From 3e1655f659f54ffaf1f4f2fd68eb6dd066ee1bc3 Mon Sep 17 00:00:00 2001 From: heyams Date: Mon, 7 Oct 2024 11:08:26 -0700 Subject: [PATCH 01/34] Add authentication to enduser namespace --- ...d_authentication_enduser_subnamespace.yaml | 25 +++++++++++++++++ model/authentication/registry.yaml | 27 +++++++++++++++++++ model/enduser/common.yaml | 10 +++++++ model/enduser/deprecated/common.yaml | 12 --------- .../deprecated/registry-deprecated.yaml | 24 ----------------- model/enduser/registry.yaml | 21 +++++++++++++++ 6 files changed, 83 insertions(+), 36 deletions(-) create mode 100644 .chloggen/add_authentication_enduser_subnamespace.yaml create mode 100644 model/authentication/registry.yaml create mode 100644 model/enduser/common.yaml delete mode 100644 model/enduser/deprecated/common.yaml delete mode 100644 model/enduser/deprecated/registry-deprecated.yaml create mode 100644 model/enduser/registry.yaml diff --git a/.chloggen/add_authentication_enduser_subnamespace.yaml b/.chloggen/add_authentication_enduser_subnamespace.yaml new file mode 100644 index 0000000000..e412caaf37 --- /dev/null +++ b/.chloggen/add_authentication_enduser_subnamespace.yaml 
@@ -0,0 +1,25 @@
+# Use this changelog template to create an entry for release notes.
+#
+# If your change doesn't affect end users you should instead start
+# your pull request title with [chore] or use the "Skip Changelog" label.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: new_component
+
+# The name of the area of concern in the attributes-registry, (e.g. http, cloud, db)
+component: enduser
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: introduce subnamespace `enduser.authentication` with new attributes `enduser.authentication.id`, `enduser.authentication.role`, and `enduser.authentication.scope`.
+
+# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
+# The values here must be integers.
+issues: [1104]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext: |
+ The `enduser.authentication` subnamespace is intended to describe the authentication information of the end user.
+ The new attributes are intended to provide information about the authenticated user in the system,
+ the role the client is making the request under, and the scopes or granted authorities the client currently possesses.
diff --git a/model/authentication/registry.yaml b/model/authentication/registry.yaml
new file mode 100644
index 0000000000..9cf00ce9ad
--- /dev/null
+++ b/model/authentication/registry.yaml
@@ -0,0 +1,27 @@
+groups:
+ - id: registry.authentication
+ type: attribute_group
+ display_name: Authentication Attributes
+ stability: experimental
+ brief: >
+ "Describes the authentication information of an authenticated user."
+ attributes:
+ - id: authentication.id
+ type: string
+ brief: "Unique identifier of an authenticated user in the system."
+ examples: [ 'S-1-5-21-202424912787-2692429404-2351956786-1000' ]
+ stability: experimental
+ - id: authentication.role
+ type: string
+ stability: experimental
+ brief: 'Actual/assumed role the client is making the request under extracted from token or application security context.'
+ examples: 'admin'
+ - id: authentication.scope
+ type: string
+ stability: experimental
+ brief: >
+ Scopes or granted authorities the client currently possesses extracted from token
+ or application security context. The value would come from the scope associated
+ with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3)
+ or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html).
+ examples: 'read:message, write:files'
diff --git a/model/enduser/common.yaml b/model/enduser/common.yaml
new file mode 100644
index 0000000000..89118d3124
--- /dev/null
+++ b/model/enduser/common.yaml
@@ -0,0 +1,10 @@
+groups:
+ - id: enduser
+ type: attribute_group
+ brief: >
+ This document defines attributes for Events represented using Log Records.
+ attributes:
+ - ref: enduser.id
+ requirement_level: required
+ - ref: enduser.authentication
+ requirement_level: required
diff --git a/model/enduser/deprecated/common.yaml b/model/enduser/deprecated/common.yaml
deleted file mode 100644
index e17dde1bec..0000000000
--- a/model/enduser/deprecated/common.yaml
+++ /dev/null
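Review bot: `authentication.id` in `model/authentication/registry.yaml` is defined without saying what may be recorded in it, and an identity attribute is copied into every backend the telemetry reaches. I would add a `note:` such as `The value must be an account identifier, never a credential (password, session token, API key), and may be personal data.`; the same gap carries over to `enduser.authentication.id` in PATCH 07. The `authentication.scope` example `'read:message, write:files'` is comma-separated, while section 3.3 of RFC 6749, which the brief links to, defines scope as a space-delimited list, so the brief should state the delimiter consumers can rely on (the definition is re-added unchanged as `enduser.scope` in PATCH 06). The group-level `brief: >` also wraps its text in double quotes inside a folded scalar, so the quotes become part of the value and appear literally in the generated `authentication.md`.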
@@ -1,12 +0,0 @@
-groups:
- - id: identity
- type: attribute_group
- brief: >
- These attributes may be used for any operation with an authenticated and/or authorized enduser.
- attributes:
- - ref: enduser.id
- requirement_level: recommended
- - ref: enduser.role
- requirement_level: recommended
- - ref: enduser.scope
- requirement_level: recommended
diff --git a/model/enduser/deprecated/registry-deprecated.yaml b/model/enduser/deprecated/registry-deprecated.yaml
deleted file mode 100644
index 0f5723e19a..0000000000
--- a/model/enduser/deprecated/registry-deprecated.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-groups:
- - id: registry.enduser.deprecated
- type: attribute_group
- display_name: Deprecated End User Attributes
- brief: Describes deprecated enduser attributes. Complete enduser namespace has been deprecated
- attributes:
- - id: enduser.id
- type: string
- stability: experimental
- deprecated: Replaced by `user.id` attribute.
- brief: "Deprecated, use `user.id` instead."
- examples: 'username'
- - id: enduser.role
- type: string
- stability: experimental
- deprecated: Replaced by `user.roles` attribute.
- brief: "Deprecated, use `user.roles` instead."
- examples: 'admin'
- - id: enduser.scope
- type: string
- stability: experimental
- deprecated: Removed.
- brief: "Deprecated, no replacement at this time."
- examples: 'read:message, write:files'
diff --git a/model/enduser/registry.yaml b/model/enduser/registry.yaml
new file mode 100644
index 0000000000..dd349be4f1
--- /dev/null
+++ b/model/enduser/registry.yaml
@@ -0,0 +1,21 @@ + +groups: + - id: registry.enduser + type: attribute_group + display_name: End User Attributes + brief: > + Describes information about the end user, which can be used as a sub-namespace of browser, client, or user domains. + attributes: + - id: enduser.id + type: string + stability: experimental + brief: > + Identifier of an end user who interacts with a system. + This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system. + examples: ['QdH5CAWJgqVT4rOr0qtumf'] + - id: enduser.authentication + type: attribute_group + stability: experimental + brief: > + Describes the authentication information of an authenticated end user. + ref: registry.authentication From 6f858a23775382a9dca6756409f96b0fb9e14299 Mon Sep 17 00:00:00 2001 From: heyams Date: Mon, 7 Oct 2024 11:19:59 -0700 Subject: [PATCH 02/34] Fix yamllint --- .chloggen/add_authentication_enduser_subnamespace.yaml | 2 +- model/enduser/registry.yaml | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/.chloggen/add_authentication_enduser_subnamespace.yaml b/.chloggen/add_authentication_enduser_subnamespace.yaml index e412caaf37..131b6c653b 100644 --- a/.chloggen/add_authentication_enduser_subnamespace.yaml +++ b/.chloggen/add_authentication_enduser_subnamespace.yaml @@ -4,7 +4,7 @@ # your pull request title with [chore] or use the "Skip Changelog" label. # One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix' -change_type: new_component +change_type: enhancement # The name of the area of concern in the attributes-registry, (e.g. http, cloud, db) component: enduser diff --git a/model/enduser/registry.yaml b/model/enduser/registry.yaml index dd349be4f1..aabc8d09fb 100644 --- a/model/enduser/registry.yaml +++ b/model/enduser/registry.yaml @@ -1,4 +1,3 @@ - groups: - id: registry.enduser type: attribute_group From 07cb1eb91b8c141d277a092d36bf30e3173b7f80 Mon Sep 17 00:00:00 2001 
From: heyams Date: Mon, 7 Oct 2024 11:51:22 -0700 Subject: [PATCH 03/34] Fix weaver --- model/enduser/common.yaml | 10 ---------- model/enduser/registry.yaml | 10 ++++------ 2 files changed, 4 insertions(+), 16 deletions(-) delete mode 100644 model/enduser/common.yaml diff --git a/model/enduser/common.yaml b/model/enduser/common.yaml deleted file mode 100644 index 89118d3124..0000000000 --- a/model/enduser/common.yaml +++ /dev/null @@ -1,10 +0,0 @@ -groups: - - id: enduser - type: attribute_group - brief: > - This document defines attributes for Events represented using Log Records. - attributes: - - ref: enduser.id - requirement_level: required - - ref: enduser.authentication - requirement_level: required diff --git a/model/enduser/registry.yaml b/model/enduser/registry.yaml index aabc8d09fb..995269d363 100644 --- a/model/enduser/registry.yaml +++ b/model/enduser/registry.yaml @@ -3,7 +3,7 @@ groups: type: attribute_group display_name: End User Attributes brief: > - Describes information about the end user, which can be used as a sub-namespace of browser, client, or user domains. + Describes information about the end user, which can be used as a subdomain of browser, client, or user domains. attributes: - id: enduser.id type: string @@ -12,9 +12,7 @@ groups: Identifier of an end user who interacts with a system. This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system. examples: ['QdH5CAWJgqVT4rOr0qtumf'] - - id: enduser.authentication - type: attribute_group + - ref: authentication.id stability: experimental - brief: > - Describes the authentication information of an authenticated end user. - ref: registry.authentication + requirement_level: + conditionally_required: if and only if the end user is authenticated. From ee0970fde3f889737dcece1079cedd21ed11cd35 Mon Sep 17 00:00:00 2001 
From: heyams Date: Mon, 7 Oct 2024 12:05:05 -0700 Subject: [PATCH 04/34] Update markdowns --- docs/attributes-registry/README.md | 1 + docs/attributes-registry/authentication.md | 17 +++++++++++++++++ docs/attributes-registry/enduser.md | 13 ++++++------- 3 files changed, 24 insertions(+), 7 deletions(-) create mode 100644 docs/attributes-registry/authentication.md diff --git a/docs/attributes-registry/README.md b/docs/attributes-registry/README.md index 35356a67cb..4e21e23c16 100644 --- a/docs/attributes-registry/README.md +++ b/docs/attributes-registry/README.md @@ -34,6 +34,7 @@ Currently, the following namespaces exist: - [Android](android.md) - [Artifact](artifact.md) - [Aspnetcore](aspnetcore.md) +- [Authentication](authentication.md) - [AWS](aws.md) - [Azure](azure.md) - [Browser](browser.md) diff --git a/docs/attributes-registry/authentication.md b/docs/attributes-registry/authentication.md new file mode 100644 index 0000000000..7fc50f4539 --- /dev/null +++ b/docs/attributes-registry/authentication.md 
@@ -0,0 +1,17 @@ + + + + + +# Authentication + +## Authentication Attributes + +"Describes the authentication information of an authenticated user." + +| Attribute | Type | Description | Examples | Stability | +| ---------------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------- | ---------------------------------------------------------------- | +| `authentication.id` | string | Unique identifier of an authenticated user in the system. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `authentication.role` | string | Actual/assumed role the client is making the request under extracted from token or application security context. | `admin` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `authentication.scope` | string | Scopes or granted authorities the client currently possesses extracted from token or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). | `read:message, write:files` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | diff --git a/docs/attributes-registry/enduser.md b/docs/attributes-registry/enduser.md index db2d7a5835..3a674523e0 100644 --- a/docs/attributes-registry/enduser.md +++ b/docs/attributes-registry/enduser.md 
@@ -6,12 +6,11 @@ # Enduser -## Deprecated End User Attributes +## End User Attributes -Describes deprecated enduser attributes. Complete enduser namespace has been deprecated +Describes information about the end user, which can be used as a subdomain of browser, client, or user domains. -| Attribute | Type | Description | Examples | Stability | -| --------------- | ------ | ---------------------------------------- | --------------------------- | -------------------------------------------------------------------------------------------------- | -| `enduser.id` | string | Deprecated, use `user.id` instead. | `username` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Replaced by `user.id` attribute. | -| `enduser.role` | string | Deprecated, use `user.roles` instead. | `admin` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Replaced by `user.roles` attribute. | -| `enduser.scope` | string | Deprecated, no replacement at this time. | `read:message, write:files` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | +| Attribute | Type | Description | Examples | Stability | +| ------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------- | ---------------------------------------------------------------- | +| `authentication.id` | string | Unique identifier of an authenticated user in the system. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `enduser.id` | string | Identifier of an end user who interacts with a system. This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system. | `QdH5CAWJgqVT4rOr0qtumf` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | From 38d8687ca80a063faa46ccdd38ed92901087d573 Mon Sep 17 00:00:00 2001 From: heyams Date: Mon, 7 Oct 2024 12:08:25 -0700 Subject: [PATCH 05/34] Generate gh issue --- .github/ISSUE_TEMPLATE/bug_report.yaml | 2 ++ .github/ISSUE_TEMPLATE/change_proposal.yaml | 2 ++ .github/ISSUE_TEMPLATE/new-conventions.yaml | 2 ++ 3 files changed, 6 insertions(+) diff --git a/.github/ISSUE_TEMPLATE/bug_report.yaml b/.github/ISSUE_TEMPLATE/bug_report.yaml index e4e6d6b430..283d18b28d 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.yaml +++ b/.github/ISSUE_TEMPLATE/bug_report.yaml @@ -23,6 +23,7 @@ body: - area:android - area:artifact - area:aspnetcore + - area:authentication - area:aws - area:azure - area:browser @@ -41,6 +42,7 @@ body: - area:disk - area:dns - area:dotnet + - area:enduser - area:error - area:event - area:exception diff --git a/.github/ISSUE_TEMPLATE/change_proposal.yaml b/.github/ISSUE_TEMPLATE/change_proposal.yaml index 4c9316ddf1..2ba99a1d9f 100644 --- a/.github/ISSUE_TEMPLATE/change_proposal.yaml +++ b/.github/ISSUE_TEMPLATE/change_proposal.yaml 
@@ -15,6 +15,7 @@ body: - area:android - area:artifact - area:aspnetcore + - area:authentication - area:aws - area:azure - area:browser @@ -33,6 +34,7 @@ body: - area:disk - area:dns - area:dotnet + - area:enduser - area:error - area:event - area:exception diff --git a/.github/ISSUE_TEMPLATE/new-conventions.yaml b/.github/ISSUE_TEMPLATE/new-conventions.yaml index e6e543158e..4f23678b18 100644 --- a/.github/ISSUE_TEMPLATE/new-conventions.yaml +++ b/.github/ISSUE_TEMPLATE/new-conventions.yaml @@ -24,6 +24,7 @@ body: - area:android - area:artifact - area:aspnetcore + - area:authentication - area:aws - area:azure - area:browser @@ -42,6 +43,7 @@ body: - area:disk - area:dns - area:dotnet + - area:enduser - area:error - area:event - area:exception From b1cdc13118220a0bbab8ae11fbb55f8d709903b6 Mon Sep 17 00:00:00 2001 From: heyams Date: Mon, 7 Oct 2024 12:13:46 -0700 Subject: [PATCH 06/34] Fix policies-check and compatibility --- docs/attributes-registry/authentication.md | 8 +++----- docs/attributes-registry/enduser.md | 10 ++++++---- model/authentication/registry.yaml | 14 -------------- model/enduser/registry.yaml | 14 ++++++++++++++ 4 files changed, 23 insertions(+), 23 deletions(-) diff --git a/docs/attributes-registry/authentication.md b/docs/attributes-registry/authentication.md index 7fc50f4539..90422ed9ee 100644 --- a/docs/attributes-registry/authentication.md +++ b/docs/attributes-registry/authentication.md 
@@ -10,8 +10,6 @@ "Describes the authentication information of an authenticated user." -| Attribute | Type | Description | Examples | Stability | -| ---------------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------- | ---------------------------------------------------------------- | -| `authentication.id` | string | Unique identifier of an authenticated user in the system. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `authentication.role` | string | Actual/assumed role the client is making the request under extracted from token or application security context. | `admin` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `authentication.scope` | string | Scopes or granted authorities the client currently possesses extracted from token or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). | `read:message, write:files` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| Attribute | Type | Description | Examples | Stability | +| ------------------- | ------ | --------------------------------------------------------- | -------------------------------------------------- | ---------------------------------------------------------------- | +| `authentication.id` | string | Unique identifier of an authenticated user in the system. 
| `S-1-5-21-202424912787-2692429404-2351956786-1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | diff --git a/docs/attributes-registry/enduser.md b/docs/attributes-registry/enduser.md index 3a674523e0..c166808ed0 100644 --- a/docs/attributes-registry/enduser.md +++ b/docs/attributes-registry/enduser.md 
@@ -10,7 +10,9 @@ Describes information about the end user, which can be used as a subdomain of browser, client, or user domains. -| Attribute | Type | Description | Examples | Stability | -| ------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------- | ---------------------------------------------------------------- | -| `authentication.id` | string | Unique identifier of an authenticated user in the system. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `enduser.id` | string | Identifier of an end user who interacts with a system. This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system. | `QdH5CAWJgqVT4rOr0qtumf` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| Attribute | Type | Description | Examples | Stability | +| ------------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------- | ---------------------------------------------------------------- | +| `authentication.id` | string | Unique identifier of an authenticated user in the system. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `enduser.id` | string | Identifier of an end user who interacts with a system. 
This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system. | `QdH5CAWJgqVT4rOr0qtumf` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `enduser.role` | string | Actual/assumed role the client is making the request under extracted from token or application security context. | `admin` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `enduser.scope` | string | Scopes or granted authorities the client currently possesses extracted from token or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). | `read:message, write:files` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | diff --git a/model/authentication/registry.yaml b/model/authentication/registry.yaml index 9cf00ce9ad..f475e97e72 100644 --- a/model/authentication/registry.yaml +++ b/model/authentication/registry.yaml 
@@ -11,17 +11,3 @@ groups: brief: "Unique identifier of an authenticated user in the system." examples: [ 'S-1-5-21-202424912787-2692429404-2351956786-1000' ] stability: experimental - - id: authentication.role - type: string - stability: experimental - brief: 'Actual/assumed role the client is making the request under extracted from token or application security context.' - examples: 'admin' - - id: authentication.scope - type: string - stability: experimental - brief: > - Scopes or granted authorities the client currently possesses extracted from token - or application security context. The value would come from the scope associated - with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) - or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). - examples: 'read:message, write:files' diff --git a/model/enduser/registry.yaml b/model/enduser/registry.yaml index 995269d363..e26f37eb37 100644 --- a/model/enduser/registry.yaml +++ b/model/enduser/registry.yaml 
@@ -12,6 +12,20 @@ groups: Identifier of an end user who interacts with a system. This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system. examples: ['QdH5CAWJgqVT4rOr0qtumf'] + - id: enduser.role + type: string + stability: experimental + brief: 'Actual/assumed role the client is making the request under extracted from token or application security context.' + examples: 'admin' + - id: enduser.scope + type: string + stability: experimental + brief: > + Scopes or granted authorities the client currently possesses extracted from token + or application security context. The value would come from the scope associated + with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) + or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). + examples: 'read:message, write:files' - ref: authentication.id stability: experimental requirement_level: From 068a822e91418a858e832930245177e053116a8f Mon Sep 17 00:00:00 2001 From: heyams Date: Tue, 22 Oct 2024 16:02:12 -0700 Subject: [PATCH 07/34] Update --- model/authentication/registry.yaml | 13 ------------- model/enduser/registry.yaml | 9 ++++++--- 2 files changed, 6 insertions(+), 16 deletions(-) delete mode 100644 model/authentication/registry.yaml diff --git a/model/authentication/registry.yaml b/model/authentication/registry.yaml deleted file mode 100644 index f475e97e72..0000000000 --- a/model/authentication/registry.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ -groups: - - id: registry.authentication - type: attribute_group - display_name: Authentication Attributes - stability: experimental - brief: > - "Describes the authentication information of an authenticated user." - attributes: - - id: authentication.id - type: string - brief: "Unique identifier of an authenticated user in the system." - examples: [ 'S-1-5-21-202424912787-2692429404-2351956786-1000' ] - stability: experimental diff --git a/model/enduser/registry.yaml b/model/enduser/registry.yaml index e26f37eb37..2a6568dd5e 100644 --- a/model/enduser/registry.yaml +++ b/model/enduser/registry.yaml @@ -14,11 +14,13 @@ groups: examples: ['QdH5CAWJgqVT4rOr0qtumf'] - id: enduser.role type: string + deprecated: "Removed." stability: experimental brief: 'Actual/assumed role the client is making the request under extracted from token or application security context.' examples: 'admin' - id: enduser.scope type: string + deprecated: "Removed." stability: experimental brief: > Scopes or granted authorities the client currently possesses extracted from token @@ -26,7 +28,8 @@ groups: with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). examples: 'read:message, write:files' - - ref: authentication.id + - id: enduser.authentication.id + type: string + brief: "Unique identifier of an authenticated user in the system." + examples: [ 'S-1-5-21-202424912787-2692429404-2351956786-1000' ] stability: experimental - requirement_level: - conditionally_required: if and only if the end user is authenticated. From c17bec632b080331ebddd65ce202be5421618e6e Mon Sep 17 00:00:00 2001 
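Review bot: The `deprecated: "Removed."` value added to `enduser.role` in `model/enduser/registry.yaml` drops the migration target that the deprecated registry deleted in PATCH 01 carried, where the role attribute was marked as replaced by `user.roles`. Anyone with dashboards or detection rules keyed on the role attribute needs that pointer, so if the replacement still holds I would keep it, e.g. `deprecated: "Replaced by user.roles attribute."`. For `enduser.scope` the earlier text was already `Removed.`, so that line is consistent. The attribute list starts above this hunk, so only part of the group is visible here.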
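Review bot: Nothing in the new `enduser.authentication.id` definition says when the attribute may be set: the removed `ref` entry carried `conditionally_required: if and only if the end user is authenticated.`, and the new brief does not replace it. The attribute sits next to `enduser.id`, whose brief says that identifier does not imply authentication, so the contrast should be explicit for anyone using these fields for audit or attribution. I would add `note: Set only after the end user has been authenticated; leave unset for anonymous users.` to the definition. This assumes a requirement level cannot stay on a registry definition, which the series suggests but the hunk does not show.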
From: heyams Date: Tue, 22 Oct 2024 16:09:27 -0700 Subject: [PATCH 08/34] Update changelog --- ...ubnamespace.yaml => add_enduser_authentication_id.yaml} | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) rename .chloggen/{add_authentication_enduser_subnamespace.yaml => add_enduser_authentication_id.yaml} (64%) diff --git a/.chloggen/add_authentication_enduser_subnamespace.yaml b/.chloggen/add_enduser_authentication_id.yaml similarity index 64% rename from .chloggen/add_authentication_enduser_subnamespace.yaml rename to .chloggen/add_enduser_authentication_id.yaml index 131b6c653b..906b73a217 100644 --- a/.chloggen/add_authentication_enduser_subnamespace.yaml +++ b/.chloggen/add_enduser_authentication_id.yaml @@ -10,7 +10,7 @@ change_type: enhancement component: enduser # A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`). -note: introduce subnamespace `enduser.authentication` with new attributes `enduser.authentication.id`, `enduser.authentication.role`, and `enduser.authentication.scope`. +note: introduce new attribute `enduser.authentication.id` and deprecate `enduser.authentication.role`, and `enduser.authentication.scope`. # Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists. # The values here must be integers. 
@@ -20,6 +20,5 @@ issues: [1104] # These lines will be padded with 2 spaces and then inserted directly into the document. # Use pipe (|) for multiline entries. subtext: | - The `enduser.authentication` subnamespace is intended to describe the authentication information of the end user. - The new attributes are intended to provide information about the authenticated user in the system, - the role the client is making the request under, and the scopes or granted authorities the client currently possesses. + The new attribute `enduser.authentication.id` is intended to provide an unique identifier of an authenticated enduser. + The deprecated attributes `enduser.authentication.role` and `enduser.authentication.scope` are removed from the enduser registry., From d0e26d5cc84dcdb70ff061084d357edbae4abbdd Mon Sep 17 00:00:00 2001 From: heyams Date: Tue, 22 Oct 2024 16:11:26 -0700 Subject: [PATCH 09/34] Update --- docs/attributes-registry/README.md | 1 - docs/attributes-registry/enduser.md | 12 ++++++------ 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/docs/attributes-registry/README.md b/docs/attributes-registry/README.md index 4e21e23c16..35356a67cb 100644 --- a/docs/attributes-registry/README.md +++ b/docs/attributes-registry/README.md @@ -34,7 +34,6 @@ Currently, the following namespaces exist: - [Android](android.md) - [Artifact](artifact.md) - [Aspnetcore](aspnetcore.md) -- [Authentication](authentication.md) - [AWS](aws.md) - [Azure](azure.md) - [Browser](browser.md) diff --git a/docs/attributes-registry/enduser.md b/docs/attributes-registry/enduser.md index c166808ed0..cc193e8107 100644 --- a/docs/attributes-registry/enduser.md +++ b/docs/attributes-registry/enduser.md 
@@ -10,9 +10,9 @@ Describes information about the end user, which can be used as a subdomain of browser, client, or user domains. -| Attribute | Type | Description | Examples | Stability | -| ------------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------- | ---------------------------------------------------------------- | -| `authentication.id` | string | Unique identifier of an authenticated user in the system. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `enduser.id` | string | Identifier of an end user who interacts with a system. This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system. | `QdH5CAWJgqVT4rOr0qtumf` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `enduser.role` | string | Actual/assumed role the client is making the request under extracted from token or application security context. | `admin` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `enduser.scope` | string | Scopes or granted authorities the client currently possesses extracted from token or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). 
| `read:message, write:files` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| Attribute | Type | Description | Examples | Stability | +|---|---|---|---|---| +| `enduser.authentication.id` | string | Unique identifier of an authenticated user in the system. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `enduser.id` | string | Identifier of an end user who interacts with a system. This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system. | `QdH5CAWJgqVT4rOr0qtumf` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `enduser.role` | string | Actual/assumed role the client is making the request under extracted from token or application security context. | `admin` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | +| `enduser.scope` | string | Scopes or granted authorities the client currently possesses extracted from token or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). | `read:message, write:files` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | From 614a52eb9c94813ae2bfa01add651d2ad766d6c4 Mon Sep 17 00:00:00 2001 From: heyams Date: Tue, 22 Oct 2024 16:14:35 -0700 Subject: [PATCH 10/34] Fix yamllint --- .chloggen/add_enduser_authentication_id.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.chloggen/add_enduser_authentication_id.yaml b/.chloggen/add_enduser_authentication_id.yaml index 906b73a217..d449bac875 100644 --- a/.chloggen/add_enduser_authentication_id.yaml +++ b/.chloggen/add_enduser_authentication_id.yaml @@ -20,5 +20,5 @@ issues: [1104] # These lines will be padded with 2 spaces and then inserted directly into the document. # Use pipe (|) for multiline entries. subtext: | - The new attribute `enduser.authentication.id` is intended to provide an unique identifier of an authenticated enduser. - The deprecated attributes `enduser.authentication.role` and `enduser.authentication.scope` are removed from the enduser registry., + The new attribute `enduser.authentication.id` is intended to provide an unique identifier of an authenticated enduser. + The deprecated attributes `enduser.authentication.role` and `enduser.authentication.scope` are removed from the enduser registry. \ No newline at end of file From a499237bde1bfa73bae3bc2235217b5ae61091a5 Mon Sep 17 00:00:00 2001 From: heyams Date: Tue, 22 Oct 2024 16:15:44 -0700 Subject: [PATCH 11/34] Fix --- .chloggen/add_enduser_authentication_id.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.chloggen/add_enduser_authentication_id.yaml b/.chloggen/add_enduser_authentication_id.yaml index d449bac875..300e4f9703 100644 --- a/.chloggen/add_enduser_authentication_id.yaml +++ b/.chloggen/add_enduser_authentication_id.yaml 
@@ -21,4 +21,5 @@ issues: [1104] # Use pipe (|) for multiline entries. subtext: | The new attribute `enduser.authentication.id` is intended to provide an unique identifier of an authenticated enduser. - The deprecated attributes `enduser.authentication.role` and `enduser.authentication.scope` are removed from the enduser registry. \ No newline at end of file + The deprecated attributes `enduser.authentication.role` and `enduser.authentication.scope` are removed from the enduser registry. + \ No newline at end of file From 5bfbfe233c65d5249afc97cf5c5e94e049920efe Mon Sep 17 00:00:00 2001 From: heyams Date: Tue, 22 Oct 2024 16:18:24 -0700 Subject: [PATCH 12/34] Fix trailing spaces --- .chloggen/add_enduser_authentication_id.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.chloggen/add_enduser_authentication_id.yaml b/.chloggen/add_enduser_authentication_id.yaml index 300e4f9703..89248bba51 100644 --- a/.chloggen/add_enduser_authentication_id.yaml +++ b/.chloggen/add_enduser_authentication_id.yaml @@ -22,4 +22,3 @@ issues: [1104] subtext: | The new attribute `enduser.authentication.id` is intended to provide an unique identifier of an authenticated enduser. The deprecated attributes `enduser.authentication.role` and `enduser.authentication.scope` are removed from the enduser registry. - \ No newline at end of file From 5f883d080b6645273dd2679f39dd2cb2458e0608 Mon Sep 17 00:00:00 2001 From: heyams Date: Wed, 23 Oct 2024 11:13:34 -0700 Subject: [PATCH 13/34] Use 'make generate-gh-issue-tempaltes --- .github/ISSUE_TEMPLATE/bug_report.yaml | 1 - .github/ISSUE_TEMPLATE/change_proposal.yaml | 1 - .github/ISSUE_TEMPLATE/new-conventions.yaml | 1 - 3 files changed, 3 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/bug_report.yaml b/.github/ISSUE_TEMPLATE/bug_report.yaml index 283d18b28d..fb9ee37d0d 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.yaml +++ b/.github/ISSUE_TEMPLATE/bug_report.yaml 
@@ -23,7 +23,6 @@ body: - area:android - area:artifact - area:aspnetcore - - area:authentication - area:aws - area:azure - area:browser diff --git a/.github/ISSUE_TEMPLATE/change_proposal.yaml b/.github/ISSUE_TEMPLATE/change_proposal.yaml index 2ba99a1d9f..fe5acc9841 100644 --- a/.github/ISSUE_TEMPLATE/change_proposal.yaml +++ b/.github/ISSUE_TEMPLATE/change_proposal.yaml @@ -15,7 +15,6 @@ body: - area:android - area:artifact - area:aspnetcore - - area:authentication - area:aws - area:azure - area:browser diff --git a/.github/ISSUE_TEMPLATE/new-conventions.yaml b/.github/ISSUE_TEMPLATE/new-conventions.yaml index 4f23678b18..3affbce455 100644 --- a/.github/ISSUE_TEMPLATE/new-conventions.yaml +++ b/.github/ISSUE_TEMPLATE/new-conventions.yaml @@ -24,7 +24,6 @@ body: - area:android - area:artifact - area:aspnetcore - - area:authentication - area:aws - area:azure - area:browser From 13919ed94ebb6e91c58b71f585313ffdb3cb2fa6 Mon Sep 17 00:00:00 2001 From: heyams Date: Fri, 22 Nov 2024 15:11:11 -0800 Subject: [PATCH 14/34] Update --- docs/attributes-registry/authentication.md | 15 --------------- model/enduser/registry.yaml | 4 ++-- 2 files changed, 2 insertions(+), 17 deletions(-) delete mode 100644 docs/attributes-registry/authentication.md diff --git a/docs/attributes-registry/authentication.md b/docs/attributes-registry/authentication.md deleted file mode 100644 index 90422ed9ee..0000000000 --- a/docs/attributes-registry/authentication.md +++ /dev/null 
@@ -1,15 +0,0 @@ - - - - - -# Authentication - -## Authentication Attributes - -"Describes the authentication information of an authenticated user." - -| Attribute | Type | Description | Examples | Stability | -| ------------------- | ------ | --------------------------------------------------------- | -------------------------------------------------- | ---------------------------------------------------------------- | -| `authentication.id` | string | Unique identifier of an authenticated user in the system. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | diff --git a/model/enduser/registry.yaml b/model/enduser/registry.yaml index 2a6568dd5e..a440334a66 100644 --- a/model/enduser/registry.yaml +++ b/model/enduser/registry.yaml @@ -5,11 +5,11 @@ groups: brief: > Describes information about the end user, which can be used as a subdomain of browser, client, or user domains. attributes: - - id: enduser.id + - id: enduser.anonymous.id type: string stability: experimental brief: > - Identifier of an end user who interacts with a system. + Identifier of an anonymous end user who interacts with a system. This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system. examples: ['QdH5CAWJgqVT4rOr0qtumf'] - id: enduser.role From 5c0d6d3c5518459015d17a1b1004dcad724833b2 Mon Sep 17 00:00:00 2001 From: heyams Date: Fri, 22 Nov 2024 15:29:42 -0800 Subject: [PATCH 15/34] Update --- docs/attributes-registry/enduser.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/attributes-registry/enduser.md b/docs/attributes-registry/enduser.md index cc193e8107..2b4e00bb19 100644 --- a/docs/attributes-registry/enduser.md +++ b/docs/attributes-registry/enduser.md 
@@ -12,7 +12,7 @@ Describes information about the end user, which can be used as a subdomain of br | Attribute | Type | Description | Examples | Stability | |---|---|---|---|---| +| `enduser.anonymous.id` | string | Identifier of an anonymous end user who interacts with a system. This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system. | `QdH5CAWJgqVT4rOr0qtumf` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | `enduser.authentication.id` | string | Unique identifier of an authenticated user in the system. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `enduser.id` | string | Identifier of an end user who interacts with a system. This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system. | `QdH5CAWJgqVT4rOr0qtumf` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | `enduser.role` | string | Actual/assumed role the client is making the request under extracted from token or application security context. | `admin` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | | `enduser.scope` | string | Scopes or granted authorities the client currently possesses extracted from token or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). | `read:message, write:files` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | From ff8599917af79e6310919778a4f704420ffed9f6 Mon Sep 17 00:00:00 2001 From: heyams Date: Fri, 22 Nov 2024 15:37:00 -0800 Subject: [PATCH 16/34] Fix identity not found --- docs/general/attributes.md | 9 ++++++--- model/enduser/common.yaml | 19 +++++++++++++++++++ 2 files changed, 25 insertions(+), 3 deletions(-) create mode 100644 model/enduser/common.yaml diff --git a/docs/general/attributes.md b/docs/general/attributes.md index 601b43101d..edfa59837f 100644 --- a/docs/general/attributes.md +++ b/docs/general/attributes.md @@ -396,9 +396,12 @@ These attributes may be used for any operation with an authenticated and/or auth | Attribute | Type | Description | Examples | [Requirement Level](https://opentelemetry.io/docs/specs/semconv/general/attribute-requirement-level/) | Stability | |---|---|---|---|---|---| -| [`enduser.id`](/docs/attributes-registry/enduser.md) | string | Deprecated, use `user.id` instead. | `username` | `Recommended` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Replaced by `user.id` attribute. | -| [`enduser.role`](/docs/attributes-registry/enduser.md) | string | Deprecated, use `user.roles` instead. | `admin` | `Recommended` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Replaced by `user.roles` attribute. | -| [`enduser.scope`](/docs/attributes-registry/enduser.md) | string | Deprecated, no replacement at this time. | `read:message, write:files` | `Recommended` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | +| [`enduser.authentication.id`](/docs/attributes-registry/enduser.md) | string | Unique identifier of an authenticated user in the system. [1] | `S-1-5-21-202424912787-2692429404-2351956786-1000` | `Required` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| [`enduser.anonymous.id`](/docs/attributes-registry/enduser.md) | string | Identifier of an anonymous end user who interacts with a system. This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system. | `QdH5CAWJgqVT4rOr0qtumf` | `Recommended` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| [`enduser.role`](/docs/attributes-registry/enduser.md) | string | Actual/assumed role the client is making the request under extracted from token or application security context. | `admin` | `Recommended` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | +| [`enduser.scope`](/docs/attributes-registry/enduser.md) | string | Scopes or granted authorities the client currently possesses extracted from token or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). | `read:message, write:files` | `Recommended` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | + +**[1] `enduser.authentication.id`:** The `enduser.authentication.id` attribute is intended to provide an unique identifier of an authenticated enduser. The deprecated attributes `enduser.authentication.role` and `enduser.authentication.scope` are removed from the enduser registry. diff --git a/model/enduser/common.yaml b/model/enduser/common.yaml new file mode 100644 index 0000000000..3188f0c54e --- /dev/null +++ b/model/enduser/common.yaml @@ -0,0 +1,19 @@ +groups: + - id: identity + type: attribute_group + brief: > + These attributes may be used for any operation with an authenticated and/or authorized enduser. + attributes: + - ref: enduser.anonymous.id + requirement_level: recommended + - ref: enduser.role + deprecated: "Removed." + requirement_level: recommended + - ref: enduser.scope + deprecated: "Removed." + requirement_level: recommended + - ref: enduser.authentication.id + requirement_level: required + note: > + The `enduser.authentication.id` attribute is intended to provide an unique identifier of an authenticated enduser. + The deprecated attributes `enduser.authentication.role` and `enduser.authentication.scope` are removed from the enduser registry. \ No newline at end of file From d626e6c3461164abdbf232525cada01c8ca34fa4 Mon Sep 17 00:00:00 2001 From: heyams Date: Fri, 22 Nov 2024 15:40:24 -0800 Subject: [PATCH 17/34] Update --- .chloggen/add_enduser_authentication_id.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.chloggen/add_enduser_authentication_id.yaml b/.chloggen/add_enduser_authentication_id.yaml index 89248bba51..e68167ebfd 100644 --- a/.chloggen/add_enduser_authentication_id.yaml +++ b/.chloggen/add_enduser_authentication_id.yaml 
@@ -10,7 +10,7 @@ change_type: enhancement component: enduser # A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`). -note: introduce new attribute `enduser.authentication.id` and deprecate `enduser.authentication.role`, and `enduser.authentication.scope`. +note: introduce new attribute `enduser.authentication.id`, rename `enduser.id` to `enduser.anonymous.id`, and deprecate `enduser.authentication.role`, and `enduser.authentication.scope`. # Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists. # The values here must be integers. From cb32498c8dd308fcc3d20247ca491535b24f7dd6 Mon Sep 17 00:00:00 2001 From: heyams Date: Fri, 22 Nov 2024 15:44:16 -0800 Subject: [PATCH 18/34] Fix yamllint --- model/enduser/common.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/model/enduser/common.yaml b/model/enduser/common.yaml index 3188f0c54e..7a2d0cee5d 100644 --- a/model/enduser/common.yaml +++ b/model/enduser/common.yaml @@ -16,4 +16,4 @@ groups: requirement_level: required note: > The `enduser.authentication.id` attribute is intended to provide an unique identifier of an authenticated enduser. - The deprecated attributes `enduser.authentication.role` and `enduser.authentication.scope` are removed from the enduser registry. \ No newline at end of file + The deprecated attributes `enduser.authentication.role` and `enduser.authentication.scope` are removed from the enduser registry. From 1c53711e1d6a8a64f9d2a336c648c491f9f8bbac Mon Sep 17 00:00:00 2001 From: heyams Date: Fri, 22 Nov 2024 15:54:01 -0800 Subject: [PATCH 19/34] Fix backward compat --- .chloggen/add_enduser_authentication_id.yaml | 2 +- docs/attributes-registry/enduser.md | 1 + docs/general/attributes.md | 1 + model/enduser/common.yaml | 3 +++ model/enduser/registry.yaml | 7 +++++++ 5 files changed, 13 insertions(+), 1 deletion(-) 
diff --git a/.chloggen/add_enduser_authentication_id.yaml b/.chloggen/add_enduser_authentication_id.yaml index e68167ebfd..0105a996a2 100644 --- a/.chloggen/add_enduser_authentication_id.yaml +++ b/.chloggen/add_enduser_authentication_id.yaml @@ -10,7 +10,7 @@ change_type: enhancement component: enduser # A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`). -note: introduce new attribute `enduser.authentication.id`, rename `enduser.id` to `enduser.anonymous.id`, and deprecate `enduser.authentication.role`, and `enduser.authentication.scope`. +note: introduce new attribute `enduser.authentication.id`, replace `enduser.id` with `enduser.anonymous.id`, and deprecate `enduser.authentication.role`, and `enduser.authentication.scope`. # Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists. # The values here must be integers. diff --git a/docs/attributes-registry/enduser.md b/docs/attributes-registry/enduser.md index 2b4e00bb19..5c6bc64c03 100644 --- a/docs/attributes-registry/enduser.md +++ b/docs/attributes-registry/enduser.md @@ -14,5 +14,6 @@ Describes information about the end user, which can be used as a subdomain of br |---|---|---|---|---| | `enduser.anonymous.id` | string | Identifier of an anonymous end user who interacts with a system. This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system. | `QdH5CAWJgqVT4rOr0qtumf` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | `enduser.authentication.id` | string | Unique identifier of an authenticated user in the system. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `enduser.id` | string | Deprecated, use `enduser.anonymous.id` instead. | `QdH5CAWJgqVT4rOr0qtumf` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Replaced by `enduser.anonymous.id` attribute. | | `enduser.role` | string | Actual/assumed role the client is making the request under extracted from token or application security context. | `admin` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | | `enduser.scope` | string | Scopes or granted authorities the client currently possesses extracted from token or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). | `read:message, write:files` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | diff --git a/docs/general/attributes.md b/docs/general/attributes.md index edfa59837f..6604d341ac 100644 --- a/docs/general/attributes.md +++ b/docs/general/attributes.md @@ -398,6 +398,7 @@ These attributes may be used for any operation with an authenticated and/or auth |---|---|---|---|---|---| | [`enduser.authentication.id`](/docs/attributes-registry/enduser.md) | string | Unique identifier of an authenticated user in the system. [1] | `S-1-5-21-202424912787-2692429404-2351956786-1000` | `Required` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | [`enduser.anonymous.id`](/docs/attributes-registry/enduser.md) | string | Identifier of an anonymous end user who interacts with a system. This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system. | `QdH5CAWJgqVT4rOr0qtumf` | `Recommended` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| [`enduser.id`](/docs/attributes-registry/enduser.md) | string | Deprecated, use `enduser.anonymous.id` instead. | `QdH5CAWJgqVT4rOr0qtumf` | `Recommended` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Replaced by `enduser.anonymous.id` attribute. | | [`enduser.role`](/docs/attributes-registry/enduser.md) | string | Actual/assumed role the client is making the request under extracted from token or application security context. | `admin` | `Recommended` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | | [`enduser.scope`](/docs/attributes-registry/enduser.md) | string | Scopes or granted authorities the client currently possesses extracted from token or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). | `read:message, write:files` | `Recommended` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | diff --git a/model/enduser/common.yaml b/model/enduser/common.yaml index 7a2d0cee5d..54ae23fcad 100644 --- a/model/enduser/common.yaml +++ b/model/enduser/common.yaml @@ -4,6 +4,9 @@ groups: brief: > These attributes may be used for any operation with an authenticated and/or authorized enduser. attributes: + - ref: enduser.id + deprecated: Replaced by `enduser.anonymous.id` attribute. + requirement_level: recommended - ref: enduser.anonymous.id requirement_level: recommended - ref: enduser.role diff --git a/model/enduser/registry.yaml b/model/enduser/registry.yaml index a440334a66..88a36a66b9 100644 --- a/model/enduser/registry.yaml +++ b/model/enduser/registry.yaml @@ -5,6 +5,13 @@ groups: brief: > Describes information about the end user, which can be used as a subdomain of browser, client, or user domains. attributes: + - id: enduser.id + type: string + deprecated: Replaced by `enduser.anonymous.id` attribute. + stability: experimental + examples: ['QdH5CAWJgqVT4rOr0qtumf'] + brief: > + Deprecated, use `enduser.anonymous.id` instead. - id: enduser.anonymous.id type: string stability: experimental From 51d0c99bf41da6942c379968ee0b0a5763176afc Mon Sep 17 00:00:00 2001 From: heyams Date: Tue, 10 Dec 2024 12:15:29 -0800 Subject: [PATCH 20/34] Rename enduser.id to enduser.pseudo.id --- .chloggen/add_enduser_authentication_id.yaml | 2 +- model/enduser/common.yaml | 4 ++-- model/enduser/registry.yaml | 11 ++++++++--- 3 files changed, 11 insertions(+), 6 deletions(-) diff --git a/.chloggen/add_enduser_authentication_id.yaml b/.chloggen/add_enduser_authentication_id.yaml index 0105a996a2..ea4c170f88 100644 --- a/.chloggen/add_enduser_authentication_id.yaml +++ b/.chloggen/add_enduser_authentication_id.yaml 
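Review bot: The `deprecated:` text added for `enduser.id` (in both the `common.yaml` and `registry.yaml` hunks of this patch) points every existing value at `enduser.anonymous.id`, but the rows removed from `docs/general/attributes.md` in PATCH 16 documented `enduser.id` with the example `username` and named `user.id` as its replacement. Instrumentation that already emits account names under `enduser.id` would, following this guidance, move them into an attribute whose brief says authentication is not implied, and any redaction or access rule keyed on the attribute name may then treat them as less sensitive than they are. I would have the message name both targets, for example `deprecated: "Replaced by enduser.authentication.id for authenticated users, otherwise by enduser.anonymous.id."`, after confirming the tooling accepts free text in that field. The `enduser` group body continues outside both hunks.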
@@ -10,7 +10,7 @@ change_type: enhancement component: enduser # A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`). -note: introduce new attribute `enduser.authentication.id`, replace `enduser.id` with `enduser.anonymous.id`, and deprecate `enduser.authentication.role`, and `enduser.authentication.scope`. +note: introduce new attribute `enduser.authentication.id`, replace `enduser.id` with `enduser.pseudo.id`, and deprecate `enduser.authentication.role`, and `enduser.authentication.scope`. # Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists. # The values here must be integers. diff --git a/model/enduser/common.yaml b/model/enduser/common.yaml index 54ae23fcad..e58fce73f0 100644 --- a/model/enduser/common.yaml +++ b/model/enduser/common.yaml @@ -5,9 +5,9 @@ groups: These attributes may be used for any operation with an authenticated and/or authorized enduser. attributes: - ref: enduser.id - deprecated: Replaced by `enduser.anonymous.id` attribute. + deprecated: Replaced by `enduser.pseudo.id` attribute. requirement_level: recommended - - ref: enduser.anonymous.id + - ref: enduser.pseudo.id requirement_level: recommended - ref: enduser.role deprecated: "Removed." diff --git a/model/enduser/registry.yaml b/model/enduser/registry.yaml index 88a36a66b9..526dd8d707 100644 --- a/model/enduser/registry.yaml +++ b/model/enduser/registry.yaml 
@@ -7,12 +7,17 @@ groups: attributes: - id: enduser.id type: string - deprecated: Replaced by `enduser.anonymous.id` attribute. + deprecated: Replaced by `enduser.pseudo.id` attribute. stability: experimental examples: ['QdH5CAWJgqVT4rOr0qtumf'] brief: > - Deprecated, use `enduser.anonymous.id` instead. - - id: enduser.anonymous.id + Deprecated, use `enduser.pseudo.id` instead. + - id: enduser.pseudo.id + type: string + stability: experimental + brief: > + Pseudonymous identifier of an end user. This identifier is unique to the user but does not reveal their actual identity. + examples: ['QdH5CAWJgqVT4rOr0qtumf'] type: string stability: experimental brief: > From 949bae80082564fd156f1f7e6970f8bd80eb47a3 Mon Sep 17 00:00:00 2001 From: heyams Date: Tue, 10 Dec 2024 12:24:58 -0800 Subject: [PATCH 21/34] Update md --- docs/attributes-registry/enduser.md | 4 ++-- docs/general/attributes.md | 4 ++-- model/enduser/registry.yaml | 6 ------ 3 files changed, 4 insertions(+), 10 deletions(-) diff --git a/docs/attributes-registry/enduser.md b/docs/attributes-registry/enduser.md index 5c6bc64c03..be963ea32b 100644 --- a/docs/attributes-registry/enduser.md +++ b/docs/attributes-registry/enduser.md 
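Review bot: The new `enduser.pseudo.id` entry ends up with duplicate keys: the line `- id: enduser.anonymous.id` is removed, but its `type: string`, `stability: experimental` and `brief: >` stay as context directly after the added `examples:` line, so they now belong to the same list item. Many YAML parsers resolve duplicate keys last-wins without an error, which would silently keep the old brief instead of the new pseudonymous one, and a linter with a duplicate-key rule would reject the file. The leftover `type`/`stability`/`brief`/`examples` lines of the former entry should be deleted in this same commit; the rest of that old body lies outside the hunk. Separately, the added brief says the identifier `does not reveal their actual identity`, but a value that is stable per user stays linkable across sessions, so the brief could state that it must not be reversibly derived from the account identifier.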
@@ -12,8 +12,8 @@ Describes information about the end user, which can be used as a subdomain of br | Attribute | Type | Description | Examples | Stability | |---|---|---|---|---| -| `enduser.anonymous.id` | string | Identifier of an anonymous end user who interacts with a system. This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system. | `QdH5CAWJgqVT4rOr0qtumf` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | `enduser.authentication.id` | string | Unique identifier of an authenticated user in the system. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `enduser.id` | string | Deprecated, use `enduser.anonymous.id` instead. | `QdH5CAWJgqVT4rOr0qtumf` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Replaced by `enduser.anonymous.id` attribute. | +| `enduser.id` | string | Deprecated, use `enduser.pseudo.id` instead. | `QdH5CAWJgqVT4rOr0qtumf` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Replaced by `enduser.pseudo.id` attribute. | +| `enduser.pseudo.id` | string | Pseudonymous identifier of an end user. This identifier is unique to the user but does not reveal their actual identity. | `QdH5CAWJgqVT4rOr0qtumf` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | `enduser.role` | string | Actual/assumed role the client is making the request under extracted from token or application security context. | `admin` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | | `enduser.scope` | string | Scopes or granted authorities the client currently possesses extracted from token or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). | `read:message, write:files` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | diff --git a/docs/general/attributes.md b/docs/general/attributes.md index 6604d341ac..7c76dfbf10 100644 --- a/docs/general/attributes.md +++ b/docs/general/attributes.md @@ -397,8 +397,8 @@ These attributes may be used for any operation with an authenticated and/or auth | Attribute | Type | Description | Examples | [Requirement Level](https://opentelemetry.io/docs/specs/semconv/general/attribute-requirement-level/) | Stability | |---|---|---|---|---|---| | [`enduser.authentication.id`](/docs/attributes-registry/enduser.md) | string | Unique identifier of an authenticated user in the system. [1] | `S-1-5-21-202424912787-2692429404-2351956786-1000` | `Required` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| [`enduser.anonymous.id`](/docs/attributes-registry/enduser.md) | string | Identifier of an anonymous end user who interacts with a system. This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system. | `QdH5CAWJgqVT4rOr0qtumf` | `Recommended` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| [`enduser.id`](/docs/attributes-registry/enduser.md) | string | Deprecated, use `enduser.anonymous.id` instead. | `QdH5CAWJgqVT4rOr0qtumf` | `Recommended` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Replaced by `enduser.anonymous.id` attribute. | +| [`enduser.pseudo.id`](/docs/attributes-registry/enduser.md) | string | Identifier of an anonymous end user who interacts with a system. This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system. | `QdH5CAWJgqVT4rOr0qtumf` | `Recommended` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| [`enduser.id`](/docs/attributes-registry/enduser.md) | string | Deprecated, use `enduser.pseudo.id` instead. | `QdH5CAWJgqVT4rOr0qtumf` | `Recommended` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Replaced by `enduser.pseudo.id` attribute. | | [`enduser.role`](/docs/attributes-registry/enduser.md) | string | Actual/assumed role the client is making the request under extracted from token or application security context. | `admin` | `Recommended` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | | [`enduser.scope`](/docs/attributes-registry/enduser.md) | string | Scopes or granted authorities the client currently possesses extracted from token or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). | `read:message, write:files` | `Recommended` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | diff --git a/model/enduser/registry.yaml b/model/enduser/registry.yaml index 526dd8d707..a1f6263782 100644 --- a/model/enduser/registry.yaml +++ b/model/enduser/registry.yaml @@ -18,12 +18,6 @@ groups: brief: > Pseudonymous identifier of an end user. This identifier is unique to the user but does not reveal their actual identity. examples: ['QdH5CAWJgqVT4rOr0qtumf'] - type: string - stability: experimental - brief: > - Identifier of an anonymous end user who interacts with a system. - This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system. - examples: ['QdH5CAWJgqVT4rOr0qtumf'] - id: enduser.role type: string deprecated: "Removed." From 97788900857570c4eff602bc7e29e4ded1b6a912 Mon Sep 17 00:00:00 2001 From: heyams Date: Tue, 10 Dec 2024 12:26:23 -0800 Subject: [PATCH 22/34] Update --- docs/general/attributes.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/general/attributes.md b/docs/general/attributes.md index 7c76dfbf10..92fe1d9659 100644 --- a/docs/general/attributes.md +++ b/docs/general/attributes.md 
@@ -397,8 +397,8 @@ These attributes may be used for any operation with an authenticated and/or auth | Attribute | Type | Description | Examples | [Requirement Level](https://opentelemetry.io/docs/specs/semconv/general/attribute-requirement-level/) | Stability | |---|---|---|---|---|---| | [`enduser.authentication.id`](/docs/attributes-registry/enduser.md) | string | Unique identifier of an authenticated user in the system. [1] | `S-1-5-21-202424912787-2692429404-2351956786-1000` | `Required` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| [`enduser.pseudo.id`](/docs/attributes-registry/enduser.md) | string | Identifier of an anonymous end user who interacts with a system. This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system. | `QdH5CAWJgqVT4rOr0qtumf` | `Recommended` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | [`enduser.id`](/docs/attributes-registry/enduser.md) | string | Deprecated, use `enduser.pseudo.id` instead. | `QdH5CAWJgqVT4rOr0qtumf` | `Recommended` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Replaced by `enduser.pseudo.id` attribute. | +| [`enduser.pseudo.id`](/docs/attributes-registry/enduser.md) | string | Pseudonymous identifier of an end user. This identifier is unique to the user but does not reveal their actual identity. | `QdH5CAWJgqVT4rOr0qtumf` | `Recommended` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | [`enduser.role`](/docs/attributes-registry/enduser.md) | string | Actual/assumed role the client is making the request under extracted from token or application security context. | `admin` | `Recommended` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | | [`enduser.scope`](/docs/attributes-registry/enduser.md) | string | Scopes or granted authorities the client currently possesses extracted from token or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). | `read:message, write:files` | `Recommended` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | From 23bb6fed4d8e868bf7124ffa80bb820374ee8875 Mon Sep 17 00:00:00 2001 From: heyams Date: Mon, 13 Jan 2025 13:52:28 -0800 Subject: [PATCH 23/34] Update attributes.md --- docs/general/attributes.md | 29 +---------------------------- 1 file changed, 1 insertion(+), 28 deletions(-) diff --git a/docs/general/attributes.md b/docs/general/attributes.md index 92fe1d9659..e0c91a0e13 100644 --- a/docs/general/attributes.md +++ b/docs/general/attributes.md 
@@ -414,34 +414,7 @@ system. It is expected this information would be propagated unchanged from node- using the Baggage mechanism. These attributes should not be used to record system-to-system authentication attributes. -Examples of where the `enduser.id` value is extracted from: - -| Authentication protocol | Field or description | -| :---------------------- | :------------------------------ | -| [HTTP Basic/Digest Authentication] | `username` | -| [OAuth 2.0 Bearer Token] | [OAuth 2.0 Client Identifier] value from `client_id` for the [OAuth 2.0 Client Credentials Grant] flow and `subject` or `username` from get token info response for other flows using opaque tokens. | -| [OpenID Connect 1.0 IDToken] | `sub` | -| [SAML 2.0 Assertion] | `urn:oasis:names:tc:SAML:2.0:assertion:Subject` | -| [Kerberos] | `PrincipalName` | - -| Framework | Field or description | -| :---------------------- | :------------------------------ | -| [JavaEE/JakartaEE Servlet] | `javax.servlet.http.HttpServletRequest.getUserPrincipal()` | -| [Windows Communication Foundation] | `ServiceSecurityContext.Current.PrimaryIdentity` | - -[SAML 2.0 Assertion]: http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html -[HTTP Basic/Digest Authentication]: https://tools.ietf.org/html/rfc2617 -[OAuth 2.0 Bearer Token]: https://tools.ietf.org/html/rfc6750 -[OAuth 2.0 Client Identifier]: https://tools.ietf.org/html/rfc6749#section-2.2 -[OAuth 2.0 Client Credentials Grant]: https://tools.ietf.org/html/rfc6749#section-4.4 -[OpenID Connect 1.0 IDToken]: https://openid.net/specs/openid-connect-core-1_0.html#IDToken -[Kerberos]: https://tools.ietf.org/html/rfc4120 -[JavaEE/JakartaEE Servlet]: https://jakarta.ee/specifications/platform/8/apidocs/javax/servlet/http/HttpServletRequest.html -[Windows Communication Foundation]: https://docs.microsoft.com/dotnet/api/system.servicemodel.servicesecuritycontext?view=netframework-4.8 - -Given the sensitive nature of this information, SDKs and 
exporters SHOULD drop these attributes by -default and then provide a configuration parameter to turn on retention for use cases where the -information is required and would not violate any policies or regulations. +`enduser.pseudo.id` attribute can be set by a specific client component, e.g. through a cookie out of the Span's HTTP request headers. Client side application should be able to stamp this attribute on any telemetry item emitted by the application whenever this cookie is available. ## General thread attributes From f0623df2cd500c4dd4bb46d1f6d13ea44354dd2f Mon Sep 17 00:00:00 2001 From: heyams Date: Mon, 13 Jan 2025 14:11:55 -0800 Subject: [PATCH 24/34] Address comments --- .../deprecated/registry-deprecated.yaml | 28 +++++++++++++++++++ model/enduser/registry.yaml | 23 --------------- 2 files changed, 28 insertions(+), 23 deletions(-) create mode 100644 model/enduser/deprecated/registry-deprecated.yaml diff --git a/model/enduser/deprecated/registry-deprecated.yaml b/model/enduser/deprecated/registry-deprecated.yaml new file mode 100644 index 0000000000..c2ab742064 --- /dev/null +++ b/model/enduser/deprecated/registry-deprecated.yaml 
@@ -0,0 +1,28 @@
+groups:
+ - id: registry.enduser.deprecated
+ type: attribute_group
+ display_name: Deprecated End User Attributes
+ brief: "Describes deprecated end user attributes."
+ attributes:
+ - id: enduser.id
+ type: string
+ brief: 'Deprecated, use `enduser.pseudo.id` instead.'
+ stability: experimental
+ deprecated: "Replaced by `enduser.pseudo.id`."
+ examples: ['QdH5CAWJgqVT4rOr0qtumf']
+ - id: enduser.role
+ type: string
+ deprecated: "Removed."
+ stability: experimental
+ brief: 'Actual/assumed role the client is making the request under extracted from token or application security context.'
+ examples: 'admin'
+ - id: enduser.scope
+ type: string
+ deprecated: "Removed."
+ stability: experimental
+ brief: >
+ Scopes or granted authorities the client currently possesses extracted from token
+ or application security context. The value would come from the scope associated
+ with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3)
+ or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html).
+ examples: 'read:message, write:files'
\ No newline at end of file
diff --git a/model/enduser/registry.yaml b/model/enduser/registry.yaml
index a1f6263782..06e3013b71 100644
--- a/model/enduser/registry.yaml
+++ b/model/enduser/registry.yaml
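Review bot: The `enduser.id` entry in this new file sends every consumer to `enduser.pseudo.id` through its `deprecated` and `brief` text, but the protocol table removed from docs/general/attributes.md earlier in this series shows `enduser.id` being filled from authenticated identifiers such as the HTTP Basic `username` and the OpenID Connect `sub`. A mechanical rename would therefore put real account identifiers under an attribute whose brief says it does not reveal the user's identity. The `deprecated` text should name both targets: `enduser.authentication.id` for authenticated identities and `enduser.pseudo.id` for pseudonymous ones, assuming `enduser.authentication.id` is meant to stay in the registry at this point.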
@@ -5,35 +5,12 @@ groups: brief: > Describes information about the end user, which can be used as a subdomain of browser, client, or user domains. attributes: - - id: enduser.id - type: string - deprecated: Replaced by `enduser.pseudo.id` attribute. - stability: experimental - examples: ['QdH5CAWJgqVT4rOr0qtumf'] - brief: > - Deprecated, use `enduser.pseudo.id` instead. - id: enduser.pseudo.id type: string stability: experimental brief: > Pseudonymous identifier of an end user. This identifier is unique to the user but does not reveal their actual identity. examples: ['QdH5CAWJgqVT4rOr0qtumf'] - - id: enduser.role - type: string - deprecated: "Removed." - stability: experimental - brief: 'Actual/assumed role the client is making the request under extracted from token or application security context.' - examples: 'admin' - - id: enduser.scope - type: string - deprecated: "Removed." - stability: experimental - brief: > - Scopes or granted authorities the client currently possesses extracted from token - or application security context. The value would come from the scope associated - with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) - or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). - examples: 'read:message, write:files' - id: enduser.authentication.id type: string brief: "Unique identifier of an authenticated user in the system." From 435fc1ba4091ec11cd15cd2a896c32fb009a4488 Mon Sep 17 00:00:00 2001 From: heyams Date: Mon, 13 Jan 2025 14:14:50 -0800 Subject: [PATCH 25/34] Make update --- docs/attributes-registry/enduser.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/docs/attributes-registry/enduser.md b/docs/attributes-registry/enduser.md index be963ea32b..c4d746ff3c 100644 --- a/docs/attributes-registry/enduser.md +++ b/docs/attributes-registry/enduser.md 
@@ -6,6 +6,9 @@ # Enduser +- [End User Attributes](#end-user-attributes) +- [Deprecated End User Attributes](#deprecated-end-user-attributes) + ## End User Attributes Describes information about the end user, which can be used as a subdomain of browser, client, or user domains. @@ -13,7 +16,14 @@ Describes information about the end user, which can be used as a subdomain of br | Attribute | Type | Description | Examples | Stability | |---|---|---|---|---| | `enduser.authentication.id` | string | Unique identifier of an authenticated user in the system. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `enduser.id` | string | Deprecated, use `enduser.pseudo.id` instead. | `QdH5CAWJgqVT4rOr0qtumf` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Replaced by `enduser.pseudo.id` attribute. | | `enduser.pseudo.id` | string | Pseudonymous identifier of an end user. This identifier is unique to the user but does not reveal their actual identity. | `QdH5CAWJgqVT4rOr0qtumf` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | + +## Deprecated End User Attributes + +Describes deprecated end user attributes. + +| Attribute | Type | Description | Examples | Stability | +|---|---|---|---|---| +| `enduser.id` | string | Deprecated, use `enduser.pseudo.id` instead. | `QdH5CAWJgqVT4rOr0qtumf` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Replaced by `enduser.pseudo.id`. | | `enduser.role` | string | Actual/assumed role the client is making the request under extracted from token or application security context. | `admin` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | | `enduser.scope` | string | Scopes or granted authorities the client currently possesses extracted from token or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). | `read:message, write:files` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | From ca87ccccf47730f7f8f8b9d053f1e338f53b6c25 Mon Sep 17 00:00:00 2001 From: heyams Date: Mon, 13 Jan 2025 14:18:23 -0800 Subject: [PATCH 26/34] Fix yamllint --- model/enduser/deprecated/registry-deprecated.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/model/enduser/deprecated/registry-deprecated.yaml b/model/enduser/deprecated/registry-deprecated.yaml index c2ab742064..f90a3a3a87 100644 --- a/model/enduser/deprecated/registry-deprecated.yaml +++ b/model/enduser/deprecated/registry-deprecated.yaml @@ -25,4 +25,4 @@ groups: or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). - examples: 'read:message, write:files' \ No newline at end of file + examples: 'read:message, write:files' From 2ccbfe3e6da13e3e187986096202ffdedd5c971d Mon Sep 17 00:00:00 2001 From: heyams Date: Thu, 23 Jan 2025 15:38:49 -0800 Subject: [PATCH 27/34] Update --- ...entication_id.yaml => add_enduser_pseudo_id.yaml} | 5 ++--- docs/attributes-registry/enduser.md | 3 +-- docs/general/attributes.md | 7 +------ model/enduser/common.yaml | 12 ------------ model/enduser/deprecated/registry-deprecated.yaml | 6 ------ model/enduser/registry.yaml | 11 ++++++----- 6 files changed, 10 insertions(+), 34 deletions(-) rename .chloggen/{add_enduser_authentication_id.yaml => add_enduser_pseudo_id.yaml} (67%) diff --git a/.chloggen/add_enduser_authentication_id.yaml b/.chloggen/add_enduser_pseudo_id.yaml similarity index 67% rename from .chloggen/add_enduser_authentication_id.yaml rename to .chloggen/add_enduser_pseudo_id.yaml index ea4c170f88..ae2891ef58 100644 --- a/.chloggen/add_enduser_authentication_id.yaml +++ b/.chloggen/add_enduser_pseudo_id.yaml 
@@ -10,7 +10,7 @@ change_type: enhancement component: enduser # A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`). -note: introduce new attribute `enduser.authentication.id`, replace `enduser.id` with `enduser.pseudo.id`, and deprecate `enduser.authentication.role`, and `enduser.authentication.scope`. +note: introduce new attribute `enduser.pseudo.id` # Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists. # The values here must be integers. @@ -20,5 +20,4 @@ issues: [1104] # These lines will be padded with 2 spaces and then inserted directly into the document. # Use pipe (|) for multiline entries. subtext: | - The new attribute `enduser.authentication.id` is intended to provide an unique identifier of an authenticated enduser. - The deprecated attributes `enduser.authentication.role` and `enduser.authentication.scope` are removed from the enduser registry. + The new attribute `enduser.pseudo.id` is intended to provide an unique identifier of an authenticated enduser. diff --git a/docs/attributes-registry/enduser.md b/docs/attributes-registry/enduser.md index c4d746ff3c..3abce70608 100644 --- a/docs/attributes-registry/enduser.md +++ b/docs/attributes-registry/enduser.md 
@@ -15,7 +15,7 @@ Describes information about the end user, which can be used as a subdomain of br | Attribute | Type | Description | Examples | Stability | |---|---|---|---|---| -| `enduser.authentication.id` | string | Unique identifier of an authenticated user in the system. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `enduser.id` | string | Unique identifier of an authenticated user in the system. | `` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | `enduser.pseudo.id` | string | Pseudonymous identifier of an end user. This identifier is unique to the user but does not reveal their actual identity. | `QdH5CAWJgqVT4rOr0qtumf` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | ## Deprecated End User Attributes @@ -24,6 +24,5 @@ Describes deprecated end user attributes. | Attribute | Type | Description | Examples | Stability | |---|---|---|---|---| -| `enduser.id` | string | Deprecated, use `enduser.pseudo.id` instead. | `QdH5CAWJgqVT4rOr0qtumf` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Replaced by `enduser.pseudo.id`. | | `enduser.role` | string | Actual/assumed role the client is making the request under extracted from token or application security context. | `admin` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | | `enduser.scope` | string | Scopes or granted authorities the client currently possesses extracted from token or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). | `read:message, write:files` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | diff --git a/docs/general/attributes.md b/docs/general/attributes.md index a7ec633b6b..4269db8eb1 100644 --- a/docs/general/attributes.md +++ b/docs/general/attributes.md @@ -396,13 +396,8 @@ These attributes may be used for any operation with an authenticated and/or auth | Attribute | Type | Description | Examples | [Requirement Level](https://opentelemetry.io/docs/specs/semconv/general/attribute-requirement-level/) | Stability | |---|---|---|---|---|---| -| [`enduser.authentication.id`](/docs/attributes-registry/enduser.md) | string | Unique identifier of an authenticated user in the system. [1] | `S-1-5-21-202424912787-2692429404-2351956786-1000` | `Required` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| [`enduser.id`](/docs/attributes-registry/enduser.md) | string | Deprecated, use `enduser.pseudo.id` instead. | `QdH5CAWJgqVT4rOr0qtumf` | `Recommended` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Replaced by `enduser.pseudo.id` attribute. | +| [`enduser.id`](/docs/attributes-registry/enduser.md) | string | Unique identifier of an authenticated user in the system. | `` | `Recommended` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | [`enduser.pseudo.id`](/docs/attributes-registry/enduser.md) | string | Pseudonymous identifier of an end user. This identifier is unique to the user but does not reveal their actual identity. | `QdH5CAWJgqVT4rOr0qtumf` | `Recommended` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| [`enduser.role`](/docs/attributes-registry/enduser.md) | string | Actual/assumed role the client is making the request under extracted from token or application security context. | `admin` | `Recommended` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | -| [`enduser.scope`](/docs/attributes-registry/enduser.md) | string | Scopes or granted authorities the client currently possesses extracted from token or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). | `read:message, write:files` | `Recommended` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | - -**[1] `enduser.authentication.id`:** The `enduser.authentication.id` attribute is intended to provide an unique identifier of an authenticated enduser. The deprecated attributes `enduser.authentication.role` and `enduser.authentication.scope` are removed from the enduser registry. diff --git a/model/enduser/common.yaml b/model/enduser/common.yaml index e58fce73f0..970d8bd2bf 100644 --- a/model/enduser/common.yaml +++ b/model/enduser/common.yaml @@ -5,18 +5,6 @@ groups: These attributes may be used for any operation with an authenticated and/or authorized enduser. attributes: - ref: enduser.id - deprecated: Replaced by `enduser.pseudo.id` attribute. requirement_level: recommended - ref: enduser.pseudo.id requirement_level: recommended - - ref: enduser.role - deprecated: "Removed." - requirement_level: recommended - - ref: enduser.scope - deprecated: "Removed." - requirement_level: recommended - - ref: enduser.authentication.id - requirement_level: required - note: > - The `enduser.authentication.id` attribute is intended to provide an unique identifier of an authenticated enduser. - The deprecated attributes `enduser.authentication.role` and `enduser.authentication.scope` are removed from the enduser registry. diff --git a/model/enduser/deprecated/registry-deprecated.yaml b/model/enduser/deprecated/registry-deprecated.yaml index f90a3a3a87..229f9c85bd 100644 --- a/model/enduser/deprecated/registry-deprecated.yaml +++ b/model/enduser/deprecated/registry-deprecated.yaml @@ -4,12 +4,6 @@ groups: display_name: Deprecated End User Attributes brief: "Describes deprecated end user attributes." attributes: - - id: enduser.id - type: string - brief: 'Deprecated, use `enduser.pseudo.id` instead.' - stability: experimental - deprecated: "Replaced by `enduser.pseudo.id`." - examples: ['QdH5CAWJgqVT4rOr0qtumf'] - id: enduser.role type: string deprecated: "Removed." 
diff --git a/model/enduser/registry.yaml b/model/enduser/registry.yaml index 06e3013b71..59a99b90c1 100644 --- a/model/enduser/registry.yaml +++ b/model/enduser/registry.yaml @@ -5,14 +5,15 @@ groups: brief: > Describes information about the end user, which can be used as a subdomain of browser, client, or user domains. attributes: + - id: enduser.id + type: string + brief: "Unique identifier of an authenticated user in the system." + examples: [ '' ] + stability: experimental - id: enduser.pseudo.id type: string stability: experimental brief: > Pseudonymous identifier of an end user. This identifier is unique to the user but does not reveal their actual identity. examples: ['QdH5CAWJgqVT4rOr0qtumf'] - - id: enduser.authentication.id - type: string - brief: "Unique identifier of an authenticated user in the system." - examples: [ 'S-1-5-21-202424912787-2692429404-2351956786-1000' ] - stability: experimental + From 10b2e0cef282c4ded052f07a6a990ad5a025ee10 Mon Sep 17 00:00:00 2001 From: heyams Date: Thu, 23 Jan 2025 16:07:11 -0800 Subject: [PATCH 28/34] Fix yamllint --- model/enduser/registry.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/model/enduser/registry.yaml b/model/enduser/registry.yaml index 59a99b90c1..7904843fbe 100644 --- a/model/enduser/registry.yaml +++ b/model/enduser/registry.yaml @@ -16,4 +16,3 @@ groups: brief: > Pseudonymous identifier of an end user. This identifier is unique to the user but does not reveal their actual identity. examples: ['QdH5CAWJgqVT4rOr0qtumf'] - From 8c89be8f9c19f0b91b321b238ee6c60eb35bd4f8 Mon Sep 17 00:00:00 2001 From: heyams Date: Thu, 23 Jan 2025 16:24:26 -0800 Subject: [PATCH 29/34] Address comments --- docs/attributes-registry/enduser.md | 8 ++-- docs/general/attributes.md | 44 ++++++++++++++++++- model/enduser/common.yaml | 2 +- .../deprecated/registry-deprecated.yaml | 8 +--- model/enduser/registry.yaml | 8 ++-- 5 files changed, 53 insertions(+), 17 deletions(-) 
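Review bot: The `enduser.id` entry added in the first registry.yaml hunk is defined as the identifier of an authenticated user, yet it carries no `note:` marking the value as personal data, so the registry page generated from this model gives implementers no handling guidance. The only such caveat on this page sits in the hand-written text of docs/general/attributes.md, which a reader of the registry will not see. I would add a note under the attribute along the lines of `note: > Likely to contain PII; populate only when required and permitted by policy.` The attribute list starts above the hunk.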
diff --git a/docs/attributes-registry/enduser.md b/docs/attributes-registry/enduser.md index 3abce70608..2a140adf29 100644 --- a/docs/attributes-registry/enduser.md +++ b/docs/attributes-registry/enduser.md @@ -11,18 +11,18 @@ ## End User Attributes -Describes information about the end user, which can be used as a subdomain of browser, client, or user domains. +Describes the end user. | Attribute | Type | Description | Examples | Stability | |---|---|---|---|---| -| `enduser.id` | string | Unique identifier of an authenticated user in the system. | `` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `enduser.id` | string | Unique identifier of an authenticated user in the system. | `username` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | `enduser.pseudo.id` | string | Pseudonymous identifier of an end user. This identifier is unique to the user but does not reveal their actual identity. | `QdH5CAWJgqVT4rOr0qtumf` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | ## Deprecated End User Attributes -Describes deprecated end user attributes. +Describes deprecated enduser attributes. | Attribute | Type | Description | Examples | Stability | |---|---|---|---|---| | `enduser.role` | string | Actual/assumed role the client is making the request under extracted from token or application security context. | `admin` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | -| `enduser.scope` | string | Scopes or granted authorities the client currently possesses extracted from token or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). | `read:message, write:files` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | +| `enduser.scope` | string | Deprecated, no replacement at this time. | `read:message, write:files` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | diff --git a/docs/general/attributes.md b/docs/general/attributes.md index 4269db8eb1..c0d1f4b13d 100644 --- a/docs/general/attributes.md +++ b/docs/general/attributes.md @@ -396,7 +396,7 @@ These attributes may be used for any operation with an authenticated and/or auth | Attribute | Type | Description | Examples | [Requirement Level](https://opentelemetry.io/docs/specs/semconv/general/attribute-requirement-level/) | Stability | |---|---|---|---|---|---| -| [`enduser.id`](/docs/attributes-registry/enduser.md) | string | Unique identifier of an authenticated user in the system. | `` | `Recommended` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| [`enduser.id`](/docs/attributes-registry/enduser.md) | string | Unique identifier of an authenticated user in the system. | `username` | `Recommended` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | [`enduser.pseudo.id`](/docs/attributes-registry/enduser.md) | string | Pseudonymous identifier of an end user. This identifier is unique to the user but does not reveal their actual identity. | `QdH5CAWJgqVT4rOr0qtumf` | `Recommended` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | 
@@ -409,7 +409,47 @@ system. It is expected this information would be propagated unchanged from node- using the Baggage mechanism. These attributes should not be used to record system-to-system authentication attributes. -`enduser.pseudo.id` attribute can be set by a specific client component, e.g. through a cookie out of the Span's HTTP request headers. Client side application should be able to stamp this attribute on any telemetry item emitted by the application whenever this cookie is available. +Examples of where the `enduser.id` value is extracted from: + +| Authentication protocol | Field or description | +| :---------------------- | :------------------------------ | +| [HTTP Basic/Digest Authentication] | `username` | +| [OAuth 2.0 Bearer Token] | [OAuth 2.0 Client Identifier] value from `client_id` for the [OAuth 2.0 Client Credentials Grant] flow and `subject` or `username` from get token info response for other flows using opaque tokens. | +| [OpenID Connect 1.0 IDToken] | `sub` | +| [SAML 2.0 Assertion] | `urn:oasis:names:tc:SAML:2.0:assertion:Subject` | +| [Kerberos] | `PrincipalName` | + +| Framework | Field or description | +| :---------------------- | :------------------------------ | +| [JavaEE/JakartaEE Servlet] | `javax.servlet.http.HttpServletRequest.getUserPrincipal()` | +| [Windows Communication Foundation] | `ServiceSecurityContext.Current.PrimaryIdentity` | + +[SAML 2.0 Assertion]: http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html +[HTTP Basic/Digest Authentication]: https://tools.ietf.org/html/rfc2617 +[OAuth 2.0 Bearer Token]: https://tools.ietf.org/html/rfc6750 +[OAuth 2.0 Client Identifier]: https://tools.ietf.org/html/rfc6749#section-2.2 +[OAuth 2.0 Client Credentials Grant]: https://tools.ietf.org/html/rfc6749#section-4.4 +[OpenID Connect 1.0 IDToken]: https://openid.net/specs/openid-connect-core-1_0.html#IDToken +[Kerberos]: https://tools.ietf.org/html/rfc4120 +[JavaEE/JakartaEE Servlet]: 
https://jakarta.ee/specifications/platform/8/apidocs/javax/servlet/http/HttpServletRequest.html +[Windows Communication Foundation]: https://docs.microsoft.com/dotnet/api/system.servicemodel.servicesecuritycontext?view=netframework-4.8 + +Given the sensitive nature of this information, SDKs and exporters SHOULD drop these attributes by +default and then provide a configuration parameter to turn on retention for use cases where the +information is required and would not violate any policies or regulations. + +Enduser attributes capture end user identity. They are likely to contain PII and should be populated, processed, and stored with caution. +Information about the end user is usually available on the client side (in a mobile or browser application). +Enduser attributes are populated by the user application in coordination with OpenTelemetry SDK. +Some OpenTelemetry distributions auto-collect this information from HTTP cookies. +When user information is available, it's RECOMMENDED to add it to all spans and events emitted in the scope +of operation initiated by this user. + +Application in coordination with OpenTelemetry SDK and Distro MAY propagate user information from the client application +to the front end and across different backend services using custom HTTP cookies and/or [Baggage]. + +Enduser information is collected and populated manually by user application or specialized components, +other instrumentations such as HTTP or RPC are not expected to populate these attributes by default. ## General thread attributes diff --git a/model/enduser/common.yaml b/model/enduser/common.yaml index 970d8bd2bf..053dc7da87 100644 --- a/model/enduser/common.yaml +++ b/model/enduser/common.yaml @@ -2,7 +2,7 @@ groups: - id: identity type: attribute_group brief: > - These attributes may be used for any operation with an authenticated and/or authorized enduser. + Describes end user identity. attributes: - ref: enduser.id requirement_level: recommended 
diff --git a/model/enduser/deprecated/registry-deprecated.yaml b/model/enduser/deprecated/registry-deprecated.yaml index 229f9c85bd..a0a2d6ef9c 100644 --- a/model/enduser/deprecated/registry-deprecated.yaml +++ b/model/enduser/deprecated/registry-deprecated.yaml @@ -2,7 +2,7 @@ groups: - id: registry.enduser.deprecated type: attribute_group display_name: Deprecated End User Attributes - brief: "Describes deprecated end user attributes." + brief: "Describes deprecated enduser attributes." attributes: - id: enduser.role type: string @@ -14,9 +14,5 @@ groups: type: string deprecated: "Removed." stability: experimental - brief: > - Scopes or granted authorities the client currently possesses extracted from token - or application security context. The value would come from the scope associated - with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) - or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). + brief: "Deprecated, no replacement at this time." examples: 'read:message, write:files' diff --git a/model/enduser/registry.yaml b/model/enduser/registry.yaml index 7904843fbe..5146e3b432 100644 --- a/model/enduser/registry.yaml +++ b/model/enduser/registry.yaml @@ -3,16 +3,16 @@ groups: type: attribute_group display_name: End User Attributes brief: > - Describes information about the end user, which can be used as a subdomain of browser, client, or user domains. + Describes the end user. attributes: - id: enduser.id type: string brief: "Unique identifier of an authenticated user in the system." - examples: [ '' ] - stability: experimental + examples: [ 'username' ] + stability: development - id: enduser.pseudo.id type: string - stability: experimental + stability: development brief: > Pseudonymous identifier of an end user. This identifier is unique to the user but does not reveal their actual identity. examples: ['QdH5CAWJgqVT4rOr0qtumf'] 
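Review bot: `stability: experimental` is left untouched on `enduser.scope` in the second registry-deprecated.yaml hunk, while the registry.yaml hunk of the same commit moves `enduser.id` and `enduser.pseudo.id` to `stability: development`. If the rename is meant for the whole namespace, the deprecated entries should follow with `stability: development`; `enduser.role` presumably needs the same change, but its stability line lies between the two hunks and is not visible here. Leaving the two files on different values makes the generated badges disagree for attributes of one namespace.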
From a96ebb3cf117bb02b4a952c4e6902e24aab6d124 Mon Sep 17 00:00:00 2001 From: heyams Date: Thu, 23 Jan 2025 16:27:22 -0800 Subject: [PATCH 30/34] Update --- .chloggen/add_enduser_pseudo_id.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.chloggen/add_enduser_pseudo_id.yaml b/.chloggen/add_enduser_pseudo_id.yaml index ae2891ef58..bb73caaa9c 100644 --- a/.chloggen/add_enduser_pseudo_id.yaml +++ b/.chloggen/add_enduser_pseudo_id.yaml @@ -20,4 +20,4 @@ issues: [1104] # These lines will be padded with 2 spaces and then inserted directly into the document. # Use pipe (|) for multiline entries. subtext: | - The new attribute `enduser.pseudo.id` is intended to provide an unique identifier of an authenticated enduser. + The new attribute `enduser.pseudo.id` is intended to provide an unique identifier of a pseudonymous enduser. From e076c4e9b2b529504931ee9382cce83f4984a980 Mon Sep 17 00:00:00 2001 From: heyams Date: Thu, 23 Jan 2025 17:51:26 -0800 Subject: [PATCH 31/34] Update --- docs/general/attributes.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/general/attributes.md b/docs/general/attributes.md index c0d1f4b13d..4a38a7a9e6 100644 --- a/docs/general/attributes.md +++ b/docs/general/attributes.md 
@@ -440,7 +440,7 @@ information is required and would not violate any policies or regulations. Enduser attributes capture end user identity. They are likely to contain PII and should be populated, processed, and stored with caution. Information about the end user is usually available on the client side (in a mobile or browser application). -Enduser attributes are populated by the user application in coordination with OpenTelemetry SDK. +Enduser attributes are populated by the user application in coordination with OpenTelemetry SDK. Some OpenTelemetry distributions auto-collect this information from HTTP cookies. When user information is available, it's RECOMMENDED to add it to all spans and events emitted in the scope of operation initiated by this user. From a5a9229fa706fdddbfd0e6bd2497d5e77f4b663b Mon Sep 17 00:00:00 2001 From: heyams Date: Fri, 24 Jan 2025 09:24:05 -0800 Subject: [PATCH 32/34] Comment --- model/enduser/deprecated/registry-deprecated.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/model/enduser/deprecated/registry-deprecated.yaml b/model/enduser/deprecated/registry-deprecated.yaml index a0a2d6ef9c..81cdd87ee9 100644 --- a/model/enduser/deprecated/registry-deprecated.yaml +++ b/model/enduser/deprecated/registry-deprecated.yaml @@ -8,7 +8,7 @@ groups: type: string deprecated: "Removed." stability: experimental - brief: 'Actual/assumed role the client is making the request under extracted from token or application security context.' + brief: 'Deprecated, no replacement at this time.' examples: 'admin' - id: enduser.scope type: string From 109cf5f4d713e7a5600ee596637d5a04a50befd9 Mon Sep 17 00:00:00 2001 From: heyams Date: Fri, 24 Jan 2025 09:44:58 -0800 Subject: [PATCH 33/34] Comment --- model/enduser/registry.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/model/enduser/registry.yaml b/model/enduser/registry.yaml index 5146e3b432..dc070fa5e4 100644 --- a/model/enduser/registry.yaml 
+++ b/model/enduser/registry.yaml @@ -14,5 +14,5 @@ groups: type: string stability: development brief: > - Pseudonymous identifier of an end user. This identifier is unique to the user but does not reveal their actual identity. + Pseudonymous identifier of an end user. This identifier should be a random value that is not directly linked or associated with the end user's actual identity. examples: ['QdH5CAWJgqVT4rOr0qtumf'] From e2acca0160cd50a706eb239ea22dcc40faa5465a Mon Sep 17 00:00:00 2001 From: heyams Date: Fri, 24 Jan 2025 11:12:08 -0800 Subject: [PATCH 34/34] Revert a newline as it was introduced during merging conflicts --- .github/ISSUE_TEMPLATE/new-conventions.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/ISSUE_TEMPLATE/new-conventions.yaml b/.github/ISSUE_TEMPLATE/new-conventions.yaml index b361201de0..f1daf6eac4 100644 --- a/.github/ISSUE_TEMPLATE/new-conventions.yaml +++ b/.github/ISSUE_TEMPLATE/new-conventions.yaml @@ -12,6 +12,7 @@ body: and usually require a group of people who are familiar with the domain, are involved with instrumentation efforts, and are committed to be the point of contact for pull requests, issues, and questions in this area. + Creating a new issue here is a great first step to find others interested in collaborating. - type: textarea attributes:
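Review bot: The reworded `brief` for `enduser.pseudo.id` (hunk `@@ -14,5 +14,5 @@`) asks for "a random value that is not directly linked" to the identity, which still permits identifiers derived from the real one. A plain hash of a username or e-mail address, for example, can be matched again by anyone who holds the original values. The sentence also uses lowercase "should", whereas `docs/general/attributes.md` uses the RFC 2119 form (RECOMMENDED). Suggested wording: `Pseudonymous identifier of an end user. This identifier SHOULD be a random value that is not derived from the end user's actual identity and cannot be mapped back to it without a separately protected lookup.` The attribute's `- id:` line is above the hunk.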