Bugzilla – Bug 5714
GRAM Auditing: additional data in audit records
Last modified: 2012-09-12 09:59:50
For the OSG Accounting system Gratia, there is one additional data item
that is needed in the GRAM audit record that allows for the complete
identification of the individual using a grid resource.
The log currently captures this data related to the identity of the user:
- subject_name (DN of the User)
- username (local UNIX id)
In addition, the Gratia accounting system also needs to identify the VO,
VO groups and Role a grid user is accessing the resources as. While this
information is not available on a standard grid proxy, it is available on VOMS
generated proxies as extended attributes in the form of an FQAN (Fully
Qualified Attribute Name).
We had some preliminary discussions many months back regarding this.
Since we use a callout (PRIMA) to handle the authorization request, this
(for both ws and pre-ws) handles the reading of the extended attributes in
the proxy, if available. At that time, we were asking for the capability to
pass that data (FQAN) back, in addition to the username, so that it could be
available in the GRAM audit. We would like to pursue this approach further.
Alternatively, can GRAM read the proxy certificate for the extended attributes
and make that data available in the audit record? From my perspective, which
may be somewhat slanted, it is the DN/FQAN that fully identifies the grid
We've migrated our issue tracking software to jira.globus.org. Any new issues
should be added here:
As this issue hasn't been commented on in several years, we're closing it. If
you feel it is still relevant, please add it to jira.