Title: Attribute-based Access Control for OpenTelemetry Log Streams (original title: OpenTelemetry日誌的串流與屬性導向權控機制)
Author: CHEN, YUAN-TING (陳媛婷)
Contributors: Liao, Chun-Feng (廖峻鋒), advisor; Chen, Yi-hsiu (陳宜秀), advisor; CHEN, YUAN-TING (陳媛婷)
Keywords: OpenTelemetry; Log Access Control; Authentication; OIDC; ABAC; Observability
Date: 2026
Upload time: 2-Mar-2026 11:19:24 (UTC+8)
Abstract:
With the advent of the cloud computing era, modern information systems have grown significantly in both scale and complexity, making effective management and protection of resource access privileges a critical challenge. Contemporary systems commonly collect large volumes of telemetry data to achieve observability. Among these, logs are widely used for system debugging and event analysis due to their combination of structured data and human-readable content. However, logs are also more likely to contain sensitive information, and without carefully designed access control and isolation mechanisms, they may lead to information leakage, particularly in environments where multiple administrative roles jointly manage the log data. OpenTelemetry (OTel) has emerged as a widely adopted open specification, providing comprehensive mechanisms for telemetry data collection, processing and export. Nevertheless, OTel does not offer explicit design guidance for authorization and access control of log data. Moreover, most existing authorization mechanisms rely primarily on Role-Based Access Control (RBAC), which lacks the ability to express fine-grained, context-aware access policies once role permissions are statically defined. Motivated by these limitations, this thesis designs and implements a dynamic authentication and authorization management mechanism compatible with OpenTelemetry. The proposed approach integrates OpenID Connect (OIDC) for identity authentication and adopts an Attribute-Based Access Control (ABAC) model to dynamically determine the scope of accessible log data based on user attributes, log attributes, and access context. In the implementation, authorization decisions are enforced by controlling users’ subscriptions to log streams, with MQTT employed as the backbone for log streaming, enabling real-time permission checks and data isolation.
To evaluate the proposed mechanism, this thesis designs test cases covering multiple user access scenarios and conducts empirical validation from both Security and Availability perspectives. The results demonstrate that the proposed mechanism effectively prevents unauthorized access while ensuring the correct execution of legitimate operations. By addressing a critical gap in log access control within the existing OpenTelemetry architecture, this thesis enhances the security and flexibility of observability systems in practical deployments.
Description: Master's
National Chengchi University
Master's Program in Digital Content
112462009
Source: http://thesis.lib.nccu.edu.tw/record/#G0112462009
Type: thesis
Other identifier: G0112462009
URI: https://nccur.lib.nccu.edu.tw/handle/140.119/161707
Format: application/pdf, 4811291 bytes
Table of contents:
Acknowledgements
Abstract (Chinese)
Abstract
Table of Contents
List of Figures
List of Tables
Chapter 1 Introduction
  1.1 Research Background and Motivation
  1.2 Research Objectives and Questions
  1.3 Research Structure and Process
Chapter 2 Technical Background and Literature Review
  2.1 Technical Background
    2.1.1 Observability Concepts
    2.1.2 OpenTelemetry Architecture
    2.1.3 Authentication
    2.1.4 Access Control (Authorization)
  2.2 Literature Review
Chapter 3 System Design
  3.1 System Architecture
  3.2 Log Routing Strategy Design
  3.3 Integration of OIDC Authentication and Authorization Control
Chapter 4 System Implementation
  4.1 Log Processing Module Implementation
    4.1.1 Collector Configuration and Processing Pipeline
    4.1.2 Log Storage and Query Module
    4.1.3 MQTT Push System
  4.2 Access Control Module Implementation
    4.2.1 OIDC Provider Authentication
    4.2.2 Dispatcher Authentication Flow
    4.2.3 PDP Attribute-based Authorization Decision
  4.3 Overall Module Integration and Practical Application Scenarios
Chapter 5 System Evaluation
  5.1 Security
    5.1.1 Verification Design and Process
    5.1.2 Verification Results and Discussion
  5.2 Availability
    5.2.1 Verification Design and Process
    5.2.2 Verification Results and Discussion
  5.3 Performance and Stability
    5.3.1 Performance Comparison With and Without the Authorization Mechanism
    5.3.2 Performance Evaluation Under Different Traffic Loads
    5.3.3 Stability Testing
    5.3.4 Stress Testing
Chapter 6 Conclusion
References
Appendices
Appendix A Verification Code for Each Security Scenario
  Scenario 1: Attacker accesses resources without a token
  Scenario 2: Attacker subscribes to an unauthorized MQTT topic
  Scenario 3: Dynamic authorization update for a user (role downgrade)
  Scenario 4: Attacker uses an expired token
  Scenario 5: Attacker uses a forged token
  Scenario 6: Attacker uses another user's token
  Scenario 7: Attacker replays a token
Appendix B Verification Code for Each Availability Scenario
  Scenario 1: User subscribes through the normal flow
  Scenario 2: Dynamic authorization update for a user (role upgrade)
  Scenario 3: User subscribes to multiple topics
