Ticket #854 (closed issue: fixed)

Opened 12 years ago

Last modified 12 years ago

[S] Logging is basic

Reported by: selatham
Owned by: pjkersha
Priority: required
Milestone: Reporting
Component: security
Version:
Keywords: logging
Cc: pmiller

Description (last modified by selatham)

Basic logging is done, but there's no set way of accessing the logs. Also note HTTPS required. Python WSGI logging module of use here? Maybe get done as part of OMII work.

Change History

comment:1 Changed 12 years ago by selatham

  • Component changed from T01_Discovery to T12_Security
  • Description modified

comment:2 Changed 12 years ago by pmiller

  • Cc pmiller added

PML requirements for logging

We would like NDG to extend usage of our existing EO data, but to ensure the future funding of our NEODAAS service we need output measures, i.e. annual data usage statistics. It would be nice if we can break these down by role, user institution, etc. At least initially this is more important to us than security, so we could start with catchall roles with broad access permissions and then monitor usage.

So for this we need very simple but complete logging of data access: date+time, user id, role used, data granule id. We need to be able to access these logs on demand (via web access?) or on request. Old logs must be preserved and dated, not reset whenever a program is restarted. I understand that some of this functionality may be provided in the Pylon logging module.

comment:3 Changed 12 years ago by selatham

  • Priority changed from desirable to required

Can we do this as part of OMII? Is it part of NERC Portals? Or is it necessary by end-of-Dec?

comment:4 Changed 12 years ago by pjkersha

  • Status changed from new to assigned

I did some work recently to complete logging for security services. There's extensive info reported back by the Session Manager (session management and user authentication), Attribute Authority (allocation of Attribute Certificates) and Gatekeeper (access request status). E.g. from the current glue log for discovery:

INFO:ows_server.models.ndgSecurity:Gatekeeper: access granted for user "/CN=lawrence/CN=proxy/O=NDG/OU=BADC" to "<Element {http://ndg.nerc.ac.uk/csml}dgSecurityCondition at -49816054>" with attribute certificate:
... <<<content of attribute certificate>>> ...

From Peter's list:

  • date+time: it should be possible to add this with a config param to the Paster log
  • user id: done
  • role used: I can easily add this in
  • data granule id: I don't know how to get this and will ask Bryan

comment:5 Changed 12 years ago by pjkersha

data granule ID now included. Sample log message:

Gatekeeper: access granted for user "/CN=lawrence/CN=proxy/O=NDG/OU=BADC" to "badc.nerc.ac.uk__NDG-A0__OAJkJNQV" secured with role "coapec" using attribute certificate:

<?xml version="1.0" encoding="utf-8"?>
<attributeCertificate...

See http://proj.badc.rl.ac.uk/ndg/changeset/3018

comment:6 Changed 12 years ago by pjkersha

  • Status changed from assigned to closed
  • Resolution set to fixed

comment:7 Changed 12 years ago by pmiller

That's great Phil, just what me and Helen are looking for. I assume it will include the date and time in the log when running for real?
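
An added example, not part of the ticket or the NDG code base: one way to meet the requirements discussed above (timestamped entries, logs that survive restarts and are kept in dated files, and usage statistics by role) using Python's standard logging module. The logger name, the timestamp prefix and the sample timestamps are assumptions; the message shape is the one quoted in comment:5.

```python
import logging
import logging.handlers
import re
from collections import Counter

# Assumed layout: "<date time>,<ms> <LEVEL> <logger>: <message>"
AUDIT_FORMAT = "%(asctime)s %(levelname)s %(name)s: %(message)s"

# Message shape taken from the sample in comment:5; the timestamp prefix is
# what AUDIT_FORMAT produces with logging's default date format.
GRANT_RE = re.compile(
    r'^(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} \w+ [\w.]+: '
    r'Gatekeeper: access granted for user "(?P<user>[^"]+)" '
    r'to "(?P<granule>[^"]+)" secured with role "(?P<role>[^"]+)"')


def make_audit_logger(path, name="audit.gatekeeper"):
    """Timestamped logger that appends across restarts and keeps old files."""
    # Rolls over at midnight to a date-suffixed file; backupCount=0 means
    # rotated files are never deleted.
    handler = logging.handlers.TimedRotatingFileHandler(
        path, when="midnight", backupCount=0, encoding="utf-8")
    handler.setFormatter(logging.Formatter(AUDIT_FORMAT))
    logger = logging.getLogger(name)  # hypothetical logger name
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    logger.propagate = False
    return logger


def parse_grant(line):
    """Return date+time, user id, granule id and role, or None."""
    m = GRANT_RE.match(line)
    return m.groupdict() if m else None


def usage_by_role(lines):
    """Count granted accesses per (year, role); other lines are skipped,
    including the attribute certificate XML that follows each message."""
    counts = Counter()
    for rec in filter(None, map(parse_grant, lines)):
        counts[(rec["when"][:4], rec["role"])] += 1
    return counts


# Constructed sample lines (timestamp invented; other values from the ticket).
SAMPLE = [
    '2000-01-01 00:00:00,000 INFO ows_server.models.ndgSecurity: Gatekeeper: '
    'access granted for user "/CN=lawrence/CN=proxy/O=NDG/OU=BADC" to '
    '"badc.nerc.ac.uk__NDG-A0__OAJkJNQV" secured with role "coapec" '
    'using attribute certificate:',
    '<?xml version="1.0" encoding="utf-8"?>',
]
```

Because the user id is written inside double quotes, a value containing a quote or newline would break parsing; escape or reject such characters before logging if the identifier is not already validated.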
