Clarify if/how enduser.role can have multiple roles #307
@@ -320,7 +320,7 @@ These attributes may be used for any operation with an authenticated and/or auth | |||
| Attribute | Type | Description | Examples | Requirement Level | | |||
|---|---|---|---|---| | |||
| `enduser.id` | string | Username or client_id extracted from the access token or [Authorization](https://tools.ietf.org/html/rfc7235#section-4.2) header in the inbound request from outside the system. | `username` | Recommended | | |||
| `enduser.role` | string | Actual/assumed role the client is making the request under extracted from token or application security context. | `admin` | Recommended | | |||
| `enduser.role` | string | Actual/assumed role(s) the client is making the request under extracted from token or application security context. | `admin, superadmin` | Recommended | |
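Review bot: The changed `enduser.role` row keeps the type as `string` while the example becomes `admin, superadmin`, so several roles are packed into one value and the description never names the separator. A consumer cannot tell whether to split on `,` or `, `, or how a role name that itself contains a comma is represented, and an exact-match filter on `admin` would no longer match the combined value. Either state the delimiter and whether ordering matters in the Description column, or give the attribute an array type so each role is its own element.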
another option is to change it to `enduser.roles` and define it as `string[]`
Yeah that'd be clearer. `enduser.scope` could also be pluralized and changed to `string[]`

Do you know off-hand if this change can/should have a transformation in `schema-next.yaml`? I don't see other examples of a rename that also goes from `string` -> `string[]`, and didn't see the schema documentation mention if/how data type changes are handled
I found the schema transformation processor and will take a look at how this scenario's handled
the processor just renames the attribute - no transformation to the value's done
lmk if the breaking change to string[] makes sense
In ECS, there's the Regarding roles: In ECS the corresponding field is

This PR was marked stale due to lack of activity. It will be closed in 7 days.

Hi @swar8080 ! We changed how the CHANGELOG.md is managed. Please take a look at https://github.com/open-telemetry/semantic-conventions/blob/main/CONTRIBUTING.md#adding-a-changelog-entry to see what needs to be done. Sorry for the disruption.

This PR was marked stale due to lack of activity. It will be closed in 7 days.

Closed as inactive. Feel free to reopen if this PR is still being worked on.

this should be addressed by #731, which deprecates
Changes
Some role-based access control implementations allow assuming multiple roles. For example, in Java's Spring Security framework
Let me know if it makes sense to clarify that multiple roles are possible in the enduser.role attribute documentation
I noticed this when looking at a request to capture `enduser.role` with spring security auto-instrumentation (open-telemetry/opentelemetry-java-instrumentation#9400)

Merge requirement checklist