LukeMathWalker/tracing-actix-web

Is it possible to remove some of the default fields from the root span builder?

stefan-vatov opened this issue · 4 comments

stefan-vatov commented

Hi there,

Awesome job with this library and the book as well, it helps a ton!

I have a question regarding the root span macro and builder. The default span (and the macro) adds a bunch of fields, most of them beneficial, but things like http.client_ip and the IP could go into GDPR territory. After some looking around in the code, I came up on the root_span! macro and the root span builder. In the example, in the repo, you add fields to the root span but don't remove any.

Building a custom root span and passing in http.client_ip with x works in overriding, but it doesn't remove the field. Also, if there is something that's not supposed to be in the logs in the headers, not sure how that could be removed.

LukeMathWalker commented

This is currently not possible nor, unfortunately, easily achievable. You already spotted the workaround I was going to suggest - set the "offending" field to a dummy value.
Another option is to filter the attribute out in your tracing subscriber.

Also, if there is something that's not supposed to be in the logs in the headers, not sure how that could be removed.

I am not sure I follow here. What are you referring to precisely?

stefan-vatov commented

Thanks for the quick reply!

The dummy values work. I think I'll go with that as the workaround.

Another option is to filter the attribute out in your tracing subscriber.

Do you have any examples on this one? Tried filtering, but doesn't that filter out the whole span for the layer? Maybe I'm getting confused here, but when I tried it out, I didn't find a way to filter out specific fields but instead the whole span for the layer.

I am not sure I follow here. What are you referring to precisely?

In the logs, it ends up logging all the request headers (prints out the whole struct I suspect), which includes any sensitive fields picked out in the root span builder from the headers :)

LukeMathWalker commented

Do you have any examples on this one? Tried filtering, but doesn't that filter out the whole span for the layer? Maybe I'm getting confused here, but when I tried it out, I didn't find a way to filter out specific fields but instead the whole span for the layer.

You need to write a custom layer, nothing is available out of the box in the ecosystem with this capability (skipping fields) as far as I know. But it's definitely possible.

In the logs, it ends up logging all the request headers (prints out the whole struct I suspect), which includes any sensitive fields picked out in the root span builder from the headers :)

I don't think that's the case - see

tracing-actix-web/src/root_span_macro.rs

Line 78 in 973d9b0

let span = $crate::root_span_macro::private::tracing::info_span!(

Can you provide a small reproducible example where you see this coming out of tracing-actix-web?

stefan-vatov commented

You are correct. The request was getting picked up as a param on the handler. After ignoring it, it's all good. My bad for not noticing 😅

Using a custom root span builder, putting placeholder values in the vars solves the problem well enough.

Thank you for your assistance 😄