Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Obfuscate query values in db.statement for mysql2 instrumentation. #19

Closed
sribalakumar opened this issue Aug 5, 2020 · 3 comments
Closed
Labels
feature New feature or request instrumentation

Comments

@sribalakumar
Copy link
Contributor

sribalakumar commented Aug 5, 2020

The current instrumentation for mysql2 is tracing the full query with all the column values which may contain sensitive information and act as an hindrance for adoption in production environment.

https://github.com/open-telemetry/opentelemetry-ruby/blob/master/instrumentation/mysql2/lib/opentelemetry/instrumentation/mysql2/patches/client.rb#L37

def query(sql, options = {})
  tracer.in_span(
    database_span_name(sql),
    attributes: client_attributes.merge(
      'db.statement' => sql
    ),
    kind: :client
  ) do
    super(sql, options)
  end
end

Also Opentelemetry specification mentions that sensitive information can be excluded from the db.statement span attribute.

It will help us in faster adoption if we can follow a similar approach like Newrelic which has an Obfuscation util to mask values from query statements. https://github.com/newrelic/newrelic-ruby-agent/blob/006dd1bb8174e6f49c495c7e1a8ca543de9ceb93/lib/new_relic/agent/database/obfuscator.rb#L57

@fbogsany
Copy link
Contributor

fbogsany commented Aug 5, 2020

The consensus in OTEP 100 is that this mechanism will be provided in the collector but not necessarily in-process for all languages.

@sribalakumar
Copy link
Contributor Author

The consensus in OTEP 100 is that this mechanism will be provided in the collector but not necessarily in-process for all languages.

@fbogsany Actually I am not able to find such mentions in the link. Infact the internal details section mentions about having a lexer in the opentelemetry-java-instrumentation which will help to replace sensitive values with ?.

Quoting the internal section reference here:

That said, I have worked on sql normalization at three prior APM companies and am working on contributing a simple first version of one for the opentelemetry-auto-instr-java repo. It is based on using a lexer to parse out sql numeric and string literals and replacing them with a ?, exactly as described above and done by many APM products on the market.

@fbogsany
Copy link
Contributor

See the review comments on that issue to get a better sense of what the community is thinking about here.

@fbogsany fbogsany added instrumentation feature New feature or request labels Feb 22, 2021
@plantfansam plantfansam transferred this issue from open-telemetry/opentelemetry-ruby Jun 14, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
feature New feature or request instrumentation
Projects
None yet
Development

No branches or pull requests

3 participants