[processor/redaction] Add support for allowed values that are never redacted #35840
Comments
janslow
added
enhancement
|
Pinging code owners:
See Adding Labels via Comments if you do not have permissions to add labels yourself. |
TylerHelmuth
added
priority:p2
|
This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping Pinging code owners:
See Adding Labels via Comments if you do not have permissions to add labels yourself. |
|
Hi, I would like to take this ticket, if it's still free to grab |
|
I support this and you can go ahead @odubajDT ! |
…or config (#37638) <!--Ex. Fixing a bug - Describe the bug and how this fixes the issue. Ex. Adding a feature - Explain what this achieves.--> #### Description Introduce `allowed_values` parameter to the processor config. If the value of an allowed key matches the regular expression for an allowed value, the matching part of the value is not masked even if it matches the regular expression for a blocked value. <!-- Issue number (e.g. #1234) or full URL to issue, if applicable. --> #### Link to tracking issue Fixes #35840 --------- Signed-off-by: odubajDT <[email protected]>
…or config (open-telemetry#37638) <!--Ex. Fixing a bug - Describe the bug and how this fixes the issue. Ex. Adding a feature - Explain what this achieves.--> #### Description Introduce `allowed_values` parameter to the processor config. If the value of an allowed key matches the regular expression for an allowed value, the matching part of the value is not masked even if it matches the regular expression for a blocked value. <!-- Issue number (e.g. open-telemetry#1234) or full URL to issue, if applicable. --> #### Link to tracking issue Fixes open-telemetry#35840 --------- Signed-off-by: odubajDT <[email protected]>
Uh oh!
There was an error while loading. Please reload this page.
Component(s)
processor/redaction
Is your feature request related to a problem? Please describe.
I want the processor to never redact specific values, such as email addresses from specific domains. For example, we need
[email protected]to be redacted for compliance purposes, but not[email protected]Describe the solution you'd like
Add an
allowed_valuesconfiguration option that is a list of regexes (same asblocked_values), then never redact values that match at least oneallowed_valuesregex (even if it also matches ablocked_valuesregex).For example, with the given config:
then
[email protected]would be redacted in the relevant attributes, but[email protected]wouldn't.Describe alternatives you've considered
The
blocked_valuesuses Go'sregexppackage, which doesn't support negative lookahead, which could have been another alternative. There may be workarounds by incrementally excluding matches, but they result in very complex and hard to maintain patterns (especially if multiple patterns need to be allowed, e.g., multiple email domains)Additional context
I'm happy to contribute a PR if my proposed solution is acceptable
The text was updated successfully, but these errors were encountered: