From 50febb359ea4d144517a952570c0b23e40e2c5fa Mon Sep 17 00:00:00 2001 From: Israel Blancas Date: Thu, 27 Nov 2025 15:32:54 +0100 Subject: [PATCH] Add option to URL and DB sanitization configs Signed-off-by: Israel Blancas --- .chloggen/44228.yaml | 27 +++ processor/redactionprocessor/README.md | 21 +- .../redactionprocessor/internal/db/config.go | 1 + .../redactionprocessor/internal/url/config.go | 2 + processor/redactionprocessor/processor.go | 31 ++- .../redactionprocessor/processor_test.go | 207 ++++++++++++++++++ 6 files changed, 284 insertions(+), 5 deletions(-) create mode 100644 .chloggen/44228.yaml diff --git a/.chloggen/44228.yaml b/.chloggen/44228.yaml new file mode 100644 index 0000000000000..257efc6c49a1c --- /dev/null +++ b/.chloggen/44228.yaml @@ -0,0 +1,27 @@ +# Use this changelog template to create an entry for release notes. + +# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix' +change_type: 'enhancement' + +# The name of the component, or a single word describing the area of concern, (e.g. receiver/filelog) +component: processor/redaction + +# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`). +note: Add `sanitize_span_name` option to URL and DB sanitization configs. + +# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists. +issues: [44228] + +# (Optional) One or more lines of additional information to render under the primary note. +# These lines will be padded with 2 spaces and then inserted directly into the document. +# Use pipe (|) for multiline entries. +subtext: + +# If your change doesn't affect end users or the exported elements of any package, +# you should instead start your pull request title with [chore] or use the "Skip Changelog" label. +# Optional: The change log or logs in which this entry should be included. +# e.g. '[user]' or '[user, api]' +# Include 'user' if the change is relevant to end users. +# Include 'api' if there is a change to a library API. +# Default: '[user]' +change_logs: [] diff --git a/processor/redactionprocessor/README.md b/processor/redactionprocessor/README.md index 6e2fa4eedcc5c..df397d2a3c13b 100644 --- a/processor/redactionprocessor/README.md +++ b/processor/redactionprocessor/README.md @@ -108,6 +108,10 @@ processors: enabled: true # attributes is a list of attribute keys that contain URLs to be sanitized attributes: ["http.url", "url"] + # sanitize_span_name controls whether span names should be sanitized for URLs (default: true) + # When enabled, span names containing "/" will be sanitized to reduce cardinality + # Set to false to disable span name sanitization while keeping attribute sanitization active + sanitize_span_name: true ``` Refer to [config.yaml](./testdata/config.yaml) for how to fit the configuration @@ -138,7 +142,15 @@ are `md5`, `sha1` and `sha3` (SHA-256). The `url_sanitizer` configuration enables sanitization of URLs in specified attributes by removing potentially sensitive information like UUIDs, timestamps, and other non-essential path segments. This is particularly useful for reducing cardinality in telemetry data while preserving the essential parts of URLs for troubleshooting. -Additionally, URL sanitization automatically applies to span names for client and server span types that contain "/" characters. This helps reduce cardinality issues caused by high-variability URL paths in span names while preserving the essential routing information needed for observability. +### Span Name Sanitization + +By default, when URL sanitization is enabled, span names for client and server span types that contain "/" characters are automatically sanitized. This helps reduce cardinality issues caused by high-variability URL paths in span names while preserving essential routing information. + +You can control this behavior using the `sanitize_span_name` option: +- `true` (default): Span names will be sanitized along with attributes +- `false`: Only attributes are sanitized, span names remain unchanged + +This option is available independently for both URL and database sanitization, allowing fine-grained control over which span names should be redacted. For example, if `notes` is on the list of allowed keys, then the `notes` attribute is retained. However, if there is a value such as a credit card @@ -165,6 +177,10 @@ processors: # Database sanitization configuration db_sanitizer: + # sanitize_span_name controls whether span names should be sanitized for database queries (default: true) + # When enabled, span names will be obfuscated to remove sensitive query details + # Set to false to disable span name sanitization while keeping attribute sanitization active + sanitize_span_name: true sql: enabled: true attributes: ["db.statement", "db.query"] @@ -191,5 +207,8 @@ The database sanitizer will: - Sanitize MongoDB queries and JSON payloads - Process only specified attributes if provided - Preserve query structure while removing sensitive data +- Sanitize span names containing database queries (can be controlled with `sanitize_span_name`) + +By default, database query sanitization also applies to span names for client span types. You can disable this behavior by setting `sanitize_span_name: false` in the `db_sanitizer` configuration, which allows you to keep original database query span names while still sanitizing the query values in attributes. This provides an additional layer of protection when collecting telemetry that includes database operations. diff --git a/processor/redactionprocessor/internal/db/config.go b/processor/redactionprocessor/internal/db/config.go index 8bfc285031567..63c3b519ed331 100644 --- a/processor/redactionprocessor/internal/db/config.go +++ b/processor/redactionprocessor/internal/db/config.go @@ -11,6 +11,7 @@ type DBSanitizerConfig struct { MongoConfig MongoConfig `mapstructure:"mongo"` OpenSearchConfig OpenSearchConfig `mapstructure:"opensearch"` ESConfig ESConfig `mapstructure:"es"` + SanitizeSpanName *bool `mapstructure:"sanitize_span_name"` } type SQLConfig struct { diff --git a/processor/redactionprocessor/internal/url/config.go b/processor/redactionprocessor/internal/url/config.go index 932b3586b1b28..e74c8ed75746d 100644 --- a/processor/redactionprocessor/internal/url/config.go +++ b/processor/redactionprocessor/internal/url/config.go @@ -7,4 +7,6 @@ type URLSanitizationConfig struct { Enabled bool `mapstructure:"enabled"` // Attributes is the list of attributes that will be sanitized. Attributes []string `mapstructure:"attributes"` + // SanitizeSpanName controls whether span names should be sanitized. + SanitizeSpanName *bool `mapstructure:"sanitize_span_name"` } diff --git a/processor/redactionprocessor/processor.go b/processor/redactionprocessor/processor.go index 65e6c86916e59..369ce2f740a3c 100644 --- a/processor/redactionprocessor/processor.go +++ b/processor/redactionprocessor/processor.go @@ -145,10 +145,10 @@ func (s *redaction) processResourceSpan(ctx context.Context, rs ptrace.ResourceS if s.shouldRedactSpanName(&span) { name := span.Name() - if s.urlSanitizer != nil { + if s.shouldSanitizeSpanNameForURL() { name = s.urlSanitizer.SanitizeURL(name) } - if s.dbObfuscator.HasObfuscators() { + if s.shouldSanitizeSpanNameForDB() { var err error name, err = s.dbObfuscator.Obfuscate(name) if err != nil { @@ -509,7 +509,9 @@ func (s *redaction) shouldRedactKey(k string) bool { } func (s *redaction) shouldRedactSpanName(span *ptrace.Span) bool { - if s.urlSanitizer == nil && !s.dbObfuscator.HasObfuscators() { + shouldSanitizeDB := s.shouldSanitizeSpanNameForDB() + + if !s.shouldSanitizeSpanNameForURL() && !shouldSanitizeDB { return false } spanKind := span.Kind() @@ -518,12 +520,33 @@ func (s *redaction) shouldRedactSpanName(span *ptrace.Span) bool { } spanName := span.Name() - if !strings.Contains(spanName, "/") && !s.dbObfuscator.HasObfuscators() { + if !strings.Contains(spanName, "/") && !shouldSanitizeDB { return false } return !s.shouldAllowValue(spanName) } +func (s *redaction) shouldSanitizeSpanNameForURL() bool { + if s.urlSanitizer == nil { + return false + } + + if s.config.URLSanitization.SanitizeSpanName == nil { + return true + } + return *s.config.URLSanitization.SanitizeSpanName +} + +func (s *redaction) shouldSanitizeSpanNameForDB() bool { + if !s.dbObfuscator.HasObfuscators() { + return false + } + if s.config.DBSanitizer.SanitizeSpanName == nil { + return true + } + return *s.config.DBSanitizer.SanitizeSpanName +} + const ( debug = "debug" info = "info" diff --git a/processor/redactionprocessor/processor_test.go b/processor/redactionprocessor/processor_test.go index 3537295bdbbbf..beec71ae84108 100644 --- a/processor/redactionprocessor/processor_test.go +++ b/processor/redactionprocessor/processor_test.go @@ -2039,3 +2039,210 @@ func TestDBObfuscationSpanName(t *testing.T) { assert.NotEqual(t, "SELECT * FROM cache WHERE key = 'user:123'", outSpan.Name()) }) } + +func TestSanitizeSpanNameFlag(t *testing.T) { + t.Run("URL/default behavior", func(t *testing.T) { + tc := testConfig{ + config: &Config{ + AllowAllKeys: true, + URLSanitization: url.URLSanitizationConfig{ + Enabled: true, + }, + }, + } + + inBatch := ptrace.NewTraces() + rs := inBatch.ResourceSpans().AppendEmpty() + ils := rs.ScopeSpans().AppendEmpty() + span := ils.Spans().AppendEmpty() + span.SetName("/users/123/profile") + span.SetKind(ptrace.SpanKindClient) + + processor, err := newRedaction(t.Context(), tc.config, zaptest.NewLogger(t)) + require.NoError(t, err) + outTraces, err := processor.processTraces(t.Context(), inBatch) + require.NoError(t, err) + + outSpan := outTraces.ResourceSpans().At(0).ScopeSpans().At(0).Spans().At(0) + assert.Equal(t, "/users/*/profile", outSpan.Name()) + }) + + t.Run("URL/disabled", func(t *testing.T) { + sanitizeSpanName := false + tc := testConfig{ + config: &Config{ + AllowAllKeys: true, + URLSanitization: url.URLSanitizationConfig{ + Enabled: true, + SanitizeSpanName: &sanitizeSpanName, + }, + }, + } + + inBatch := ptrace.NewTraces() + rs := inBatch.ResourceSpans().AppendEmpty() + ils := rs.ScopeSpans().AppendEmpty() + span := ils.Spans().AppendEmpty() + span.SetName("/users/123/profile") + span.SetKind(ptrace.SpanKindClient) + + processor, err := newRedaction(t.Context(), tc.config, zaptest.NewLogger(t)) + require.NoError(t, err) + outTraces, err := processor.processTraces(t.Context(), inBatch) + require.NoError(t, err) + + outSpan := outTraces.ResourceSpans().At(0).ScopeSpans().At(0).Spans().At(0) + assert.Equal(t, "/users/123/profile", outSpan.Name()) + }) + + t.Run("URL/explicitly enabled", func(t *testing.T) { + sanitizeSpanName := true + tc := testConfig{ + config: &Config{ + AllowAllKeys: true, + URLSanitization: url.URLSanitizationConfig{ + Enabled: true, + SanitizeSpanName: &sanitizeSpanName, + }, + }, + } + + inBatch := ptrace.NewTraces() + rs := inBatch.ResourceSpans().AppendEmpty() + ils := rs.ScopeSpans().AppendEmpty() + span := ils.Spans().AppendEmpty() + span.SetName("/users/123/profile") + span.SetKind(ptrace.SpanKindClient) + + processor, err := newRedaction(t.Context(), tc.config, zaptest.NewLogger(t)) + require.NoError(t, err) + outTraces, err := processor.processTraces(t.Context(), inBatch) + require.NoError(t, err) + + outSpan := outTraces.ResourceSpans().At(0).ScopeSpans().At(0).Spans().At(0) + assert.Equal(t, "/users/*/profile", outSpan.Name()) + }) + + t.Run("DB/default behavior", func(t *testing.T) { + tc := testConfig{ + config: &Config{ + AllowAllKeys: true, + DBSanitizer: db.DBSanitizerConfig{ + SQLConfig: db.SQLConfig{ + Enabled: true, + }, + }, + }, + } + + inBatch := ptrace.NewTraces() + rs := inBatch.ResourceSpans().AppendEmpty() + ils := rs.ScopeSpans().AppendEmpty() + span := ils.Spans().AppendEmpty() + span.SetName("SELECT * FROM users WHERE id = 123") + span.SetKind(ptrace.SpanKindClient) + + processor, err := newRedaction(t.Context(), tc.config, zaptest.NewLogger(t)) + require.NoError(t, err) + outTraces, err := processor.processTraces(t.Context(), inBatch) + require.NoError(t, err) + + outSpan := outTraces.ResourceSpans().At(0).ScopeSpans().At(0).Spans().At(0) + assert.Equal(t, "SELECT * FROM users WHERE id = ?", outSpan.Name()) + }) + + t.Run("DB/disabled", func(t *testing.T) { + sanitizeSpanName := false + tc := testConfig{ + config: &Config{ + AllowAllKeys: true, + DBSanitizer: db.DBSanitizerConfig{ + SQLConfig: db.SQLConfig{ + Enabled: true, + }, + SanitizeSpanName: &sanitizeSpanName, + }, + }, + } + + inBatch := ptrace.NewTraces() + rs := inBatch.ResourceSpans().AppendEmpty() + ils := rs.ScopeSpans().AppendEmpty() + span := ils.Spans().AppendEmpty() + span.SetName("SELECT * FROM users WHERE id = 123") + span.SetKind(ptrace.SpanKindClient) + + processor, err := newRedaction(t.Context(), tc.config, zaptest.NewLogger(t)) + require.NoError(t, err) + outTraces, err := processor.processTraces(t.Context(), inBatch) + require.NoError(t, err) + + outSpan := outTraces.ResourceSpans().At(0).ScopeSpans().At(0).Spans().At(0) + assert.Equal(t, "SELECT * FROM users WHERE id = 123", outSpan.Name()) + }) + + t.Run("DB/explicitly enabled", func(t *testing.T) { + sanitizeSpanName := true + tc := testConfig{ + config: &Config{ + AllowAllKeys: true, + DBSanitizer: db.DBSanitizerConfig{ + SQLConfig: db.SQLConfig{ + Enabled: true, + }, + SanitizeSpanName: &sanitizeSpanName, + }, + }, + } + + inBatch := ptrace.NewTraces() + rs := inBatch.ResourceSpans().AppendEmpty() + ils := rs.ScopeSpans().AppendEmpty() + span := ils.Spans().AppendEmpty() + span.SetName("SELECT * FROM users WHERE id = 123") + span.SetKind(ptrace.SpanKindClient) + + processor, err := newRedaction(t.Context(), tc.config, zaptest.NewLogger(t)) + require.NoError(t, err) + outTraces, err := processor.processTraces(t.Context(), inBatch) + require.NoError(t, err) + + outSpan := outTraces.ResourceSpans().At(0).ScopeSpans().At(0).Spans().At(0) + assert.Equal(t, "SELECT * FROM users WHERE id = ?", outSpan.Name()) + }) + + t.Run("both URL and DB flags work independently", func(t *testing.T) { + urlSanitizeSpanName := false + dbSanitizeSpanName := false + tc := testConfig{ + config: &Config{ + AllowAllKeys: true, + URLSanitization: url.URLSanitizationConfig{ + Enabled: true, + SanitizeSpanName: &urlSanitizeSpanName, + }, + DBSanitizer: db.DBSanitizerConfig{ + SQLConfig: db.SQLConfig{ + Enabled: true, + }, + SanitizeSpanName: &dbSanitizeSpanName, + }, + }, + } + + inBatch := ptrace.NewTraces() + rs := inBatch.ResourceSpans().AppendEmpty() + ils := rs.ScopeSpans().AppendEmpty() + span := ils.Spans().AppendEmpty() + span.SetName("/api/users/123") + span.SetKind(ptrace.SpanKindClient) + + processor, err := newRedaction(t.Context(), tc.config, zaptest.NewLogger(t)) + require.NoError(t, err) + outTraces, err := processor.processTraces(t.Context(), inBatch) + require.NoError(t, err) + + outSpan := outTraces.ResourceSpans().At(0).ScopeSpans().At(0).Spans().At(0) + assert.Equal(t, "/api/users/123", outSpan.Name()) + }) +}