Filtering should allow to redact/rewrite attributes

[pilhuhn]

When I have a SQLClient span
{"type":"SQLClient","peer":"::1","peerPort":"39686","host":"::1","hostPort":"5432","traceID":"21b5..","spanID":"d96b..","parentSpanID":"00...000","traceFlags":"0","peerName":"python3.14 (deleted)","hostName":"::1","kind":"SPAN_KIND_CLIENT","start":"1770805208325537","handlerStart":"1770805208325537","end":"1770805208326073","duration":"535.518µs","durationUSec":"535","handlerDuration":"535.518µs","handlerDurationUSec":"535","attributes":{"errorCode":"0","errorDescription":"","errorMessage":"","operation":"SELECT","serverAddr":"::1","serverPort":"5432","sqlCommand":"QUERY","sqlState":"","**statement":"SELECT * FROM tea WHERE kind=('sencha')** /*db_driver='psycopg2%3A2.9.11',dbapi_level='2.0',dbapi_threadsafety=2,driver_paramstyle='pyformat',libpq_version=170006,traceparent='00-2e1600...c6f-01'*/;","table":"tea"}}

It should be possible to redact or write the SQL 'statement' attribute (only) in case that it e.g. contains a password.

There are possibly other tracers than the Postgres one, where this applies. IP addresses of external clients come to mind, as those are considered PII.

And yes, this can possibly be done in the collector, but for security reasons, the redaction should happen as early as possible.

[grcevski]

I agree with you, which is why the SQL statement isn't on by default. We consider the redaction out of scope for now, since it should be done by the collector. I understand that MITM attacks can pull out this information when it's shipped from OBI to the collector, but in that scenario, I think the best approach is to use OBI built in the collector as a receiver (we've recently added that). In that case it would be the same process.