Change db.statement to only be collected if there is sanitization #1552

Open
3 tasks
makeavish opened this issue Jun 28, 2023 · 3 comments

makeavish commented Jun 28, 2023

Currently `db.statement` is collected by default and there's no option to disable it. According to the OpenTelemetry spec, `db.statement` has to be disabled by default.

  • mysql
  • redis
  • mongoose
makeavish changed the title from "Change db.statement to only be collected if there is sanitization in mysql and redis" to "Change db.statement to only be collected if there is sanitization" on Jun 28, 2023
@ramesius
Contributor

DynamoDB can be added to the list too.


ithompson-gp commented Sep 4, 2023

Is there anyone working on/driving this? Generally a production blocker unless we can toggle the attribute being applied, or have functionality to scrub/obfuscate (or even having a dedicated, or passing custom, serialiser like:

#### Custom `db.statement` Serializer
The instrumentation serializes the command into a Span attribute called `db.statement`. The standard serialization format attempts to be as informative as possible while avoiding the export of potentially sensitive data. The number of serialized arguments depends on the specific command, see the configuration
list in `@opentelemetry/redis-common`.
It is also possible to define a custom serialization function. The function
will receive the command name and arguments and must return a string.
Here is a simple example to serialize the command name and all command arguments.
Notice that it might capture sensitive data and big payloads:
```javascript
const { RedisInstrumentation } = require('@opentelemetry/instrumentation-redis');

const redisInstrumentation = new RedisInstrumentation({
  // Serializes the command name and every argument verbatim.
  dbStatementSerializer: function (cmdName, cmdArgs) {
    return [cmdName, ...cmdArgs].join(" ");
  },
});
```
)

Noting the DynamoDB extension as an example of the issue:

```javascript
[SemanticAttributes.DB_STATEMENT]: JSON.stringify(
  normalizedRequest.commandInput
),
```

Overriding the `db.statement` attribute - in the AWS-SDK instrumentation `preRequestHook` - seems like a non-optimal ask of the library user (as seems to be the only method available to attempt to minimise the issue currently).
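
An allow-list serializer of the kind the comment above asks for, as an added example that is not part of the thread or the project's code. Only the `dbStatementSerializer(cmdName, cmdArgs)` signature comes from the README excerpt; `sanitizedDbStatement`, the `SAFE_ARG_COUNT` table and its values are constructed for illustration.

```javascript
// Added example, not OpenTelemetry code. SAFE_ARG_COUNT is a constructed table:
// the number of leading arguments per command that are treated as
// non-sensitive (keys, field names) and may appear in db.statement.
const SAFE_ARG_COUNT = new Map([
  ['get', 1], ['del', 1], ['exists', 1], ['ttl', 1], ['incr', 1],
  ['set', 1],               // key only, the stored value is dropped
  ['hget', 2], ['hset', 2], // key + field, the field value is dropped
  ['lpush', 1], ['rpush', 1], ['sadd', 1],
  ['auth', 0],              // never record credentials
]);

// Cap kept arguments so oversized keys cannot bloat span attributes.
const MAX_ARG_LENGTH = 64;

function truncate(value) {
  // Binary arguments are replaced by a marker instead of being decoded.
  const text = Buffer.isBuffer(value) ? '[buffer]' : String(value);
  return text.length > MAX_ARG_LENGTH
    ? text.slice(0, MAX_ARG_LENGTH) + '...'
    : text;
}

// Same shape as the serializer in the README excerpt: (cmdName, cmdArgs) => string.
function sanitizedDbStatement(cmdName, cmdArgs) {
  const name = String(cmdName);
  const args = Array.isArray(cmdArgs) ? cmdArgs : [];
  // Fail closed: a command missing from the table keeps none of its arguments.
  const keep = SAFE_ARG_COUNT.get(name.toLowerCase()) ?? 0;
  const kept = args.slice(0, keep).map(truncate);
  const dropped = args.length - kept.length;
  // Record how many arguments were withheld so the span stays debuggable.
  if (dropped > 0) kept.push(`[${dropped} redacted]`);
  return [name, ...kept].join(' ');
}

// Wiring, using the option shown in the README excerpt:
//   new RedisInstrumentation({ dbStatementSerializer: sanitizedDbStatement });
```
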

@ramesius
Contributor

@ithompson-gp I have addressed DynamoDB in #1748
