Table of Contents
![[Important]](/docbook-images/important.gif) | Important |
|---|---|
This feature is only available beginning with version 4.0.5 of the Globus Toolkit. |
Pre-WS GRAM includes mechanisms to provide access to audit and accounting information associated with jobs that Pre-WS GRAM submits to a local resource manager (LRM) such as PBS, LSF, or Condor.
![[Note]](/docbook-images/note.gif) | Note |
|---|---|
Remember, GRAM is not a local resource manager but rather a protocol engine for communicating with a range of different local resource managers using a standard message format. |
In some scenarios, it is desirable to get general information about the usage of the underlying LRM, such as:
What kinds of jobs were submitted via GRAM?
How long did the processing of a job take?
How many jobs were submitted by user X?
The following three use cases give a better overview of the meaning and purpose of auditing and accounting:
Group Access. A grid resource provider allows a remote service (e.g., a gateway or portal) to submit jobs on behalf of multiple users. The grid resource provider only obtains information about the identity of the remote submitting service and thus does not know the identity of the users for which the grid jobs are submitted. This group access is allowed under the condition that the remote service stores audit information so that, if and when needed, the grid resource provider can request and obtain information to track a specific job back to an individual user.
Query Job Accounting. A client that submits a job needs to be able to obtain, after the job has completed, information about the resources consumed by that job. In portal and gateway environments where many users submit many jobs against a single allocation, this per-job accounting information is needed soon after the job completes so that client-side accounting can be updated. Accounting information is sensitive and thus should only be released to authorized parties.
Auditing. In a distributed multi-site environment, it can be necessary to investigate various forms of suspected intrusion and abuse. In such cases, we may need to access an audit trail of the actions performed by a service. When accessing this audit trail, it will frequently be important to be able to relate specific actions to the user.
The audit record of a job is stored at the end of the processing cycle of a job - either when it is completely processed or failed.
While audit and accounting records may be generated and stored by different entities in different contexts, we make the following assumptions in this chapter:
| Audit Records | Accounting Records | |
|---|---|---|
| Generated by: | GRAM service | LRM to which the GRAM service submits jobs |
| Stored in: | Database, indexed by GJID | LRM, indexed by JID |
| Data that is stored: | See list below. | May include all information about the duration and resource-usage of a job |
The audit record of each job contains the following data:
job_grid_id: String representation of the resource EPR
local_job_id: Job/process id generated by the scheduler
subject_name: Distinguished name (DN) of the user
username: Local username
idempotence_id: Job id generated on the client-side
creation_time: Date when the job resource is created
queued_time: Date when the job is submitted to the scheduler
stage_in_grid_id: String representation of the stageIn-EPR (RFT)
stage_out_grid_id: String representation of the stageOut-EPR (RFT)
clean_up_grid_id: String representation of the cleanUp-EPR (RFT)
globus_toolkit_version: Version of the server-side GT
resource_manager_type: Type of the resource manager (Fork, Condor, ...)
job_description: Complete job description document
success_flag: Flag that shows whether the job failed or finished successfully
finished_flag: Flag that shows whether the job is already fully processed or still in progress
The Pre-WS GRAM service returns a "job contact" that is used to control the job. The job contact, by default, is already in an acceptable GJID format; therefore, the Pre-WS GRAM client and service do not need to convert it in any way.
To connect the two sets of records, both audit and accounting, we require that GRAM records the JID in each audit record that it generates. It is then straightforward for an audit service to respond to requests such as "Give me the charge of the job with JID x" by:
first selecting matching record(s) from the audit table,
then using the local JID(s) to join to the accounting table of the LRM and access relevant accounting record(s).
We propose a Web Service interface for accessing audit and accounting information. OGSA-DAI is a WSRF service that can create a single virtual database from two or more remote databases. In the future, other per-job information such as job performance data could be stored using the GJID or local JID as an index, and then made available in the same virtual database.
The rest of this chapter focuses on how to configure Pre-WS GRAM to enable Audit Logging. A case study for TeraGrid can be read here, which also includes more information about how to use this data to get accounting information of a job, query the audit database for information via a Web Services interface, etc.
Audit logging in Pre-WS GRAM is realized in the following way:
The job manager writes a file to disk for each job. This file contains the audit record. The format of an audit record file that is logged to the database is a comma-separated list of double-quoted strings.
The audit records are not inserted into the GRAM audit database directly. The job manager will, at final job termination (FAILED or DONE state), write a record to a unique file in a directory specified by a configuration file. These audit files must be uploaded by a program which can be called manually or be run periodically as a cron job. The program is a perl script and is located in
${GLOBUS_LOCATION}/libexec/globus-gram-auditand creates audit records in the configured database from the user audit files. Once the record is uploaded, the program will remove the audit file.
Here's an example on how a crontab entry must look like in order to run the script every 15 minutes:
0,15,30,45 * * * * ${GLOBUS_LOCATION}/libexec/globus-gram-auditThe script gets the necessary parameters to connect to the database from the configuration file
${GLOBUS_LOCATION}/etc/globus-job-manager-audit.conf, which is described below.
You may notice that this method is different than that used for WS GRAM. WS GRAM writes audit records directly to the audit database. This is done because only a single account (the container account) may be given access to the DB. The container account is already trusted, so this is reasonable for WS GRAM.
In Pre-WS GRAM, the Job Manager process writes the audit records. However, this process runs under the user's account; opening up access to the audit database for each user is not acceptable.
Therefore, the Job Manager writes the audit record to a file. Then a single database upload program, running under the same WS GRAM container account (e.g. globus), can first verify that the owner of the Pre-WS GRAM audit file and the username field in the audit record match. This prevents users from interfering with other users' audit records.
Audit logging is turned off by default. To turn on Audit Logging, follow these steps:
Add the following line to $GLOBUS_LOCATION/etc/globus-job-manager.conf:
-audit-directory <your desired audit record directory>
Create the audit record directory specified in the above configuration file with the following permissions:
rws-wsrwx
Edit $GLOBUS_LOCATION/etc/globus-job-manager-audit.conf to include the correct database connection parameters. For example::
DRIVERCLASS:com.mysql.jdbc.Driver USERNAME:john PASSWORD:foo URL:jdbc:mysql://myhost/auditDatabase
Audit records are stored in a database which must be set up once. Currently we provide schemas for
MySQL (
$GLOBUS_LOCATION/share/gram-service/gram_audit_schema_mysql.sql)Postgres (
$GLOBUS_LOCATION/share/gram-service/gram_audit_schema_postgres-8.0.sql)
The following describes how to set up the database for audit records in MySQL:
Create a database inside of MySQL
Grant necessary privileges to the account that will be used to upload the audit records in the audit. Typically the "globus" account.
Use the schema to create the table
host:~ feller$ mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 16
Server version: 5.0.37 MySQL Community Server (GPL)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> create database auditDatabase;
Query OK, 1 row affected (0.09 sec)
mysql> GRANT ALL ON auditDatabase.* to globus@localhost identified by "foo";
Query OK, 0 rows affected (0.32 sec)
mysql> exit
Bye
host:~ feller$ mysql -u globus -p auditDatabase < ${GLOBUS_LOCATION}/share/gram-service/gram_audit_schema_mysql.sql
Enter password:
host:~ feller$The following describes how to set up the database for audit records in PostgreSQL:
Create a database inside of PostgreSQL
Grant necessary privileges to the account that will be used to upload the audit records into the audit database. For simplicity we use the same "globus" account.
Use the schema to create the table
# Connect as postgres admin create database auditDatabase\g create user globus with encrypted password '<password1>'\g \c auditDatabase \i gram_audit_schema_postgres-8.0.sql grant insert on gram_audit_table to globus\g grant update on gram_audit_table to globus\g \q
You must also update pg_hba.conf to allow connections from container host (pg_hba.conf configures client authentication and is stored in the database cluster's data directory):
hostssl auditDatabase globus <containerhostip> 255.255.255.255 md5 host auditDatabase globus <containerhostip> 255.255.255.255 md5
In an installation of Gram2 a log4j configuration file is written to
$GLOBUS_LOCATION/share/globus_gram_job_manager_auditing/log4j.properties
which is used when you upload the records into the database using
${GLOBUS_LOCATION}/libexec/globus-gram-audit.
If audit logging does not work, please check for the existence of this file and
verify that the content is
log4j.rootCategory=ERROR, A1
# A1 is set to be a ConsoleAppender.
log4j.appender.A1=org.apache.log4j.ConsoleAppender
# A1 uses PatternLayout.
log4j.appender.A1.layout=org.apache.log4j.PatternLayout
log4j.appender.A1.layout.ConversionPattern=%d{ISO8601} %-5p %c{2} [%t,%M:%L] %m%n
# Display any warnings generated by our code
log4j.category.org.globus=WARN
# AUDIT
log4j.appender.AUDIT=org.globus.exec.utils.audit.AuditDatabaseAppender
log4j.appender.AUDIT.layout=org.apache.log4j.PatternLayout
log4j.category.org.globus.exec.utils.audit.AuditDatabaseAppender.audit=DEBUG, AUDIT
log4j.additivity.org.globus.exec.utils.audit.AuditDatabaseAppender.audit=false