Currently, all of the Span operation names and, potentially, the tags go across in clear text. Some APIs expose tokens in their URIs and use those as operation names. This is a security vulnerability that we need to address before folks can 100% use this in production.
We will support configuring the URI masking using a regex and masking anything in a capture group. We should support masking multiple capture groups. The masking will replace the capture groups with a fixed number of the character X.
This needs to happen in the Interceptor and the PowerFilter.
This is going into its own config file as this will be put into a new service.
We're only going to support the path and not parameters at this time. Users are expected to handle URIs that are considered equivalent by the origin service in their regex.
Pitfalls to consider:
- The configured regex should be processed in the configured order.
- Each regex should process the URI that has been masked with the previous regex, not the original URI.
- Make sure to document this.
- Users can configure one or more portions of a URI that will be masked with XXXXX when the value is being sent to Jaeger.
- Users can specify the URI and portions to be masked using a regex with capture groups. All capture groups will be masked.
- Users can configure multiple URIs to look for.
- The default configuration will mask the token from the Keystone validate token URI.
- We will only mask values in the URI path, not the parameters.