Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update enduser domain and add enduser.authentication.id #1456

Open
wants to merge 30 commits into
base: main
Choose a base branch
from
+103 −55
Open

Update enduser domain and add enduser.authentication.id #1456

Changes from 1 commit
Commits
Show all changes
30 commits
Select commit Hold shift + click to select a range
3e1655f
Add authentication to enduser namespace
heyams Oct 7, 2024
6f858a2
Fix yamllint
heyams Oct 7, 2024
07cb1eb
Fix weaver
heyams Oct 7, 2024
ee0970f
Update markdowns
heyams Oct 7, 2024
38d8687
Generate gh issue
heyams Oct 7, 2024
b1cdc13
Fix policies-check and compatibility
heyams Oct 7, 2024
068a822
Update
heyams Oct 22, 2024
e05d7a3
Merge branch 'main' into heya/add-enduser-namespace
heyams Oct 22, 2024
c17bec6
Update changelog
heyams Oct 22, 2024
0fa3ffc
Merge branch 'heya/add-enduser-namespace' of https://github.com/heyam…
heyams Oct 22, 2024
d0e26d5
Update
heyams Oct 22, 2024
614a52e
Fix yamllint
heyams Oct 22, 2024
a499237
Fix
heyams Oct 22, 2024
5bfbfe2
Fix trailing spaces
heyams Oct 22, 2024
5f883d0
Use 'make generate-gh-issue-tempaltes
heyams Oct 23, 2024
13919ed
Update
heyams Nov 22, 2024
272ded3
Merge remote-tracking branch 'upstream/main' into heya/add-enduser-na…
heyams Nov 22, 2024
5c0d6d3
Update
heyams Nov 22, 2024
ff85999
Fix identity not found
heyams Nov 22, 2024
d626e6c
Update
heyams Nov 22, 2024
cb32498
Fix yamllint
heyams Nov 22, 2024
1c53711
Fix backward compat
heyams Nov 22, 2024
51d0c99
Rename enduser.id to enduser.pseudo.id
heyams Dec 10, 2024
5d10c08
Merge remote-tracking branch 'upstream/main' into heya/add-enduser-na…
heyams Dec 10, 2024
949bae8
Update md
heyams Dec 10, 2024
9778890
Update
heyams Dec 10, 2024
23bb6fe
Update attributes.md
heyams Jan 13, 2025
f0623df
Address comments
heyams Jan 13, 2025
435fc1b
Make update
heyams Jan 13, 2025
ca87ccc
Fix yamllint
heyams Jan 13, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 1 addition & 28 deletions docs/general/attributes.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -414,34 +414,7 @@ system. It is expected this information would be propagated unchanged from node-
using the Baggage mechanism. These attributes should not be used to record system-to-system
authentication attributes.

Examples of where the `enduser.id` value is extracted from:

| Authentication protocol | Field or description |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would prefer to keep this table - it actually explains what the enduser.id is - we don't provide an explanation like this anymore. Is this information still accurate and can it be used to capture enduser.id ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

enduser.id has been replaced with 'enduser.pseudo.id`. i don't think it makes sense to keep it.

| :---------------------- | :------------------------------ |
| [HTTP Basic/Digest Authentication] | `username` |
| [OAuth 2.0 Bearer Token] | [OAuth 2.0 Client Identifier] value from `client_id` for the [OAuth 2.0 Client Credentials Grant] flow and `subject` or `username` from get token info response for other flows using opaque tokens. |
| [OpenID Connect 1.0 IDToken] | `sub` |
| [SAML 2.0 Assertion] | `urn:oasis:names:tc:SAML:2.0:assertion:Subject` |
| [Kerberos] | `PrincipalName` |

| Framework | Field or description |
| :---------------------- | :------------------------------ |
| [JavaEE/JakartaEE Servlet] | `javax.servlet.http.HttpServletRequest.getUserPrincipal()` |
| [Windows Communication Foundation] | `ServiceSecurityContext.Current.PrimaryIdentity` |

[SAML 2.0 Assertion]: http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html
[HTTP Basic/Digest Authentication]: https://tools.ietf.org/html/rfc2617
[OAuth 2.0 Bearer Token]: https://tools.ietf.org/html/rfc6750
[OAuth 2.0 Client Identifier]: https://tools.ietf.org/html/rfc6749#section-2.2
[OAuth 2.0 Client Credentials Grant]: https://tools.ietf.org/html/rfc6749#section-4.4
[OpenID Connect 1.0 IDToken]: https://openid.net/specs/openid-connect-core-1_0.html#IDToken
[Kerberos]: https://tools.ietf.org/html/rfc4120
[JavaEE/JakartaEE Servlet]: https://jakarta.ee/specifications/platform/8/apidocs/javax/servlet/http/HttpServletRequest.html
[Windows Communication Foundation]: https://docs.microsoft.com/dotnet/api/system.servicemodel.servicesecuritycontext?view=netframework-4.8

Given the sensitive nature of this information, SDKs and exporters SHOULD drop these attributes by
default and then provide a configuration parameter to turn on retention for use cases where the
information is required and would not violate any policies or regulations.
`enduser.pseudo.id` attribute can be set by a specific client component, e.g. through a cookie out of the Span's HTTP request headers. Client side application should be able to stamp this attribute on any telemetry item emitted by the application whenever this cookie is available.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@lmolkova please let me know your thoughts on this statement.

Copy link
Contributor

@lmolkova lmolkova Jan 14, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't know if my suggestion is factually correct - please adjust it, but I'd phrase it differently - something along the following lines:

Enduser attributes capture end user identity. They are likely to contain PII and should be populated, processed, and stored with caution.
Information about the end user is usually available on the client side (in a mobile or browser application). Enduser attributes are populated by the user application in coordination with OpenTelemetry SDK. Some OpenTelemetry distributions auto-collect this information from HTTP cookies.
When user information is available, it's RECOMMENDED to add it to all spans and events emitted in the scope of operation initiated by this user.

Application in coordination with OpenTelemetry SDK and Distro MAY propagate user information from the client application to the front end and across different backend services using custom HTTP cookies and/or Baggage.

Enduser information is collected and populated manually by user application or specialized components,
other instrumentations such as HTTP or RPC are not expected to populate these attributes by default.

<!-- TODO: add link to the implementation in otel-js-contirb -->

I would also put it above the table.

I think it should also replace the content of lines 413-415 above

It is expected this information would be propagated unchanged from node-to-node within the system
using the Baggage mechanism. These attributes should not be used to record system-to-system
authentication attributes.


## General thread attributes

Expand Down
Loading