Accounting Data Handling Toolbox For Opportunistic Resources



Auditor stands for Accounting Data Handling Toolbox For Opportunistic Resources. Auditor ingests accounting data provided by so-called collectors, stores it, and makes it available to so-called plugins.

It comes with a well-defined REST API which allows for the implementation of application-specific collectors and plugins. This makes it well suited for a wide range of use cases.

Overview of the AUDITOR ecosystem. AUDITOR accepts records from collectors, stores them in a PostgreSQL database and offers these records to plugins which take an action based on the records.

Running Auditor

Auditor can be run by compiling the source from the repository or by running a pre-built docker container. Both methods require that the PostgreSQL database is installed and migrated beforehand.

Setting up the PostgreSQL database

Using Docker

You can use Docker to start a PostgreSQL database:


docker run -d --name postgresql_auditor \
    -e "POSTGRES_USER=${DB_USER}" \
    -e "POSTGRES_PASSWORD=${DB_PASSWORD}" \
    -e "POSTGRES_DB=${DB_NAME}" \
    -p "${DB_PORT}:5432" \
    postgres


Alternatively, you can install PostgreSQL directly using your system's package manager and configure the database and user manually. For the next steps you will need the database user and password, database name, host and port.

Migrating the database

Using Docker

You can run the database migration using the Auditor Docker container. The connection details for the database can be set using the AUDITOR_DATABASE__* environment variables, which are explained in the next section.

If you run the PostgreSQL database as a Docker container, execute the following command.

docker run \
  -e "AUDITOR_DATABASE__HOST=host.docker.internal" \
  --add-host=host.docker.internal:host-gateway \
  auditor:<version> migrate

If the PostgreSQL database is not running in a Docker container, run

docker run \
  auditor:<version> migrate

Replace the DB_* variables with your corresponding values.


Migrating the database manually requires cloning the Auditor repository and installing cargo and sqlx. A prerequisite is a working Rust setup, which can be installed either via your distribution's package manager or via the following command:

curl --proto '=https' --tlsv1.2 -sSf | sh

Now sqlx can be installed via cargo:

cargo install --version=0.8.3 sqlx-cli --no-default-features --features postgres,rustls,sqlite

Clone the repository and cd into the directory.

git clone

To migrate the database, run the following from the root directory of the repo:

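# Adapt these variables to your setup (DB_USER, DB_PASSWORD, DB_HOST, DB_PORT, DB_NAME)
export DATABASE_URL="postgres://${DB_USER}:${DB_PASSWORD}@${DB_HOST}:${DB_PORT}/${DB_NAME}"

sqlx database create
sqlx migrate run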

Using Docker

The easiest way to run Auditor is via a Docker container from Docker Hub or GitHub Container Registry. Auditor requires a properly configured PostgreSQL database. After installing PostgreSQL, the database needs to be migrated with sqlx.

AUDITOR's configuration can be adapted with environment variables.

| Variable | Description |
| --- | --- |
| AUDITOR_APPLICATION__ADDR | Address to bind to (default |
| AUDITOR_APPLICATION__PORT | Port to bind to (default 8000) |
| AUDITOR_DATABASE__HOST | Host address of PostgreSQL database (default localhost) |
| AUDITOR_DATABASE__PORT | Port of PostgreSQL database (default 5432) |
| AUDITOR_DATABASE__USERNAME | PostgreSQL database username (default postgres) |
| AUDITOR_DATABASE__PASSWORD | PostgreSQL database password (default password) |
| AUDITOR_DATABASE__DATABASE_NAME | Name of the PostgreSQL database (default auditor) |
| AUDITOR_DATABASE__REQUIRE_SSL | Whether or not to use SSL (default true) |
| AUDITOR_LOG_LEVEL | Set the verbosity of logging. Possible values: trace, debug, info, warn, error (default info) |

Use docker run to execute Auditor:

docker run aluschumacher/auditor:<version>

The configuration parameters can be set by passing environment variables via -e:

docker run -e AUDITOR_APPLICATION__ADDR=localhost -e AUDITOR_DATABASE__REQUIRE_SSL=false aluschumacher/auditor:<version>

We offer versioned tags (starting from 0.2.0) or the edge tag, which corresponds to the latest commit on the main branch.

Configuration files

Besides environment variables, a YAML configuration file can be used:

Without TLS

application:
  port: 8000
database:
  host: "localhost"
  port: 5432
  username: "postgres"
  password: "password"
  database_name: "auditor"
  require_ssl: false
metrics:
  database:
    frequency: 30
    metrics:
      - RecordCount
      - RecordCountPerSite
      - RecordCountPerGroup
      - RecordCountPerUser
log_level: info
tls_config:
  use_tls: false

To enable TLS for the above config, set use_tls to true in the tls_config section and add the certificate paths as shown below.

tls_config:
  use_tls: true
  ca_cert_path: "/path/rootCA.pem"
  server_cert_path: "/path/server-cert.pem"
  server_key_path: "/path/server-key.pem"
  https_addr: ""
  https_port: 8005

This configuration file can be passed to Auditor and will overwrite the default configuration.

If you have compiled Auditor from source, pass the configuration file as the first argument (i.e. cargo run <path-to-config> or ./auditor <path-to-config>).

If you run Auditor using Docker, then you first need to mount the configuration file inside the container, before you can use it. Furthermore, you need to call the Docker container with the auditor command as first argument and the path to the config file (location inside the container) as second argument.

docker run -v <absolute-path-to-config>:/auditor/config.yaml aluschumacher/auditor:<version> auditor /auditor/config.yaml

However, you should default to using environment variables for configuration when running Auditor using Docker.

Metrics exporter for Prometheus

Metrics for Prometheus are exposed via the /metrics endpoint. By default, HTTP metrics are exported. Database metrics can optionally be exported as well. These include the current number of records in the database, as well as the number of records per site, group and user. Database metrics export can be configured in the configuration:

metrics:
  database:
    # How often these values are computed (default: every 30 seconds)
    frequency: 30
    # Type of metrics to export (default: None)
    metrics:
      - RecordCount
      - RecordCountPerSite
      - RecordCountPerGroup
      - RecordCountPerUser

How often the database metrics are computed is defined by the frequency configuration variable. Note that computing the database metrics is a potentially expensive operation. Therefore it is advised to monitor the performance of Auditor when working with databases with a large number of records. The frequency setting should be somewhat in accordance with the Prometheus scraping interval.

Compiling from source

Alternatively, Auditor can be compiled and run directly. Instructions for compiling Auditor from source can be found in the development documentation.


RPMs are provided for each release on the GitHub release page.


Collectors are used to collect data from various sources. See below for all currently available collectors.

SLURM Collector

The Slurm collector collects information from slurm jobs based on the sacct command. It can be installed from the provided RPM or can be built with this command:

RUSTFLAGS='-C link-arg=-s' cargo build --release --target x86_64-unknown-linux-musl --bin auditor-slurm-collector

The resulting binary can be found in target/x86_64-unknown-linux-musl/release/auditor-slurm-collector and should be placed on the Slurm head node.

Run the Slurm collector with

/absolute/path/to/auditor-slurm-collector /absolute/path/to/auditor-slurm-collector-config.yml

Ideally, you should run the Slurm collector as a service, e.g. by using a systemd unit file.


[Unit]
Description=Auditor Slurm collector

[Service]
User=<service user>
ExecStart=/absolute/path/to/auditor-slurm-collector /absolute/path/to/auditor-slurm-collector-config.yml



The Slurm collector is configured using a yaml-file. Configuration parameters are as follows:

| Parameter | Description |
| --- | --- |
| addr | Host name or IP address of the Auditor instance. |
| port | Port of the Auditor instance. |
| record_prefix | Prefix for the record identifier. The full record identifier is then <record_prefix>-<slurm-job-id>. |
| job_filter | Filter jobs based on certain properties. See the Job filter section below. |
| sacct_frequency | Frequency of executing the sacct command (in seconds). Resulting records are first placed in a queue (based on a SQLite database) and later sent to the Auditor instance. |
| sender_frequency | Frequency of sending new records from the sending queue to the Auditor instance. |
| earliest_datetime | After starting the collector for the first time, only query jobs that started later than earliest_datetime. Has to follow the ISO 8601 standard. |
| database_path | Path to the SQLite database that is used for the sending queue. |
| sites | A list of potential sites that can be associated with a job. Each site has to have a name field. A site can be matched to a job based on the contents of a field in the job information using the only_if field. The only_if field needs to have a key, which corresponds to a field in the sacct output, and a matches field, used to match a certain value. Regular expressions are supported. |
| meta | A list of meta objects that are added to the record. Each meta object needs to have a name that is used as the name of the meta object, and a key, which corresponds to a field in the job information. The type of the data can be specified with key_type. Possible values are Integer (default), IntegerMega (integer with an M behind the number), Time, String, DateTime, Id, Json. By default, empty values are not allowed. This can be changed by setting key_allow_empty to true. Alternatively, a default value can be specified with default_value. Setting meta information can optionally be limited to a subset of records using the only_if syntax, as described above. |
| components | A list of components that is added to the record. A component needs to have a name, key, and key_type, similar to the meta configuration. One or multiple scores can be added to a component with the scores option. Each score config needs to have a name and a value. Setting scores can optionally be limited to a subset of records using the only_if syntax, as described above. |
| log_level | Set the verbosity of logging. Possible values: trace, debug, info, warn, error (default info). |
| use_tls | Specifies whether TLS is enabled (true) or disabled (false). |
| ca_cert_path | Path to the root Certificate Authority (CA) certificate for validating certificates. Example: /path/rootCA.pem. |
| client_cert_path | Path to the client's TLS certificate, used for mutual TLS (mTLS) authentication. Example: /path/client-cert.pem. |
| client_key_path | Path to the client's private key used for TLS. Example: /path/client-key.pem. |

Job filter

Job filters can be used to filter the slurm jobs when calling the sacct command. The following filters are supported:

| Filter | Description |
| --- | --- |
| status | A list of acceptable job states. See SLURM JOB STATE CODES for a list of allowed values. By default, jobs with the completed state are queried. |
| partition | A list of partition names. By default, no filter is applied. |
| user | A list of users. By default, no filter is applied. |
| group | A list of groups. By default, no filter is applied. |
| account | A list of accounts. By default, no filter is applied. |

Example configuration

Without TLS

addr: "auditor_host_addr"
port: 8000
record_prefix: "slurm"
job_filter:
  status:
    - "completed"
    - "failed"
sacct_frequency: 300
sender_frequency: 60
earliest_datetime: "2023-09-15T12:00:00+00:00"
database_path: "/absolute/path/to/db.db"
sites:
  - name: "mysite1"
    only_if:
      key: "Partition"
      matches: "^mypartition$"
  - name: "mysite2"
meta:
  - name: Comment
    key: "Comment"
    key_type: Json
    key_allow_empty: true
components:
  - name: "Cores"
    key: "NCPUS"
    scores:
      - name: "HEPSPEC06"
        value: 10.0
      - name: "hepscore23"
        value: 10.0
  - name: "SystemCPU"
    key: "SystemCPU"
    key_type: Time
  - name: "UserCPU"
    key: "UserCPU"
    key_type: Time
  - name: "TotalCPU"
    key: "TotalCPU"
    key_type: Time
  - name: "Memory"
    key: "ReqMem"
    key_type: IntegerMega
  - name: "MaxRSS"
    key: "MaxRSS"
    default_value: 0
  - name: "NNodes"
    key: "NNodes"
log_level: info
tls_config:
  use_tls: false

To enable TLS for the above config, set use_tls to true in the tls_config section and add the certificate paths as shown below.

tls_config:
  use_tls: true
  ca_cert_path: "/path/rootCA.pem"
  client_cert_path: "/path/client-cert.pem"
  client_key_path: "/path/client-key.pem"

SLURM Epilog Collector

The Slurm epilog collector can be installed from the provided RPM or can be built with this command:

RUSTFLAGS='-C link-arg=-s' cargo build --release --target x86_64-unknown-linux-musl --bin auditor-slurm-epilog-collector

The resulting binary can be found in target/x86_64-unknown-linux-musl/release/auditor-slurm-epilog-collector and is ideally placed on the Slurm head node.

Add this to your epilog shell script (on the slurm head node):


# Divert stdout and stderr. Make sure the slurm user has write access to both locations.
# Ideally there is also log rotation in place for those logs.
exec >> /epilog_logs/epilog.log
exec 2>> /epilog_logs/epilog.log

/absolute/path/to/auditor-slurm-epilog-collector /absolute/path/to/auditor-slurm-epilog-collector-config.yaml

This will read the $SLURM_JOB_ID environment variable, which is only available in the context of a SLURM epilog script.

Internally, scontrol is called to obtain the necessary information of the job.

If not all jobs are of relevance, filtering should be done in the epilog script such that the collector is only executed for relevant jobs. This avoids unnecessary and potentially expensive calls to scontrol. Slurm provides a number of environment variables in the context of an epilog script which are listed in the Slurm documentation.



# Same log location as in the snippet above
LOG_FILE=/epilog_logs/epilog.log

# Only execute collector for jobs running on `some_partition`
if [ "$SLURM_JOB_PARTITION" = "some_partition" ]; then
	exec >> "$LOG_FILE"
	exec 2>> "$LOG_FILE"

	/absolute/path/to/auditor-slurm-epilog-collector /absolute/path/to/auditor-slurm-epilog-collector-config.yaml
fi

Example configurations

The following configuration shows how to set the Auditor host address and port. The record_prefix will be used to prefix the Slurm job id in the record identifier (in this case it will be slurm-JOBID). The site_name is the site_id which will be attached to the meta field of every record. components defines how to extract accountable information from the call to scontrol and attaches scores to it. In the context of components, name indicates how this component will be identified in the final record and key indicates the key which is to be extracted from the scontrol output. scores are optional. The verbosity of logging can be set with the log_level option. Possible values are trace, debug, info (default), warn, and error.

addr: "auditor_host_addr"
port: 8000
record_prefix: "slurm"
site_id: "site_name"
components:
  - name: "Cores"
    key: "NumCPUs"
    scores:
      - name: "HEPSPEC"
        value: 1.0
  - name: "Memory"
    key: "Mem"
log_level: info
tls_config:
  use_tls: false

Extraction of components as well as adding of scores can be done conditionally, as shown in the following example configuration. The matching is performed on values associated with certain keys in the scontrol output. Regex is accepted.

addr: "auditor_host_address"
port: 8000
record_prefix: "slurm"
site_id: "site_name"
components:
  - name: "Cores"
    key: "NumCPUs"
    scores:
      # If the job is running on partition `part1`, then use HEPSPEC value 1.1
      - name: "HEPSPEC"
        value: 1.1
        only_if:
          key: "Partition"
          matches: "^part1$"
      # If the job is running on partition `part2`, then use HEPSPEC value 1.2
      - name: "HEPSPEC"
        value: 1.2
        only_if:
          key: "Partition"
          matches: "^part2$"
  - name: "Memory"
    key: "Mem"
    only_if:
      key: "Partition"
      matches: "^part2$"
tls_config:
  use_tls: false

To enable TLS for both of the above configs, set use_tls to true in the tls_config section and add the certificate paths as shown below.

tls_config:
  use_tls: true
  ca_cert_path: "/path/rootCA.pem"
  client_cert_path: "/path/client-cert.pem"
  client_key_path: "/path/client-key.pem"

HTCondor Collector

The collector relies on condor_history to retrieve the information about the jobs. The collector runs periodically, creating records and committing them to the AUDITOR-instance using pyauditor.

The collector is run as follows:

python -m collectors.htcondor -c CONFIG_FILE

-c/--config CONFIG_FILE is required to be set and of the form as stated below. Further, optional arguments are

-h, --help            show this help message and exit
                      Path to config file.
                      ID of the job, condor_history to invoke with.
-n SCHEDD, --schedd-names SCHEDD
                      Name of the schedd, condor_history to invoke with.
                      Log level. Defaults to INFO.
-f LOG_FILE, --log-file LOG_FILE
                      Log file. Defaults to stdout.
-i INTERVAL, --interval INTERVAL
                      Interval in seconds between queries. Defaults to 900.
-1, --one-shot        Run once and exit.

Command line arguments override the values set in the config file.


The collector is configured using a yaml-file. Configuration parameters are as follows:

| Parameter | Description |
| --- | --- |
| state_db | Path to the sqlite-database used for persistent storage of the job ids last processed by the collector. |
| record_prefix | Prefix used for all records put into the AUDITOR-database. |
| interval | Interval in seconds between runs of the collector. |
| pool | The -pool argument used for the invocation of condor_history. |
| schedd_names | List of the schedulers used for the -name argument of the invocation of condor_history. |
| job_status | List of job statuses considered. See HTCondor magic numbers. |
| meta | Map of key/value pairs put in the record's meta field. The key is used as the key in the record's meta-variables, the values are entries. If multiple entries are given for a specified name, the values are appended to a list. A special case is site, which is a list of entries, but only the first match is used. |
| components | List of components (entries) put in the record's components. Each component can contain a list of scores (entries). |
| use_tls | Specifies whether TLS is enabled (true) or disabled (false). |
| ca_cert_path | Path to the root Certificate Authority (CA) certificate for validating certificates. Example: /path/rootCA.pem. |
| client_cert_path | Path to the client's TLS certificate, used for mutual TLS (mTLS) authentication. Example: /path/client-cert.pem. |
| client_key_path | Path to the client's private key used for TLS. Example: /path/client-key.pem. |

The following parameters are optional:

| Parameter | Default | Description |
| --- | --- | --- |
| addr | http:// | of the AUDITOR-instance. If this is set, port must also be specified. |
| port | 8080 | Port of the AUDITOR-instance. If this is set, addr must also be specified. |
| timeout | 30 | Timeout in seconds for the connection to the AUDITOR-instance. |


An entry describes how to get the value for a meta-var or component from the job. Unlike meta-variables, components contain a name-field, which is used as the name of the component. If the entry has a key-field, the value is taken from the corresponding ClassAd. Else, if the entry has a factor-field, this factor is used as the value. Else, if the entry has a name-field, this name is used as the value (this is used for the site-meta-var). Else, the value is not set.

If the entry has a matches-field, the value is matched against the regex given in matches. In case the regex contains a group, the value is set to the (first) matching group, else the name-field is used.

If the entry contains an only_if-field, the value is only returned if the value of the ClassAd in only_if.key matches the regex given in only_if.matches.

See below for an example config and the use of such entries.

Example config

addr: localhost
port: 8000
timeout: 10
state_db: htcondor_history_state.db
record_prefix: htcondor
interval: 900 # 15 minutes
job_status: # See
  - 3 # Removed
  - 4 # Completed

meta:
  user:
    key: Owner
    matches: ^(.+)$
  group:
    key: VoName
    matches: ^(.+)$
  submithost:
    key: "GlobalJobId"
    matches: ^(.*)#\d+.\d+#\d+$  # As this regex contains a group, the value for 'submithost' is set to the matching group.

  # For `site` the first match is used.
  site:
    - name: "site1"  # This entry
      key: "LastRemoteHost"
      matches: ^slot.+@site1-.+$
    - key: "LastRemoteHost"
      matches: ^slot.+@(site2)-.+$  # This regex contains a group, the value for 'site' is set to the matching group ("site2").
    - name: "UNDEF"  # If no match is found, site is set to "UNDEF"

components:
  - name: "Cores"
    key: "CpusProvisioned"
    scores:
      - name: "HEPSPEC"
        key: "MachineAttrApelSpecs0"
        matches: HEPSPEC\D+(\d+(\.\d+)?)  # This regex matches the value of HEPSPEC in the corresponding ClassAd
        only_if:
          key: "LastRemoteHost"
          matches: ^slot.+@(?:site1)-.{10}@.+$  # This score is only attributed to the component on site1
      - name: "HEPscore23"
        key: "MachineAttrApelSpecs0"
        matches: HEPscore23\D+(\d+(\.\d+)?)
        only_if:
          key: "LastRemoteHost"
          matches: ^slot.+@(?:site1)-.{10}@.+$
  - name: "Memory"
    key: "MemoryProvisioned"
  - name: "UserCPU"
    key: "RemoteUserCpu"
tls_config:
  use_tls: False

To enable TLS for the above config, set use_tls to True in the tls_config section and add the certificate paths as shown below.

tls_config:
  use_tls: True
  ca_cert_path: "/path/rootCA.pem"
  client_cert_path: "/path/client-cert.pem"
  client_key_path: "/path/client-key.pem"
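
How the entry rules described above resolve against a job ClassAd, as an added Python example that is not the collector's own code. It assumes regexes are applied with re.search (the unanchored HEPSPEC pattern in the example config only works that way); the ClassAd values, LOOSE_SITE and the simplified only_if pattern are constructed. The site10 host shows why the site patterns are anchored: an unanchored `site1` also claims jobs that ran on `site10`.

```python
import re


def resolve_entry(entry, classad):
    """Value an entry yields for one job ClassAd, or None if it does not apply."""
    # only_if: the entry counts only if the gating ClassAd matches its regex.
    cond = entry.get("only_if")
    if cond is not None:
        gate = classad.get(cond["key"])
        if gate is None or not re.search(cond["matches"], str(gate)):
            return None

    # Value source, in the documented order: key, then factor, then name.
    if "key" in entry:
        value = classad.get(entry["key"])
        if value is None:
            return None
    elif "factor" in entry:
        value = entry["factor"]
    elif "name" in entry:
        value = entry["name"]
    else:
        return None

    # matches: first capture group if the regex has one, else the name field.
    pattern = entry.get("matches")
    if pattern is not None:
        m = re.search(pattern, str(value))
        if m is None:
            return None
        value = m.group(1) if m.re.groups else entry.get("name")
    return value


def resolve_site(entries, classad):
    """`site` is a list of entries; only the first one that yields a value is used."""
    for entry in entries:
        value = resolve_entry(entry, classad)
        if value is not None:
            return value
    return None


# Entries transcribed from the example config above, as Python dicts.
SITE = [
    {"name": "site1", "key": "LastRemoteHost", "matches": r"^slot.+@site1-.+$"},
    {"key": "LastRemoteHost", "matches": r"^slot.+@(site2)-.+$"},
    {"name": "UNDEF"},
]
SUBMITHOST = {"key": "GlobalJobId", "matches": r"^(.*)#\d+.\d+#\d+$"}
HEPSPEC = {
    "name": "HEPSPEC",
    "key": "MachineAttrApelSpecs0",
    "matches": r"HEPSPEC\D+(\d+(\.\d+)?)",
    # Simplified gate (assumption): reuses the anchored site1 host pattern.
    "only_if": {"key": "LastRemoteHost", "matches": r"^slot.+@site1-.+$"},
}
# Constructed, unanchored variant of the first site entry, for comparison.
LOOSE_SITE = [
    {"name": "site1", "key": "LastRemoteHost", "matches": r"site1"},
    {"name": "UNDEF"},
]


def job(host):
    """Constructed ClassAd for a job that ran on `host`."""
    return {
        "Owner": "alice",
        "GlobalJobId": "schedd01.example.org#1234.0#1700000000",
        "LastRemoteHost": host,
        "CpusProvisioned": 8,
        "MachineAttrApelSpecs0": "HEPSPEC 14.37 HEPscore23 16.5",
    }


if __name__ == "__main__":
    hosts = (
        "slot1@site1-wn01.example.org",
        "slot1_2@site2-wn42.example.org",
        "slot1@site10-wn01.example.org",
    )
    for host in hosts:
        ad = job(host)
        print(host,
              "anchored:", resolve_site(SITE, ad),
              "unanchored:", resolve_site(LOOSE_SITE, ad),
              "HEPSPEC:", resolve_entry(HEPSPEC, ad))
```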

Kubernetes Collector

This collector retrieves information from two sources: the Kubernetes API and a Prometheus instance. This is necessary because Kubernetes does not expose resource metrics like CPU time via its API. This means that the collector needs to be able to access the API as well as Prometheus.

The easiest way to ensure access to the API is by running the collector directly on Kubernetes via the provided Helm Chart. Prometheus needs to be able to access the Kubelets of your cluster. If it is installed on Kubernetes, make sure it has some persistent storage. A small tutorial for an example setup can be found here. The following section explains the configuration of the collector.

The collector can be started manually

./auditor-kubernetes-collector config.yaml

Or it can be installed on Kubernetes via the single Helm Chart

helm install auditor-collector helmcharts/charts/auditor-collector/ -n auditor

or through the parent Chart

helm install auditor helmcharts/ -n auditor


Configuration settings can be provided via a yaml file when run manually or through the Helm Chart. The parameters are as follows:

| Parameter | Default | Description |
| --- | --- | --- |
| auditor_addr | | Address of AUDITOR instance |
| auditor_port | 8000 | Port of AUDITOR |
| prometheus_addr | | Address of Prometheus |
| prometheus_port | | Port of Prometheus |
| record_prefix | "" | Is prepended to all record IDs |
| earliest_datetime | Now | Collector will ignore all pods finished before this time. Should be ISO 8601. Note that the collector will save the timestamp of the last successful request to Kubernetes and will always choose the later time between this timestamp and earliest_datetime. |
| auditor_timeout | 10s | Timeout for connecting to AUDITOR |
| prometheus_timeout | 60s | Timeout for a single Prometheus query |
| collect_interval | 60s | Interval for collecting pod info from Kubernetes |
| merge_interval | 60s | Interval for collecting info from Prometheus. This also sets how often records will be sent to AUDITOR. |
| database_path | "." | Directory to house the persistent sender queue |
| job_filter | | Sets which pods to account. See below |
| backlog_interval | 300s | How long to wait before retrying to fetch metrics from Prometheus |
| backlog_maxretries | 2 | How often we will retry to fetch metrics from Prometheus for each pod. Will send an incomplete record after this |
| log_level | INFO | Logging level |
| use_tls | 'false' | Specifies whether TLS is enabled (true) or disabled (false) |
| ca_cert_path | | Path to the root Certificate Authority (CA) certificate for validating certificates. Example: /path/rootCA.pem. |
| client_cert_path | | Path to the client's TLS certificate, used for mutual TLS (mTLS) authentication. Example: /path/client-cert.pem. |
| client_key_path | | Path to the client's private key used for TLS. Example: /path/client-key.pem. |

Job filter settings:

| Parameter | Default | Description |
| --- | --- | --- |
| namespace | ["default"] | A whitelist of namespaces to consider |
| labels | [] | A list of labels. A pod will be accounted if all conditions are true |

Example Config

auditor_addr: localhost
auditor_port: 8000
prometheus_addr: localhost
prometheus_port: 31000
record_prefix: "KUBE"
earliest_datetime: "2024-04-18T12:00:00Z"
job_filter:
  namespace:
    - "default"
  labels:
    - app==test
auditor_timeout: 10
prometheus_timeout: 90
collect_interval: 30
send_interval: 60
backlog_interval: 300
backlog_maxretries: 2
log_level: debug
tls_config:
  use_tls: false

To enable TLS for the above config, set use_tls to true in the tls_config section and add the certificate paths as shown below.

tls_config:
  use_tls: true
  ca_cert_path: "/path/rootCA.pem"
  client_cert_path: "/path/client-cert.pem"
  client_key_path: "/path/client-key.pem"
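
The TLS settings shown for Auditor and for each collector use the same keys, so one pre-start check covers all of them. The following is an added Python example, not part of the Auditor code base: it takes an already parsed tls_config mapping and reports missing files and permissions that would expose the private key or let another local user replace a certificate. Treating an absent use_tls as disabled and the specific permission masks are assumptions of this example.

```python
import os
import stat


def audit_tls_config(tls, role="client"):
    """Return findings for one tls_config mapping (already parsed from YAML).

    role is "client" for the collectors and "server" for Auditor itself; it
    selects the <role>_cert_path / <role>_key_path key names used on this page.
    """
    # Assumption: a missing use_tls key is treated like use_tls: false.
    if not tls.get("use_tls", False):
        return ["use_tls is false: records are sent unencrypted and without mTLS authentication"]

    findings = []
    key_name = f"{role}_key_path"
    for name in ("ca_cert_path", f"{role}_cert_path", key_name):
        path = tls.get(name)
        if not path:
            findings.append(f"{name} is not set although use_tls is true")
            continue
        try:
            st = os.stat(path)
        except OSError as exc:
            findings.append(f"{name}: cannot stat {path} ({exc.strerror})")
            continue
        if not stat.S_ISREG(st.st_mode):
            findings.append(f"{name}: {path} is not a regular file")
            continue
        mode = stat.S_IMODE(st.st_mode)
        if name == key_name and mode & 0o077:
            # Any group/other bit on the private key lets other accounts use the identity.
            findings.append(f"{name}: {path} has mode {mode:03o}, private key is accessible to group or others")
        elif name != key_name and mode & 0o022:
            # A writable CA or certificate file can be swapped by another local user.
            findings.append(f"{name}: {path} has mode {mode:03o}, file is writable by group or others")
    return findings


if __name__ == "__main__":
    # Paths from the example config above; on a host without these files
    # each path is reported as missing.
    example = {
        "use_tls": True,
        "ca_cert_path": "/path/rootCA.pem",
        "client_cert_path": "/path/client-cert.pem",
        "client_key_path": "/path/client-key.pem",
    }
    for finding in audit_tls_config(example):
        print(finding)
```

For the server configuration, call it with role="server" so that server_cert_path and server_key_path are checked instead.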


Plugins are used to retrieve data from Auditor for further processing. See below for all currently available plugins.

APEL Plugin

The APEL plugin creates messages and sends them to the APEL server. The plugin can either create summary messages for the current month, or individual job messages. Sync messages for the current month are created in both cases.

The plugin is provided as a pip package and as a Docker container from Docker Hub or from the GitHub Container Registry.

Two CLI commands are available after the installation via pip: auditor-apel-publish and auditor-apel-republish.

auditor-apel-publish runs periodically at a given report interval.

usage: auditor-apel-publish [-h] -c CONFIG

  -h, --help            show this help message and exit
  -c CONFIG, --config CONFIG
                        Path to the config file

auditor-apel-republish runs once and submits a report of jobs between two dates for a given site.

usage: auditor-apel-republish [-h] --begin-date BEGIN_DATE --end-date END_DATE -s SITE -c CONFIG

  -h, --help            show this help message and exit
  --begin-date BEGIN_DATE
                        Begin of republishing (UTC): yyyy-mm-dd hh:mm:ss+00:00, e.g. 2023-11-27 13:31:10+00:00
  --end-date END_DATE   End of republishing (UTC): yyyy-mm-dd hh:mm:ss+00:00, e.g. 2023-11-29 21:10:54+00:00
  -s SITE, --site SITE  Site (GOCDB): UNI-FREIBURG, ...
  -c CONFIG, --config CONFIG
                        Path to the config file

The config file is written in YAML format and has the main sections plugin, site, authentication, auditor, and at least one of summary_fields or individual_job_fields.

Example config:

plugin:
  log_level: INFO
  time_json_path: /etc/auditor_apel_plugin/time.json
  report_interval: 86400
  message_type: summaries

site:
  publish_since: 2024-01-01 06:00:00+00:00
  sites_to_report:
    SITE_A: ["site_id_1", "site_id_2"]
    SITE_B: ["site_id_3"]

authentication:
  client_cert: /etc/grid-security/hostcert.pem
  client_key: /etc/grid-security/hostkey.pem
  ca_path: /etc/grid-security/certificates
  verify_ca: True

auditor:
  port: 3333
  timeout: 60
  site_meta_field: site_id
  use_tls: True
  ca_cert_path: /path/rootCA.pem
  client_cert_path: /path/client-cert.pem
  client_key_path: /path/client-key.pem

summary_fields:
  mandatory:
    NormalisedWallDuration: !NormalisedWallDurationField
      score:
        name: hepscore23
        component_name: Cores
    CpuDuration: !ComponentField
      name: TotalCPU
      divide_by: 1000
    NormalisedCpuDuration: !NormalisedField
      base_value: !ComponentField
        name: TotalCPU
        divide_by: 1000
      score:
        name: hepscore23
        component_name: Cores
  optional:
    GlobalUserName: !MetaField
      name: subject
    VO: !MetaField
      name: user
      function:
        name: vo_mapping
        parameters:
          atlpr: atlas
          atlsg: ops
          ops: ops
    VOGroup: !MetaField
      name: voms
      regex: (?=%2F).*?\S(?=%2F)
    VORole: !MetaField
      name: voms
      regex: (?=Role).*
    SubmitHost: !MetaField
      name: headnode
    Infrastructure: !ConstantField
      value: grid
    NodeCount: !ComponentField
      name: NNodes
    Processors: !ComponentField
      name: Cores

individual_job_fields:
  mandatory:
    CpuDuration: !ComponentField
      name: TotalCPU
      divide_by: 1000
  optional:
    GlobalUserName: !MetaField
      name: subject
    VO: !MetaField
      name: voms
      regex: (?<=%2F).*?\S(?=%2F)
    VOGroup: !MetaField
      name: voms
      regex: (?=%2F).*?\S(?=%2F)
    VORole: !MetaField
      name: voms
      regex: (?=Role).*
    SubmitHost: !MetaField
      name: headnode
    InfrastructureType: !ConstantField
      value: grid
    NodeCount: !ComponentField
      name: NNodes
    Processors: !ComponentField
      name: Cores
    LocalUserId: !MetaField
      name: user_id
    FQAN: !MetaField
      name: voms
    InfrastructureDescription: !ConstantField
      value: AUDITOR-ARC-SLURM
    ServiceLevel: !ScoreField
      name: hepscore23
      component_name: Cores
    ServiceLevelType: !ConstantField
      value: hepscore23

The individual parameters in the config file are:

| Section | Parameter | Description |
| --- | --- | --- |
| plugin | log_level | Can be set to TRACE, DEBUG, INFO, WARNING, ERROR, or CRITICAL (with decreasing verbosity). TRACE might produce a lot of output if message_type is set to individual_jobs, since the message that will be sent to APEL is printed. |
| plugin | time_json_path | Path of the time.json file. The JSON file should be located at a persistent path and stores the stop times of the latest reported job per site, and the time of the latest report to APEL. |
| plugin | report_interval | Time in seconds between reports to APEL. |
| plugin | message_type | Type of message to create. Can be set to summaries or individual_jobs. |
| site | publish_since | Date and time in ISO 8601 format (in UTC, hence add +00:00) after which jobs will be published. Only relevant for first run when no time.json is present yet. |
| site | sites_to_report | Dictionary of the sites that will be reported. The keys are the names of the sites in the GOCDB, the values are lists of the corresponding site names in the AUDITOR records. |
| authentication | auth_url | URL from which the APEL authentication token is received. |
| authentication | ams_url | URL to which the reports are sent. |
| authentication | client_cert | Path of the host certificate. |
| authentication | client_key | Path of the host key. |
| authentication | ca_path | Path of the local certificate folder. |
| authentication | verify_ca | Controls the verification of the certificate of the APEL server. Can be set to True or False (the latter might be necessary for local test setups). |
| auditor | ip | IP of the AUDITOR instance. |
| auditor | port | Port of the AUDITOR instance. |
| auditor | timeout | Time in seconds after which the connection to the AUDITOR instance times out. |
| auditor | site_meta_field | Name of the field that stores the name of the site in the AUDITOR records. |
| auditor | use_tls | Specifies whether TLS is enabled (True) or disabled (False). |
| auditor | ca_cert_path | Path to the root Certificate Authority (CA) certificate for validating certificates. Only needed if use_tls is True. |
| auditor | client_cert_path | Path to the client's TLS certificate, used for mutual TLS (mTLS) authentication. Only needed if use_tls is True. |
| auditor | client_key_path | Path to the client's private key used for TLS. Only needed if use_tls is True. |

The main sections summary_fields and individual_job_fields have the subsections mandatory and optional. mandatory contains the fields that have to be present in the APEL message, therefore the plugin needs to know how to get the information from the AUDITOR records. The mandatory fields are:

| Name | Data type |
| --- | --- |
| NormalisedCpuDuration (only for summary_fields) | int |
| NormalisedWallDuration (only for summary_fields) | int |

There are actually more mandatory fields, but they are handled internally and don't need any input from the user.

optional fields can be used to provide additional information to APEL:

| Name | Data type |
| --- | --- |
| Infrastructure (only for summary_fields) | str |
| InfrastructureType (only for individual_job_fields) | str |
| InfrastructureDescription (only for individual_job_fields) | str |
| LocalUserId (only for individual_job_fields) | str |
| FQAN (only for individual_job_fields) | str |
| ServiceLevel (only for individual_job_fields) | float |
| ServiceLevelType (only for individual_job_fields) | str |

The information about the possible fields, their required data types, and what is mandatory or optional, is taken from

Please make sure that the information you extract from the AUDITOR records has the correct data type as expected by APEL!

Different field types are available, depending on the source of the value that is needed: ComponentField, MetaField, ConstantField, ScoreField, NormalisedField, and NormalisedWallDurationField. The type to be used is indicated after the name of the field with a leading exclamation mark, e.g. Processors: !ComponentField.

ComponentField extracts the value from a component in the AUDITOR record. The mandatory parameter of this field is name, which gives the name of the component in the AUDITOR record. If the value needs to be modified, e.g. if it has another unit than the one expected by APEL, the optional parameter divide_by has to be used.

MetaField extracts the value from the meta information in the AUDITOR record. The mandatory parameter of this field is name, which gives the name of the component in the AUDITOR record. If the value needs to be modified, one of the optional parameters regex or function can be used. regex takes a regular expression, searches the value for this expression, and returns the complete match. function has the parameters name and parameters, where the latter is optional and can be used to provide additional parameters to the function. If you want to manipulate the value of the MetaField with a custom function, it has to be present in and can be added via a pull request.

ConstantField has the mandatory parameter value, which is exactly what will be written in the message field.

ScoreField extracts the score value from a given component from the AUDITOR record. The mandatory parameters are name, the name of the score, and component_name, the name of the component.

NormalisedField has the parameters base_value and score, where score is a ScoreField and base_value a ComponentField. The resulting value is the product of the score and the base value.

NormalisedWallDurationField has the parameter score, which is a ScoreField. The value of the score is multiplied with the runtime of the AUDITOR record.
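The following added example (not the plugin's own code) shows how the field types described above resolve against a single record. The record layout, the names voms, Cores, TotalCPU and hepscore23, and the rounding to int are assumptions made for the example.

```python
import re

# Constructed record. The layout (meta values as lists, components carrying
# scores, runtime in seconds) and all names are assumptions for this example.
RECORD = {
    "runtime": 3600,
    "meta": {"voms": ["/atlas/Role=production"]},
    "components": [
        {"name": "Cores", "amount": 8,
         "scores": [{"name": "hepscore23", "value": 10.0}]},
        {"name": "TotalCPU", "amount": 7200000, "scores": []},
    ],
}

def _component(record, name):
    for component in record["components"]:
        if component["name"] == name:
            return component
    raise KeyError(f"component {name!r} not in record")

def component_field(record, name, divide_by=None):
    """Amount of a component, optionally converted to the unit APEL expects."""
    amount = _component(record, name)["amount"]
    return round(amount / divide_by) if divide_by else amount

def meta_field(record, name, regex=None):
    """First meta value for `name`; with `regex`, the complete match only."""
    value = record["meta"][name][0]
    if regex is None:
        return value
    match = re.search(regex, value)
    if match is None:
        raise ValueError(f"{regex!r} does not match meta field {name!r}")
    return match.group(0)

def score_field(record, name, component_name):
    for score in _component(record, component_name)["scores"]:
        if score["name"] == name:
            return score["value"]
    raise KeyError(f"score {name!r} not on component {component_name!r}")

def normalised_field(record, base_value, score):
    """Product of a ComponentField (base_value) and a ScoreField (score)."""
    # Rounded to int (assumption) because the mandatory fields are typed int.
    return round(component_field(record, **base_value) * score_field(record, **score))

def normalised_wall_duration_field(record, score):
    """Score multiplied with the runtime of the record."""
    return round(score_field(record, **score) * record["runtime"])
```

A failed regex match or a missing component raises instead of returning an empty value, so a misconfigured field is noticed before a message with the wrong data type is built.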

When using the Docker container, auditor-apel-publish for example can be started with

docker run -it --rm --network host -u "$(id -u):$(id -g)" -v ./config_folder:/app/ aluschumacher/auditor-apel-plugin:edge auditor-apel-publish -c auditor_apel_plugin.yml

In this example, the local directory config_folder contains the config file auditor_apel_plugin.yml, the client certificate hostcert.pem, and the client key hostkey.pem. The JSON file time.json will also be written in config_folder. The corresponding entries in the config file would be:

time_json_path: time.json
client_cert: hostcert.pem
client_key: hostkey.pem

Priority Plugin

The priority plugin takes the resources provided by multiple groups and computes a priority for each of these groups based on how many resources were provided. This allows one to transfer provided resources on one system to priorities in another system. The computed priorities are set via shelling out, and the executed commands can be defined as needed.

The priority plugin is available as RPM or can be built with the command:

RUSTFLAGS='-C link-arg=-s' cargo build --release --target x86_64-unknown-linux-musl --bin auditor-priority-plugin

The resulting binary can be found in target/x86_64-unknown-linux-musl/release/auditor-priority-plugin and is ideally placed on a node where the priorities should be set.

The priority plugin runs continuously. Ideally, it is installed as a systemd service. Priorities are updated at a frequency that can be set via the configuration.

A typical configuration for the SLURM batch system may look like this:

auditor:
  addr: "auditor_host_address"
  port: 8000
timeout: 30 # in seconds
duration: 1209600 # in seconds
frequency: 3600 # in seconds
components:
  NumCPUs: "HEPSPEC"
group_mapping:
  group1:
    - "part1"
  group2:
    - "part2"
  group3:
    - "part3"
commands:
  - '/usr/bin/bash -c "/usr/bin/echo \"$(date --rfc-3339=sec --utc) | {resource} | {priority}\" >> {group}.txt"'
  - "/usr/bin/scontrol update PartitionName={1} PriorityJobFactor={priority}"
min_priority: 1
max_priority: 65335
computation_mode: ScaledBySum
log_level: info
prometheus:
  enable: true
  addr: ""
  port: 9000
  metrics:
    - ResourceUsage
    - Priority
tls_config:
  use_tls: false

To enable TLS for both of the above configs, set use_tls to true in tls_config and add the certificate paths as shown below.

tls_config:
  use_tls: true
  ca_cert_path: "/path/rootCA.pem"
  client_cert_path: "/path/client-cert.pem"
  client_key_path: "/path/client-key.pem"
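A pre-deployment check for the TLS settings documented on this page, as an added example (not part of the AUDITOR code base). It takes the already parsed YAML as a dict; the function name, the finding texts and the private-key permission check are assumptions of this example.

```python
import os
import stat

TLS_PATH_KEYS = ("ca_cert_path", "client_cert_path", "client_key_path")

def check_tls_settings(settings):
    """Return findings for a dict holding the TLS-related keys of one config.

    `settings` is the parsed YAML: the tls_config block of the priority
    plugin, or the merged authentication and auditor sections of the APEL
    plugin (merging them is a choice made for this example).
    """
    findings = []
    if settings.get("verify_ca") is False:
        findings.append("verify_ca is False: the APEL server certificate is not verified")
    if not settings.get("use_tls", False):
        findings.append("use_tls is false: the connection to AUDITOR is not encrypted")
        ignored = [key for key in TLS_PATH_KEYS if key in settings]
        if ignored:
            findings.append("set but without effect: " + ", ".join(ignored))
        return findings
    for key in TLS_PATH_KEYS:
        path = settings.get(key)
        if not path:
            findings.append(f"{key} is missing although use_tls is true")
        elif not os.path.isfile(path):
            findings.append(f"{key} does not point to a file: {path}")
        elif key == "client_key_path" and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            # The private key should be readable by the service user only.
            findings.append(f"{key} is accessible by group or others: {path}")
    return findings
```

An empty list means TLS is enabled, all three files exist and the client key is not accessible to group or others.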

The Auditor instance that is providing the records can be configured with the auditor block. Here, addr refers to the address of the machine that hosts the Auditor instance. The port can be specified with port.

The resources used for calculating the priorities can be configured via the components field. It defines which components to extract from the components field of the record (NumCPUs in this example), as well as the corresponding score (HEPSPEC in this example). Multiple components can be extracted. The configured components and scores must be part of the records. The resources of each component will be multiplied by the corresponding score and the resulting provided resource per group is the sum of all these.

The records considered in the computation can be limited to all records which finished in the past X seconds via the duration field (in seconds). Omitting this field takes all records in the database into account. The frequency of recalculating the priorities can be set via the frequency field.

Via the group_mapping field, it is possible to attach certain additional information to the individual groups which are to be considered in the calculation. The example configuration above has three groups group{1,2,3}, each with a corresponding partition part{1,2,3}. These mappings can be accessed when constructing the commands which will be executed after computing the priorities by using {N}, where N corresponds to the number of the element in the list of the group_mapping. For instance, for group1, the string {1} indicates part1, while for group2 the same string {1} indicates part2. The group name can be accessed via the {group} string. The commands field in the configuration illustrates the usage of these mappings. This allows one to adapt the commands for the various groups involved. In the commands field one can also see a string {priority}, which will be replaced by the computed priority for the group. Another special string, {resources}, is available, which is replaced by the computed provided resource per group. The command is executed for each group separately and multiple commands can be provided with a list.

The verbosity of logging can be set with the log_level option. Possible values are trace, debug, info (default), warn, and error.

The priority plugin allows for real-time monitoring of the computed resources and priorities via a Prometheus endpoint. Per default, the Prometheus endpoint is disabled. It can be enabled by adding the prometheus block to the configuration or by setting the enable field of this block to true. Inside the prometheus block, the address and port of the HTTP server that provides the Prometheus metrics can be specified via the addr and port fields. The metrics will then be available at <addr>:<port>/metrics. The metrics list specifies the metrics that are exported. Right now the values ResourceUsage (for the amount of provided resources in the given duration) and Priority (for the calculated priority value) are supported.

Set use_tls to true to enable TLS encryption. If use_tls is false, TLS will not be used, and the remaining parameters will not take effect. If TLS is enabled:

Priority computation modes

As stated above, the priorities are computed from the provided resources of each group. However, the computed resources and the priorities are in different units and span different ranges. Therefore a mapping between resources and priorities needs to be in place. This plugin offers two computation_modes: FullSpread and ScaledBySum. Via min_priority and max_priority, lower and upper limits on the computed priority are set.
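Because the commands field described above is turned into commands that are executed, group names and group_mapping entries end up on a command line and, in the bash -c template, inside a string that a shell interprets. The following added example (not the plugin's own code) fills the placeholders and rejects values outside a conservative character set; the function names, the allowed character set and the sample priorities are assumptions.

```python
import re
import shlex

# Assumption for this example: substituted values are limited to this
# conservative character set, so they cannot add words, options or shell syntax.
SAFE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.:+-]*")
PLACEHOLDER = re.compile(r"\{(\w+)\}")

def render(template, group, mapping, priority, resources):
    """Fill {group}, {priority}, {resources} and {N} for one group."""
    values = {"group": group, "priority": str(priority),
              # the prose names {resources}, the sample command uses {resource}
              "resources": str(resources), "resource": str(resources)}
    # {N} is the N-th entry (counted from 1) of this group's mapping list
    values.update({str(n): v for n, v in enumerate(mapping, start=1)})

    def fill(match):
        key = match.group(1)
        if key not in values:
            raise ValueError(f"unknown placeholder {{{key}}} for {group!r}")
        if not SAFE.fullmatch(values[key]):
            raise ValueError(f"unsafe value for {{{key}}}: {values[key]!r}")
        return values[key]

    return PLACEHOLDER.sub(fill, template)

def to_argv(template, group, mapping, priority, resources):
    """Render, then split into an argument vector (no implicit shell)."""
    return shlex.split(render(template, group, mapping, priority, resources))

# The two command templates and the group mapping from the configuration above.
ECHO = (r'/usr/bin/bash -c "/usr/bin/echo \"$(date --rfc-3339=sec --utc)'
        r' | {resource} | {priority}\" >> {group}.txt"')
SCONTROL = "/usr/bin/scontrol update PartitionName={1} PriorityJobFactor={priority}"
GROUP_MAPPING = {"group1": ["part1"], "group2": ["part2"], "group3": ["part3"]}

if __name__ == "__main__":
    # Constructed priorities; dry run that only prints the argument vectors.
    for group, prio in {"group1": 65335, "group2": 1200, "group3": 1}.items():
        print(to_argv(SCONTROL, group, GROUP_MAPPING[group], prio, 0.0))
```

Only placeholders that actually occur in a template are validated, so a group whose name fails the check is rejected by the echo template but still accepted by the scontrol template, which does not use {group}.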

Auditor Clients

To facilitate the development of collectors and plugins, client libraries for Rust and Python are offered which handle the interaction with the Auditor server. For details please consult the respective documentation pages for the Rust client and the Python client.


While the client libraries provide an interface to communicate with the Auditor server, it is also possible to directly use the REST API provided by the Auditor server. The following table provides an overview of the different API endpoints that are provided. The individual endpoints are further detailed down below.

Health check | GET /health_check
Get Prometheus metrics | GET /metrics
Add single record | POST /record
Add multiple records | POST /records
Update record | PUT /record
Get single record by record_id | GET /record/<record_id>
Get all records | GET /records
Get subset of records | GET /records?<query_string>

In the event of unforeseen errors, the server will respond with a 500 INTERNAL SERVER ERROR.



To install an AUDITOR stack on a Kubernetes cluster we provide a Helm Chart in ./helmcharts/ that includes the subcharts

All charts can be (de-)activated individually in the parent chart's values.yaml, so everything can be run on Kubernetes or separately. With the exception of the server chart, all deployments should be provided with persistent storage, while the auditor chart requires a Postgres.

For the sake of this example we will provide a small Docker compose setup to run a Postgres instance and install all other components on Kubernetes.

To set up Postgres we use the following files:

# .env

# docker-compose.yml

    image: postgres:16.2-alpine
    hostname: postgres
      - vol_postgres:/var/lib/postgresql/data
    # Note: During init the server is ready but only accepts connections via
    # socket. Specifying localhost makes sure init is done.
        - "CMD"
        - "pg_isready"
        - "--dbname=$POSTGRES_DB"
        - "--username=$POSTGRES_USER"
        - "--host=localhost"
      interval: 60s
      timeout: 3s
      start_period: 60s
      start_interval: 2s
      retries: 1
      - ${POSTGRES_PORT}:5432
      - auditor-on-kubernetes


# docker-compose-setup.yml
    image: aluschumacher/auditor:${AUDITOR_VERSION}
      AUDITOR_DATABASE__HOST: postgres
    command: migrate
      - auditor-on-kubernetes
        condition: service_healthy


The first start of Postgres is done with

docker compose -f docker-compose.yml -f docker-compose-setup.yml up

to run the migration.

The configuration of the AUDITOR stack is done through the values.yaml files of the charts. In particular, we need to provide the Postgres address in the parent chart or the auditor chart.

We then install everything via the Helm Charts:

kubectl create namespace auditor
helm install -n auditor auditor-stack helmcharts/

Note that, per default, none of the pods will have persistent storage. It is however advised to provide the collector, the APEL plugin and especially the Prometheus instance with persistent storage. The values.yaml files contain a section with a simple example for this, using local paths. If you want to use it, set persistentVolume.use to true in the appropriate values.yaml and add the node to use in persistentVolume.nodeAffinity. Then, on the nodes in question, the directory /srv/auditor/{apel,collector,prometheus} should exist.

If you want to run the APEL plugin on Kubernetes you need to provide it with certificate files ca.pem, client.pem and client.key in the files directory of its chart.


Licensed under either of

at your option.


Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.