diff --git a/docs/generated/settings/settings.html b/docs/generated/settings/settings.html
index 5eb4b70ec16e..548c78a9aee4 100644
--- a/docs/generated/settings/settings.html
+++ b/docs/generated/settings/settings.html
@@ -86,6 +86,7 @@
server.oidc_authentication.redirect_url | string | https://localhost:8080/oidc/v1/callback | sets OIDC redirect URL via a URL string or a JSON string containing a required `redirect_urls` key with an object that maps from region keys to URL strings (URLs should point to your load balancer and must route to the path /oidc/v1/callback) |
server.oidc_authentication.scopes | string | openid | sets OIDC scopes to include with authentication request (space delimited list of strings, required to start with `openid`) |
server.rangelog.ttl | duration | 720h0m0s | if nonzero, range log entries older than this duration are deleted every 10m0s. Should not be lowered below 24 hours. |
+server.secondary_tenants.redact_trace.enabled | boolean | true | controls if server side traces are redacted for tenant operations |
server.shutdown.connection_wait | duration | 0s | the maximum amount of time a server waits for all SQL connections to be closed before proceeding with a drain. (note that the --drain-wait parameter for cockroach node drain may need adjustment after changing this setting) |
server.shutdown.drain_wait | duration | 0s | the amount of time a server waits in an unready state before proceeding with a drain (note that the --drain-wait parameter for cockroach node drain may need adjustment after changing this setting. --drain-wait is to specify the duration of the whole draining process, while server.shutdown.drain_wait is to set the wait time for health probes to notice that the node is not ready.) |
server.shutdown.lease_transfer_wait | duration | 5s | the timeout for a single iteration of the range lease transfer phase of draining (note that the --drain-wait parameter for cockroach node drain may need adjustment after changing this setting) |
diff --git a/pkg/server/bench_test.go b/pkg/server/bench_test.go
index 5c70170919e3..c653608ab543 100644
--- a/pkg/server/bench_test.go
+++ b/pkg/server/bench_test.go
@@ -15,6 +15,7 @@ import (
"testing"
"github.com/cockroachdb/cockroach/pkg/roachpb"
+ "github.com/cockroachdb/cockroach/pkg/settings/cluster"
"github.com/cockroachdb/cockroach/pkg/testutils/skip"
"github.com/cockroachdb/cockroach/pkg/util/leaktest"
"github.com/cockroachdb/cockroach/pkg/util/tracing"
@@ -57,7 +58,9 @@ func BenchmarkSetupSpanForIncomingRPC(b *testing.B) {
b.ResetTimer()
for i := 0; i < b.N; i++ {
- _, sp := setupSpanForIncomingRPC(ctx, roachpb.SystemTenantID, ba, tr)
+ _, sp := setupSpanForIncomingRPC(
+ ctx, roachpb.SystemTenantID, ba, tr, cluster.MakeTestingClusterSettings(),
+ )
sp.finish(ctx, nil /* br */)
}
})
diff --git a/pkg/server/node.go b/pkg/server/node.go
index ea3919de2be4..21c5925b0a27 100644
--- a/pkg/server/node.go
+++ b/pkg/server/node.go
@@ -153,6 +153,12 @@ var (
10*time.Second,
settings.NonNegativeDurationWithMaximum(maxGraphiteInterval),
).WithPublic()
+ redactServerTracesForSecondaryTenants = settings.RegisterBoolSetting(
+ settings.SystemOnly,
+ "server.secondary_tenants.redact_trace.enabled",
+ "controls if server side traces are redacted for tenant operations",
+ true,
+ ).WithPublic()
)
type nodeMetrics struct {
@@ -1097,6 +1103,7 @@ type spanForRequest struct {
sp *tracing.Span
needRecording bool
tenID roachpb.TenantID
+ settings *cluster.Settings
}
// finish finishes the span. If the span was recording and br is not nil, the
@@ -1114,17 +1121,15 @@ func (sp *spanForRequest) finish(ctx context.Context, br *roachpb.BatchResponse)
rec = sp.sp.FinishAndGetConfiguredRecording()
if rec != nil {
- // Decide if the trace for this RPC, if any, will need to be redacted. It
- // needs to be redacted if the response goes to a tenant. In case the request
- // is local, then the trace might eventually go to a tenant (and tenID might
- // be set), but it will go to the tenant only indirectly, through the response
- // of a parent RPC. In that case, that parent RPC is responsible for the
- // redaction.
+ // Decide if the trace for this RPC, if any, will need to be redacted. In
+ // general, responses sent to a tenant are redacted unless indicated
+ // otherwise by the cluster setting below.
//
- // Tenants get a redacted recording, i.e. with anything
- // sensitive stripped out of the verbose messages. However,
- // structured payloads stay untouched.
- needRedaction := sp.tenID != roachpb.SystemTenantID
+ // Even if the recording sent to a tenant is redacted (anything sensitive
+ // is stripped out of the verbose messages), structured payloads
+ // stay untouched.
+ needRedaction := sp.tenID != roachpb.SystemTenantID &&
+ redactServerTracesForSecondaryTenants.Get(&sp.settings.SV)
if needRedaction {
if err := redactRecordingForTenant(sp.tenID, rec); err != nil {
log.Errorf(ctx, "error redacting trace recording: %s", err)
@@ -1151,11 +1156,15 @@ func (sp *spanForRequest) finish(ctx context.Context, br *roachpb.BatchResponse)
func (n *Node) setupSpanForIncomingRPC(
ctx context.Context, tenID roachpb.TenantID, ba *roachpb.BatchRequest,
) (context.Context, spanForRequest) {
- return setupSpanForIncomingRPC(ctx, tenID, ba, n.storeCfg.AmbientCtx.Tracer)
+ return setupSpanForIncomingRPC(ctx, tenID, ba, n.storeCfg.AmbientCtx.Tracer, n.storeCfg.Settings)
}
func setupSpanForIncomingRPC(
- ctx context.Context, tenID roachpb.TenantID, ba *roachpb.BatchRequest, tr *tracing.Tracer,
+ ctx context.Context,
+ tenID roachpb.TenantID,
+ ba *roachpb.BatchRequest,
+ tr *tracing.Tracer,
+ settings *cluster.Settings,
) (context.Context, spanForRequest) {
var newSpan *tracing.Span
parentSpan := tracing.SpanFromContext(ctx)
@@ -1199,6 +1208,7 @@ func setupSpanForIncomingRPC(
needRecording: needRecordingCollection,
tenID: tenID,
sp: newSpan,
+ settings: settings,
}
}