-
Notifications
You must be signed in to change notification settings - Fork 186
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open questions around url.template
and url.full
#1095
Comments
From OTel side, we're more concerned with sensitive data in the query params - #860. The generic scrubbing is not expected to templatize the URL, it's only expected to scrub sensitive params. We don't yet know how it'll look like (blocklist, allowlist, configurable, etc). Sanitized URL may look like this Scrubbing process is not expected to remove all dynamic components from the Users benefit from having both - template and full url - full provides path and safe-to-record properties that are necessary for observability. It's great to also have TL;DR: |
In the perfect world we should have span/metric measurement per each request, i.e. each request would have different template. If it's not always the case, then I'd say |
Does this mean that the addition of Regarding
The implementation we are planning for .NET will omit both on redirects. I still think that |
Correct,
|
So there would be no information about the URL for redirects? Also, which span do you refer to when talking about redirects:
|
There is no such span in
I meant the auto-redirect span(s) following the initial
Actually, we are considering multiple sanitization mechanisms for .NET 9. One of them is to replace Note that currently no attributes are emitted for the http spans, adding them is part of dotnet/runtime#93019. I would only consider adding |
So If I understand correctly:
there will be multiple modes allowing to:
I'd like to suggest the following:
Essentially, don't consider url and template as mutually exclusive - they should be treated independently. |
Yes, you understood it correctly.
Building that string does not feel to be worthy of the cost, it would be simpler just to emit
Do you mean by this that if a template is provided by the user, we should only add it as
With proper usage, url and/or template would be present in most cases. Redirections are very rare in server to server communication. If they happen during a strict logging setup, the spans would still indicate their presence. Users can switch to less restrictive logging modes to debug them. |
By 'template' I assume this means only strings that we have a specific expectation are low cardinality right? For example if we had some hypothetical API like this:
Users could use that API to give any string they wanted, not necessarily a low cardinality one. I assume that string would not count as a template and we should log it as the sanitized url.full, not url.template?
I'm not sure what determines whether we can or can't? It feels like the spec implies url.template should relate to the URL the request was sent to, but exactly what is allowable and who is being proposed to enforce that relationship wasn't clear to me. A couple examples:
|
having
|
Yes, there is no relationship between |
I don't know where the assumption about server applications (you can do .NET client code) or that redirects are rare is coming from. It's common to do redirects to regional endpoints, we have some services in Azure that do redirection to other services e.g. to object store to download something. I don't know how .NET will allow users to provide the |
@noahfalk As for relationship between the URL itself and the template - there is no requirement or enforcement for them to be strictly related. Could you please point to some things in the spec that feel wrong/insufficient?
|
BTW, is there a plan to add |
That answered it nicely, thanks! As for my confusion with the spec, its mostly because the spec doesn't say this. If you add similar text to the spec clarifying that the string can be anything and its completely user responsibility to set it and interpret it that covers most of it. I think it also would be nice one way or another to recommend whether url.template the user specifies for the initial request should be included on redirects.
I just made up a random name so I don't expect the API will be named that, but yes @antonfirsov is investigating APIs in that space. Given that url.template is currently marked experimental I suggested it might be more appropriate that our API for now is just about sanitizing the URL in url.full and url.template will be handled separately once it is considered stable in the future. |
thanks! // GET http://abc.com/v1/accounts/43
Mono<Account> result = client.get()
.uri("/accounts/{id}", 43)
.exchange()
.then(response -> response.bodyToMono(Account.class)); We probably should do a better job documenting it, but OTel semconv does not apply any normative requirements to user input. I agree on the redirect - we should clarify it.
One option to solve it is to let users specify both - the attribute name and the value. There is a common ask from users to be able enrich the HTTP span with something (standard or app-specific). It'd be nice for users to be able to do something like var httpRequest = new ...();
httpRequest.SetTelemetryContext({{"url.template":"/users/{id}"}, {"foo": "bar"}}) this removes responsibility from the native HTTP instrumentation to populate or sanitize these extra attributes. Related to open-telemetry/oteps#207 - OTel might define a common mechanism like this in the future. |
This looks very similar to what we call enrichment (except the sanitization part). Enrichment is already supported for metrics in .NET and we plan to add support for distributed tracing. |
Nice! Is it static or dynamic enrichment? |
Dynamic enrichment. Its quietly hiding out here: https://source.dot.net/#System.Net.Http/System/Net/Http/Metrics/HttpMetricsEnrichmentContext.cs,78 Originally we were expecting the Microsoft.Extensions libraries were going to build some higher level API support over the top of it but that didn't happen in .NET 8 at least. The underlying mechanism exists now but isn't publicized much. |
Cool! So effectively .NET does not have to do anything special to support |
.NET 8 for metrics yes, .NET 9 conditional on enrichment for tracing APIs getting completed :) |
@antonfirsov @noahfalk thank you for the context and all the questions! I created #1143 to clarify redirects. Is there something else here or could we close the issue? |
I'm not sure I see the connection between in my view:
|
I think @antonfirsov means it is possible for those two concepts to be conflated because one possible way to generate the value for url.full is reuse the same value as url.template. In practice making a string low-cardinality has the effect of removing sensitive data. I'm not aware the spec says anything that is specifically misleading. I think its a suggestion that we could make some proactive clarifications about how the goals of redacted url.full differ from url.template and why you might want each attribute to have a different value even though they don't have to be different. |
I understand that URL sanitization and making URL as a low-cardinality dimension are two seemingly different requirements. However, I think that from the perspective of OTel they should be kept separate. But I am not so sure, if in reality, users will want to separately handle url redaction and url template setting, and in even worse case, handle it per telemetry pillar - separately for metrics, separately for traces, by using pillar-specific enrichment. I think that it is safe to say that in most cases, setting a low-cardinality template for URL (or redirect URL) could be considered as a way of removing sensitive data. If users want to have the low cardinality template, and redact the URL differently i.e. by doing a one-way hashing of the sensitive data, it would be great to have that option to handle these cases separately. But in both cases, users should not be forced to set url template more than once for a given URL (in particular - they should not be forced to enrich url.template for metrics, traces, and potentially even for logs, separately. Even in OTel, the low-cardinality attribute is defined as part of "URL" scope, so semantically, it is a piece of information attached to the URL, which is reused across pillars. |
I believe we reached conclusions here, closing. |
Area(s)
area:http
Is your change request related to a problem? Please describe.
#675 introduced a new http attribute
url.template
, which is supposed to be a low-cardinality variant ofurl.full
, however I see several open questions around the expected behavior ofuri.template
in regards of implementation challanges and it's relation tourl.full
.From .NET's HttpClient instrumentation POV we would need to have these questions resolved and the specification adjusted before considering implementing the attribute.
Relationship with
url.full
According to the
uri.full
specIn my understanding an ideal scrubbing implementation would make
url.full == url.template
. If this is the case, do we still need both properties? If this is not the case, how exactly do we imagineurl.full
to look like after scrubbing?url.template
has been introduced to have a low cardinality url attribute, but does it mean that we are ok keepingurl.full
high-cardinality? Moreover, if an instrumented library is unable to scrub sensitive data is it the right choice to defineurl.full
asRequired
from privacy POV?Wouldn't it be wiser to rather merge the two properites and state that if an implementation is enlightened to templatize/sanitize
url.full
it should be emitted in a template form?Redirects
According to the http client span spec
in case a user provides a
url.template
and a redirect happens, what value do we expect to be logged forurl.template
for the redirect span? If the scrubbing mechanism forurl.full
is based on the template, what do we expect to be logged inurl.full
?Describe the solution you'd like
One possible resolution of the listed problems is to define a standard templating syntax, allowing instrumented libraries to pattern-match a list of pre-defined templates to the actual uri, and log the template in
url.full
if a match is found. Do not logurl.full
, or log a placeholder value otherwise.Another, simpler and cheaper solution is to:
url.full
for the first request.url.full
for redirects or log a placeholder value.I don't see value keeping
url.full
andurl.template
separate with neither of my proposals. Moreover, regardless of the solution we pick, I'd recommend to makeurl.full
Conditionally Required
, allowing implementations to omit it if there is no scrubbing mechanism implemented./cc @klauco @trask @lmolkova @joaopgrassi
The text was updated successfully, but these errors were encountered: