Obfuscating sensitive attribute values with an Instrumentation extension #4832
-
Hello all, Please do excuse a few noobie questions below :) - really grateful for any guidance! We are looking at creating a custom extension that would allow us to look for sensitive token data in span attributes (by a match against certain regexes) and mask them upfront before exporting to the collector. We are definitely going to evaluate the collector side redaction processor (https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/processor/redactionprocessor) which is in the works - if and when it does get released. Going by https://github.com/open-telemetry/opentelemetry-java-instrumentation/tree/main/examples/extension#i-want-to-edit-some-attributes-that-dont-depend-on-any-db-connection-instance - it seems like for editing attributes in a span, without injecting any special advice and irrespective of the source, one should evaluate creating a custom SpanProcessor. Is that understanding correct? If that's the case, then I was expecting that the regex-match-and-obfuscate would be implemented on span end ..with onEnd we seem to receive a handle to a ReadableSpan that's immutable ( Is there any other approach to modifying any of the attributes within the current span with the intent of masking sensitive parts of the attribute value? Thanks a lot in advance! |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 3 replies
-
hi @lalitmathwani! you'll want to write a and then in your |
Beta Was this translation helpful? Give feedback.
-
Take a look into this project https://github.com/pajohri/jdotm |
Beta Was this translation helpful? Give feedback.
hi @lalitmathwani!
you'll want to write a
AutoConfigurationCustomizerProvider
that registers a span exporter customizer usingAutoConfigurationCustomizer.addSpanExporterCustomizer()
, and your span exporter customizer can wrap the real exporter with your ownSpanExporter
class that delegates to the real exporter.and then in your
SpanExporter
you can wrap the SpanData (since it's immutable) in your own subclass ofDelegatingSpanData
which does the obfuscation, and pass your subclass down to the real exporter