Ticket #854 (closed issue: fixed)
[S] Logging is basic
Reported by: | selatham | Owned by: | pjkersha |
---|---|---|---|
Priority: | required | Milestone: | Reporting |
Component: | security | Version: | |
Keywords: | logging | Cc: | pmiller |
Description (last modified by selatham)
Basic logging is done, but there's no set way of accessing the logs. Also note HTTPS required. Python WSGI logging module of use here? Maybe get done as part of OMII work.
Change History
comment:1 Changed 14 years ago by selatham
- Component changed from T01_Discovery to T12_Security
- Description modified
comment:2 Changed 14 years ago by pmiller
- Cc pmiller added
PML requirements for logging
We would like NDG to extend usage of our existing EO data, but to ensure the future funding of our NEODAAS service we need output measures, i.e. annual data usage statistics. It would be nice if we can break these down by role, user institution, etc. At least initially this is more important to us than security, so we could start with catchall roles with broad access permissions and then monitor usage.
So for this we need very simple but complete logging of data access: date+time, user id, role used, data granule id. We need to be able to access these logs on demand (via web access?) or on request. Old logs must be preserved and dated, not reset whenever a program is restarted. I understand that some of this functionality may be provided in the Pylon logging module.
comment:3 Changed 13 years ago by selatham
- Priority changed from desirable to required
Can we do this as part of OMII? Is it part of NERC Portals? Or is it necessary by end-of-Dec?
comment:4 Changed 13 years ago by pjkersha
- Status changed from new to assigned
I did some work recently to complete logging for security services. There's extensive info reported back by the Session Manager (session management and user authentication), Attribute Authority (allocation of Attribute Certificates) and Gatekeeper (access requests status). e.g. From the current glue log for discovery:
INFO:ows_server.models.ndgSecurity:Gatekeeper: access granted for user "/CN=lawrence/CN=proxy/O=NDG/OU=BADC" to "<Element {http://ndg.nerc.ac.uk/csml}dgSecurityCondition at -49816054>" with attribute certificate: ... <<<content of attribute certificate>>> ...
From Peter's list:
- date+time: it should be possible to add this with a config param to the Paster log
- user id: done
- role used: I can easily add this in
- data granule id: I don't know how to get this and will ask Bryan
comment:5 Changed 13 years ago by pjkersha
Data granule ID now included. Sample log message:
Gatekeeper: access granted for user "/CN=lawrence/CN=proxy/O=NDG/OU=BADC" to "badc.nerc.ac.uk__NDG-A0__OAJkJNQV" secured with role "coapec" using attribute certificate: <?xml version="1.0" encoding="utf-8"?> <attributeCertificate...
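The requirement in comment:2 (date+time, user id, role used, data granule id, in dated logs that are not reset on restart) combined with the message format in comment:5, as an added example that is not part of the ticket or the NDG code base. The function names, the timestamp prefix format and the sample lines are assumptions made for illustration.

```python
import logging
import re
from collections import Counter
from logging.handlers import TimedRotatingFileHandler

# Matches the Gatekeeper message format shown in comment:5.
GRANTED = re.compile(
    r'Gatekeeper: access granted for user "(?P<user>[^"]+)" '
    r'to "(?P<granule>[^"]+)" secured with role "(?P<role>[^"]+)"'
)
# Assumed line prefix produced by the formatter below: "YYYY-MM-DD HH:MM:SS".
STAMP = re.compile(r'^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})')


def audit_handler(path):
    """Hypothetical handler: appends across restarts, rolls to a dated file daily."""
    # backupCount=0 means rotated files are never deleted; delay=True opens on first write.
    handler = TimedRotatingFileHandler(path, when="midnight", backupCount=0, delay=True)
    handler.setFormatter(logging.Formatter(
        "%(asctime)s %(levelname)s:%(name)s:%(message)s", "%Y-%m-%d %H:%M:%S"))
    return handler


def parse_access(line):
    """Return date, time, user, granule and role for a grant line, else None."""
    stamp, grant = STAMP.match(line), GRANTED.search(line)
    if not (stamp and grant):
        return None
    return {**stamp.groupdict(), **grant.groupdict()}


def usage_by_role(lines):
    """Count granted accesses per role, skipping lines that are not grants."""
    records = filter(None, map(parse_access, lines))
    return Counter(record["role"] for record in records)


# Constructed sample lines: timestamps and the second message are invented;
# the first message text follows the sample in comment:5.
SAMPLE = [
    '2007-11-05 10:15:02 INFO:ows_server.models.ndgSecurity:Gatekeeper: access granted '
    'for user "/CN=lawrence/CN=proxy/O=NDG/OU=BADC" to "badc.nerc.ac.uk__NDG-A0__OAJkJNQV" '
    'secured with role "coapec" using attribute certificate: <?xml version="1.0"?>',
    '2007-11-05 10:15:09 INFO:ows_server.models.ndgSecurity:Session Manager: user connected',
]
```

The parser reads only the four fields requested for usage statistics and ignores the attribute certificate text that follows the role.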