to consider limiting, or overriding some of the attributes being published.

Another consideration is the public nature of this information, once it has been sent to the CEMon Consumers. Given that this information is only useful to actual users of the grid, it might be useful to provide some minimal restrictions so that the information is only accessible to current members of the OSG (or collaborating grids).

Accounting

The Gratia software provides the accounting framework for the OSG (Canal, Constanta, Green & Mack, 2007). Gratia consists of two components:

1. The Gratia probes that run on the site resource and interface with the site-specific accounting and batch systems. These probes extract resource usage information from the underlying infrastructure and convert it into a common Usage Record-XML (Global Grid Forum, 2003) based format. This is then sent to a central collector.
2. The Gratia collector is a central server operated by the OSG GOC that gathers information from the various probes, and internally stores this in a relational database. It makes this information publicly available through a web interface, in certain pre-defined views. The web interface also allows viewers to create their own reports and custom SQL queries against the usage data.

The Gratia records include information that might be considered sensitive by both the sites and the grid users. Specifically, we identified the following information as potentially sensitive:

- User account names
- User DN information
- Job file and application binary names

Given that this information can be accessed through a public SQL interface, all user activity on the OSG can be traced and analyzed in fairly sophisticated ways, by anyone with a web browser.

User account and DN information could be used by an attacker that has compromised an account on one site to query a list of sites with the same user account/DN, thus increasing the scope of the attack. It is not being suggested that masking this information will protect a site from a compromised account on another system. Certainly, once an account has been compromised, any other site that uses a common set of login credentials should be considered vulnerable. However, making this information less accessible to an attacker could mitigate the scope of the attack.

Job file or application names would be less useful to attackers, but could reveal information about the nature of the jobs being run. There is the potential for a rival project to gain valuable clues about the research being done from this information. A researcher may want to restrict this information to a limited set of people. On the other hand, from an accounting standpoint, the underlying file descriptions may not be as interesting as the actual resource consumption being measured. In most cases, the accounting software only needs to be able to uniquely identify a job, and doesn't care about the specifics of underlying job or application names.

For these reasons, it is recommended that access to this data be restricted along user and VO lines using grid certificates as the mechanism for controlling this. Sites can also mask sensitive information by modifying the probe software to apply filters to the records.

Logging

The OSG uses Syslog-ng (“Syslog-ng Logging System,”) to provide centralized logging of user activity on the Grid. Syslog-ng is an extension to the Syslog protocol that provides more flexible
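
One way a site could apply the probe-side masking recommended for the accounting records to the three sensitive fields (user account name, DN, job name), as an added example that is not Gratia's own probe code. The sample record, its element names and the per-site secret are constructed assumptions.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample record; the element names are assumptions modelled on a
# Usage Record style document, not copied from a real Gratia probe.
SAMPLE_RECORD = """<JobUsageRecord>
  <JobIdentity><LocalJobId>48213</LocalJobId></JobIdentity>
  <UserIdentity>
    <LocalUserId>alice</LocalUserId>
    <DN>/DC=org/DC=example/OU=People/CN=Alice Example</DN>
    <VOName>examplevo</VOName>
  </UserIdentity>
  <JobName>higgs_fit_v7.sh</JobName>
  <WallDuration>PT3600S</WallDuration>
</JobUsageRecord>"""

# The three fields the text identifies as sensitive (hypothetical tag names).
SENSITIVE_TAGS = ("LocalUserId", "DN", "JobName")


def pseudonym(site_secret: bytes, tag: str, value: str) -> str:
    """Keyed, deterministic token: stable for one site, so usage still groups
    per user and per job name, but not reversible or comparable across sites."""
    mac = hmac.new(site_secret, f"{tag}\0{value}".encode(), hashlib.sha256)
    return f"{tag.lower()}-{mac.hexdigest()[:16]}"


def mask_record(xml_text: str, site_secret: bytes) -> str:
    """Replace sensitive values before the record leaves the site; job ids,
    VO name and resource consumption are left intact for accounting."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if elem.tag in SENSITIVE_TAGS and elem.text and elem.text.strip():
            elem.text = pseudonym(site_secret, elem.tag, elem.text.strip())
    return ET.tostring(root, encoding="unicode")


def field_text(xml_text: str, tag: str) -> str:
    """Return the text of the first element named tag (helper for checks)."""
    return ET.fromstring(xml_text).find(f".//{tag}").text


if __name__ == "__main__":
    print(mask_record(SAMPLE_RECORD, b"constructed-secret-for-site-a"))
```

Because each site keys the tokens with its own secret, the same account or DN produces unrelated tokens at different sites, so the public data no longer supports the cross-site lookup described in the text. The trade-off is that per-user totals cannot be joined across sites from the masked records alone.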