows for the complete
identification of the individual using a grid resource.

The log currently captures this data related to the identity of the user:
 - subject_name (DN of the User)
 - username (local UNIX id)

In addition, the Gratia accounting system also needs to identify the VO,
VO groups and Role a grid user is accessing the resources as.  While this
information is not available on a standard grid proxy, it is available on VOMS
generated proxies as extended attributes in the form of an FQAN (Fully
Qualified Attribute Name).  

We had some preliminary discussions many months back regarding this.
Since we use a callout (PRIMA) to handle the authorization request, this
callout
(for both ws and pre-ws) handles the reading of the extended attributes in 
the proxy, if available.  At that time, we were asking for the capability to 
pass that data (FQAN) back, in addition to the username, so that it could be
available in the GRAM audit.  We would like to pursue this approach further.

Alternatively, can GRAM read the proxy certificate for the extended attributes
and make that data available in the audit record.  From my perspective, which
may be somewhat slanted, it is the DN/FQAN that fully identifies the grid
user.

John Weigand
------- Comment #1 From 2012-09-12 09:59:50 -------
We've migrated our issue tracking software to jira.globus.org. Any new issues
should be added here:

http://jira.globus.org/secure/VersionBoard.jspa?selectedProjectId=10363

As this issue hasn't been commented on in several years, we're closing it. If
you feel it is still relevant, please add it to jira.