Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(mongodb): add db statement serializer config #626

Merged
merged 12 commits into from
Aug 31, 2021
Merged

feat(mongodb): add db statement serializer config #626

merged 12 commits into from
Aug 31, 2021

Conversation

nozik
Copy link
Contributor

@nozik nozik commented Aug 17, 2021

Which problem is this PR solving?

  • The payload for insert operations is currently explicitly excluded from being collected. It would be useful to collect it for monitoring, observability, security and many other use cases.

Short description of the changes

  • Add a flag (disabled by default) that allows collecting the insert payload.

@nozik nozik requested a review from a team August 17, 2021 10:18
@blumamir
Copy link
Member

blumamir commented Aug 17, 2021
edited
Loading

wonder why insert statement was not collected vs update statement which always does. guess the intention was not to leak sensitive information via span attributes, but then it should probably include update as well?

@codecov
Copy link

codecov bot commented Aug 17, 2021
edited
Loading

Codecov Report

Merging #626 (86476d2) into main (aec1518) will increase coverage by 0.01%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             main     #626      +/-   ##
==========================================
+ Coverage   96.68%   96.70%   +0.01%     
==========================================
  Files          13       15       +2     
  Lines         634      697      +63     
  Branches      124      128       +4     
==========================================
+ Hits          613      674      +61     
- Misses         21       23       +2
Impacted Files Coverage Δ
...tapackages/auto-instrumentations-node/src/utils.ts 96.77% <0.00%> (ø)
...ages/auto-instrumentations-node/test/utils.test.ts 96.87% <0.00%> (ø)

@nozik
Copy link
Contributor Author

nozik commented Aug 17, 2021

@blumamir Sensitive information may appear anywhere - even in an HTTP request URL - and also in an update statement, as you mentioned

@blumamir
Copy link
Member

@blumamir Sensitive information may appear anywhere - even in an HTTP request URL - and also in an update statement, as you mentioned

You are right, I don't know what was the initial intention for separating inset and update. I know in other instrumentations it was raised as an issue that instrumentation should be careful not to leak sensitive info via the db statement, but that ofcourse is no guarantee, only applying common sense as to where sensitive data more commonly reside.

With regards to the update-insert issue, I feel that adding a new instrumentation option that has the name insert in it may be something that will require a breaking change in the future if insert and update should be handled the same way.
Another approach that is implemented in ioredis and redis instrumentations is to use dbStatementSerializer option with a default implementation, which the user can override to include or format the statement attribute with custom logic according to the needs (a bit similar to the hooks that are used to apply customizations on attributes).

Anyway, these are all thoughts and suggestions, but other people might have different opinion :)

@nozik
Copy link
Contributor Author

nozik commented Aug 17, 2021

@blumamir I generally agree; I would only add that we're dealing with sensitive information anyway - it's unavoidable and has to be addressed somehow (e.g., provide a mechanism for doing that as part of OTEL, regardless of the source of the data). I tend to agree that the best solution would be breaking the existing behavior of the instrumentation and avoid the distinction between insert/update with a mechanism similar to the DB statement serializer., but let's hear other opinions on that :)

@vmarchaud
Copy link
Member

I tend to agree that the best solution would be breaking the existing behavior of the instrumentation and avoid the distinction between insert/update with a mechanism similar to the DB statement serializer., but let's hear other opinions on that :)

Well i wrote this code and don't remember why i did this, i don't think it was to avoid leaking data since we already use enhancedDatabaseReporting for that. I would be in favor of removing the logic completly

@nozik
Copy link
Contributor Author

nozik commented Aug 18, 2021

@vmarchaud So I'll go ahead and remove this logic and add the ability to override the existing db statement serialization with a dbStatementSerializer config. Agreed?

@vmarchaud
Copy link
Member

Agreed?

Yes :)

@nozik nozik force-pushed the collect_mongo_insert_statement branch 3 times, most recently from 20f2e44 to cfb8486 Compare August 18, 2021 10:15
@nozik nozik force-pushed the collect_mongo_insert_statement branch from cfb8486 to 8362ac7 Compare August 18, 2021 10:21
@nozik
Copy link
Contributor Author

nozik commented Aug 18, 2021

@vmarchaud Done :)

@dyladan dyladan changed the title feat: collect mongodb insert statements feat(mongodb): add db statement serializer config Aug 18, 2021
@nozik nozik force-pushed the collect_mongo_insert_statement branch from 137b330 to 2b6eda7 Compare August 18, 2021 16:11
@nozik nozik force-pushed the collect_mongo_insert_statement branch from 3b61c55 to 906ce3b Compare August 19, 2021 11:20
@nozik nozik requested a review from dyladan August 19, 2021 13:50
@dyladan dyladan added the enhancement New feature or request label Aug 30, 2021
obecny
obecny approved these changes Aug 30, 2021
View reviewed changes
Copy link
Member

@obecny obecny left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, one suggestion

plugins/node/opentelemetry-instrumentation-mongodb/src/instrumentation.ts Outdated
this._config.dbStatementSerializer ||
this._defaultDbStatementSerializer.bind(this);

if (typeof dbStatementSerializer === 'function') {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you should do this checking a bit earlier for example

const dbStatementSerializer: DbStatementSerializer =
      typeof this._config.dbStatementSerializer === 'function' ? this._config.dbStatementSerializer :
      this._defaultDbStatementSerializer.bind(this);

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

@nozik nozik force-pushed the collect_mongo_insert_statement branch from 05ddd96 to fbb5bdc Compare August 30, 2021 18:15
@vmarchaud
Copy link
Member

@nozik CI is failing because of an unused import:

src/instrumentation.ts:44:1 - error TS6133: 'DbStatementSerializer' is declared but its value is never read.

44 import { DbStatementSerializer } from './types';

@nozik nozik force-pushed the collect_mongo_insert_statement branch from fbb5bdc to aa00598 Compare August 30, 2021 19:19
@nozik
Copy link
Contributor Author

nozik commented Aug 31, 2021

@obecny @vmarchaud Done and done :)

@dyladan
Copy link
Member

dyladan commented Aug 31, 2021

This is ready for merge but I don't have access to write to your branch so I can't update the PR to merge it. Please update the branch or give maintainers write acess to it.

@nozik
Copy link
Contributor Author

nozik commented Aug 31, 2021

@dyladan Done

@blumamir
Copy link
Member

looks like lint now fails due to legitimate reasons.
@nozik - please run lint:fix to resolve

@nozik nozik force-pushed the collect_mongo_insert_statement branch from 4fa8843 to 251bdb2 Compare August 31, 2021 12:55
@nozik
Copy link
Contributor Author

nozik commented Aug 31, 2021

@blumamir 👍

@dyladan dyladan merged commit 8584432 into open-telemetry:main Aug 31, 2021
@nozik nozik deleted the collect_mongo_insert_statement branch September 26, 2021 05:13
@dyladan dyladan mentioned this pull request Feb 28, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MSNev MSNev MSNev approved these changes

@blumamir blumamir blumamir approved these changes

@vmarchaud vmarchaud vmarchaud approved these changes

@dyladan dyladan dyladan approved these changes

@obecny obecny obecny approved these changes

Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@nozik @blumamir @vmarchaud @dyladan @obecny @MSNev