From 7da6842f9d647a6a47197a7f0a7bcc266bb40ceb Mon Sep 17 00:00:00 2001 From: Alexandra Konrad Date: Tue, 28 May 2024 22:32:45 +0200 Subject: [PATCH] [BREAKING] Add ECS user namespace (#731) Co-authored-by: Liudmila Molkova --- .chloggen/user_ns.yaml | 22 +++++++++++ .github/ISSUE_TEMPLATE/bug_report.yaml | 2 +- .github/ISSUE_TEMPLATE/change_proposal.yaml | 2 +- .github/ISSUE_TEMPLATE/new-conventions.yaml | 2 +- docs/attributes-registry/README.md | 1 + docs/attributes-registry/enduser.md | 14 +++---- docs/attributes-registry/user.md | 22 +++++++++++ docs/general/attributes.md | 6 +-- model/registry/deprecated/enduser.yaml | 24 +++++++++++ model/registry/enduser.yaml | 29 -------------- model/registry/user.yaml | 44 +++++++++++++++++++++ schema-next.yaml | 6 +++ 12 files changed, 132 insertions(+), 42 deletions(-) create mode 100755 .chloggen/user_ns.yaml create mode 100644 docs/attributes-registry/user.md create mode 100644 model/registry/deprecated/enduser.yaml delete mode 100644 model/registry/enduser.yaml create mode 100644 model/registry/user.yaml diff --git a/.chloggen/user_ns.yaml b/.chloggen/user_ns.yaml new file mode 100755 index 0000000000..878e93a435 --- /dev/null +++ b/.chloggen/user_ns.yaml @@ -0,0 +1,22 @@ +# Use this changelog template to create an entry for release notes. +# +# If your change doesn't affect end users you should instead start +# your pull request title with [chore] or use the "Skip Changelog" label. + +# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix' +change_type: new_component + +# The name of the area of concern in the attributes-registry, (e.g. http, cloud, db) +component: user + +# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`). +note: BREAKING - deprecate `enduser` in favor of a new `user` namespace. Add more `user` attributes. + +# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists. +# The values here must be integers. +issues: [731] + +# (Optional) One or more lines of additional information to render under the primary note. +# These lines will be padded with 2 spaces and then inserted directly into the document. +# Use pipe (|) for multiline entries. +subtext: diff --git a/.github/ISSUE_TEMPLATE/bug_report.yaml b/.github/ISSUE_TEMPLATE/bug_report.yaml index 4aefd034cc..33cf248bb7 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.yaml +++ b/.github/ISSUE_TEMPLATE/bug_report.yaml @@ -34,7 +34,6 @@ body: - area:device - area:disk - area:dns - - area:enduser - area:error - area:event - area:exception @@ -71,6 +70,7 @@ body: - area:tls - area:url - area:user-agent + - area:user - area:webengine # End semconv area list - type: textarea diff --git a/.github/ISSUE_TEMPLATE/change_proposal.yaml b/.github/ISSUE_TEMPLATE/change_proposal.yaml index 2af8b08f70..4429b696e6 100644 --- a/.github/ISSUE_TEMPLATE/change_proposal.yaml +++ b/.github/ISSUE_TEMPLATE/change_proposal.yaml @@ -27,7 +27,6 @@ body: - area:device - area:disk - area:dns - - area:enduser - area:error - area:event - area:exception @@ -64,6 +63,7 @@ body: - area:tls - area:url - area:user-agent + - area:user - area:webengine # End semconv area list - type: textarea diff --git a/.github/ISSUE_TEMPLATE/new-conventions.yaml b/.github/ISSUE_TEMPLATE/new-conventions.yaml index 0753cd8184..1a504ea5ce 100644 --- a/.github/ISSUE_TEMPLATE/new-conventions.yaml +++ b/.github/ISSUE_TEMPLATE/new-conventions.yaml @@ -36,7 +36,6 @@ body: - area:device - area:disk - area:dns - - area:enduser - area:error - area:event - area:exception @@ -73,6 +72,7 @@ body: - area:tls - area:url - area:user-agent + - area:user - area:webengine # End semconv area list - type: textarea diff --git a/docs/attributes-registry/README.md b/docs/attributes-registry/README.md index a9253c650b..2aa1b98447 100644 --- a/docs/attributes-registry/README.md +++ b/docs/attributes-registry/README.md @@ -83,6 +83,7 @@ Currently, the following namespaces exist: - [Thread](thread.md) - [TLS](tls.md) - [URL](url.md) +- [User](user.md) - [User Agent](user-agent.md) - [Webengine](webengine.md) diff --git a/docs/attributes-registry/enduser.md b/docs/attributes-registry/enduser.md index 9fa388eeac..66ba5a0d1e 100644 --- a/docs/attributes-registry/enduser.md +++ b/docs/attributes-registry/enduser.md @@ -6,12 +6,12 @@ # Enduser -## Enduser Attributes +## Enduser Deprecated Attributes -This document defines attributes for operations with an authenticated and/or authorized enduser. +Describes deprecated enduser attributes. Complete enduser namespace has been deprecated -| Attribute | Type | Description | Examples | Stability | -| --------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------- | ---------------------------------------------------------------- | -| `enduser.id` | string | Username or client_id extracted from the access token or [Authorization](https://tools.ietf.org/html/rfc7235#section-4.2) header in the inbound request from outside the system. | `username` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `enduser.role` | string | Actual/assumed role the client is making the request under extracted from token or application security context. | `admin` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `enduser.scope` | string | Scopes or granted authorities the client currently possesses extracted from token or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). | `read:message, write:files` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| Attribute | Type | Description | Examples | Stability | +| --------------- | ------ | ---------------------------------------- | --------------------------- | -------------------------------------------------------------------------------------------------- | +| `enduser.id` | string | Deprecated, use `user.id` instead. | `username` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Replaced by `user.id` attribute. | +| `enduser.role` | string | Deprecated, use `user.roles` instead. | `admin` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Replaced by `user.roles` attribute. | +| `enduser.scope` | string | Deprecated, no replacement at this time. | `read:message, write:files` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | diff --git a/docs/attributes-registry/user.md b/docs/attributes-registry/user.md new file mode 100644 index 0000000000..41a9d259c8 --- /dev/null +++ b/docs/attributes-registry/user.md @@ -0,0 +1,22 @@ + + + + + +# User + +## User Attributes + +Describes information about the user. + +| Attribute | Type | Description | Examples | Stability | +| ---------------- | -------- | ---------------------------------------------------------------------------- | -------------------------------------------------- | ---------------------------------------------------------------- | +| `user.email` | string | User email address. | `a.einstein@example.com` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `user.full_name` | string | User's full name | `Albert Einstein` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `user.hash` | string | Unique user hash to correlate information for a user in anonymized form. [1] | `364fc68eaf4c8acec74a4e52d7d1feaa` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `user.id` | string | Unique identifier of the user. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `user.name` | string | Short name or login/username of the user. | `a.einstein` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `user.roles` | string[] | Array of user roles at the time of the event. | `admin`; `reporting_user` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | + +**[1]:** Useful if `user.id` or `user.name` contain confidential information and cannot be used. diff --git a/docs/general/attributes.md b/docs/general/attributes.md index a3030171ec..d6a848bdf9 100644 --- a/docs/general/attributes.md +++ b/docs/general/attributes.md @@ -408,9 +408,9 @@ These attributes may be used for any operation with an authenticated and/or auth | Attribute | Type | Description | Examples | [Requirement Level](https://opentelemetry.io/docs/specs/semconv/general/attribute-requirement-level/) | Stability | |---|---|---|---|---|---| -| [`enduser.id`](/docs/attributes-registry/enduser.md) | string | Username or client_id extracted from the access token or [Authorization](https://tools.ietf.org/html/rfc7235#section-4.2) header in the inbound request from outside the system. | `username` | `Recommended` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| [`enduser.role`](/docs/attributes-registry/enduser.md) | string | Actual/assumed role the client is making the request under extracted from token or application security context. | `admin` | `Recommended` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| [`enduser.scope`](/docs/attributes-registry/enduser.md) | string | Scopes or granted authorities the client currently possesses extracted from token or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). | `read:message, write:files` | `Recommended` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| [`enduser.id`](/docs/attributes-registry/enduser.md) | string | Deprecated, use `user.id` instead. | `username` | `Recommended` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Replaced by `user.id` attribute. | +| [`enduser.role`](/docs/attributes-registry/enduser.md) | string | Deprecated, use `user.roles` instead. | `admin` | `Recommended` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Replaced by `user.roles` attribute. | +| [`enduser.scope`](/docs/attributes-registry/enduser.md) | string | Deprecated, no replacement at this time. | `read:message, write:files` | `Recommended` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | diff --git a/model/registry/deprecated/enduser.yaml b/model/registry/deprecated/enduser.yaml new file mode 100644 index 0000000000..8908ec8fbd --- /dev/null +++ b/model/registry/deprecated/enduser.yaml @@ -0,0 +1,24 @@ +groups: + - id: registry.enduser.deprecated + prefix: enduser + type: attribute_group + brief: Describes deprecated enduser attributes. Complete enduser namespace has been deprecated + attributes: + - id: id + type: string + stability: experimental + deprecated: Replaced by `user.id` attribute. + brief: "Deprecated, use `user.id` instead." + examples: 'username' + - id: role + type: string + stability: experimental + deprecated: Replaced by `user.roles` attribute. + brief: "Deprecated, use `user.roles` instead." + examples: 'admin' + - id: scope + type: string + stability: experimental + deprecated: Removed. + brief: "Deprecated, no replacement at this time." + examples: 'read:message, write:files' diff --git a/model/registry/enduser.yaml b/model/registry/enduser.yaml deleted file mode 100644 index 656f36d682..0000000000 --- a/model/registry/enduser.yaml +++ /dev/null @@ -1,29 +0,0 @@ -groups: - - id: registry.enduser - prefix: enduser - type: attribute_group - brief: > - This document defines attributes for operations with an authenticated and/or authorized enduser. - attributes: - - id: id - type: string - stability: experimental - brief: > - Username or client_id extracted from the access token or - [Authorization](https://tools.ietf.org/html/rfc7235#section-4.2) - header in the inbound request from outside the system. - examples: 'username' - - id: role - type: string - stability: experimental - brief: 'Actual/assumed role the client is making the request under extracted from token or application security context.' - examples: 'admin' - - id: scope - type: string - stability: experimental - brief: > - Scopes or granted authorities the client currently possesses extracted from token - or application security context. The value would come from the scope associated - with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) - or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). - examples: 'read:message, write:files' diff --git a/model/registry/user.yaml b/model/registry/user.yaml new file mode 100644 index 0000000000..98792de275 --- /dev/null +++ b/model/registry/user.yaml @@ -0,0 +1,44 @@ +groups: + - id: registry.user + prefix: user + type: attribute_group + brief: "Describes information about the user." + attributes: + - id: email + type: string + stability: experimental + brief: > + User email address. + examples: ['a.einstein@example.com'] + - id: full_name + type: string + stability: experimental + brief: > + User's full name + examples: ['Albert Einstein'] + - id: hash + type: string + stability: experimental + brief: > + Unique user hash to correlate information for a user in anonymized form. + note: > + Useful if `user.id` or `user.name` contain confidential information and cannot be used. + examples: ['364fc68eaf4c8acec74a4e52d7d1feaa'] + - id: id + type: string + stability: experimental + brief: > + Unique identifier of the user. + examples: ['S-1-5-21-202424912787-2692429404-2351956786-1000'] + - id: name + type: string + stability: experimental + brief: > + Short name or login/username of the user. + examples: ['a.einstein'] + - id: roles + type: string[] + stability: experimental + brief: > + Array of user roles at the time of the event. + examples: ["admin", "reporting_user"] diff --git a/schema-next.yaml b/schema-next.yaml index 519df3f8fb..32ab76d055 100644 --- a/schema-next.yaml +++ b/schema-next.yaml @@ -36,6 +36,12 @@ versions: - db.client.connections.create_time - db.client.connections.wait_time - db.client.connections.use_time + all: + changes: + # https://github:com/open-telemetry/semantic-conventions/pull/731/ + - rename_attributes: + attribute_map: + enduser.id: user.id 1.25.0: spans: