[chore] Move end user attributes to the registry (#844)

2024-03-27 17:48:13 +01:00 · 2024-03-27 17:48:13 +01:00 · 3adaac281c
parent 6bbc74de66
commit 3adaac281c
8 changed files with 52 additions and 26 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.yaml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yaml
@ -31,6 +31,7 @@ body:
        - area:device
        - area:disk
        - area:dns
+        - area:enduser
        - area:error
        - area:exception
        - area:faas
--- a/.github/ISSUE_TEMPLATE/change_proposal.yaml
+++ b/.github/ISSUE_TEMPLATE/change_proposal.yaml
@ -24,6 +24,7 @@ body:
        - area:device
        - area:disk
        - area:dns
+        - area:enduser
        - area:error
        - area:exception
        - area:faas
--- a/.github/ISSUE_TEMPLATE/new-conventions.yaml
+++ b/.github/ISSUE_TEMPLATE/new-conventions.yaml
@ -33,6 +33,7 @@ body:
        - area:device
        - area:disk
        - area:dns
+        - area:enduser
        - area:error
        - area:exception
        - area:faas
--- a/docs/attributes-registry/README.md
+++ b/docs/attributes-registry/README.md
@ -38,6 +38,7 @@ Currently, the following namespaces exist:
 * [Destination](destination.md)
 * [Device](device.md)
 * [Disk](disk.md)
+* [End user](enduser.md)
 * [Error](error.md)
 * [Exception](exception.md)
 * [FaaS](faas.md)
--- a/docs/attributes-registry/enduser.md
+++ b/docs/attributes-registry/enduser.md
@ -0,0 +1,10 @@
+# End User
+
+## End User Attributes
+<!-- semconv registry.enduser(omit_requirement_level) -->
+| Attribute  | Type | Description  | Examples  |
+|---|---|---|---|
+| `enduser.id` | string | Username or client_id extracted from the access token or [Authorization](https://tools.ietf.org/html/rfc7235#section-4.2) header in the inbound request from outside the system. | `username` |
+| `enduser.role` | string | Actual/assumed role the client is making the request under extracted from token or application security context. | `admin` |
+| `enduser.scope` | string | Scopes or granted authorities the client currently possesses extracted from token or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). | `read:message, write:files` |
+<!-- endsemconv -->
--- a/docs/general/attributes.md
+++ b/docs/general/attributes.md
@ -311,9 +311,9 @@ These attributes may be used for any operation with an authenticated and/or auth
 <!-- semconv identity -->
 | Attribute  | Type | Description  | Examples  | Requirement Level |
 |---|---|---|---|---|
-| `enduser.id` | string | Username or client_id extracted from the access token or [Authorization](https://tools.ietf.org/html/rfc7235#section-4.2) header in the inbound request from outside the system. | `username` | Recommended |
-| `enduser.role` | string | Actual/assumed role the client is making the request under extracted from token or application security context. | `admin` | Recommended |
-| `enduser.scope` | string | Scopes or granted authorities the client currently possesses extracted from token or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). | `read:message, write:files` | Recommended |
+| [`enduser.id`](../attributes-registry/enduser.md) | string | Username or client_id extracted from the access token or [Authorization](https://tools.ietf.org/html/rfc7235#section-4.2) header in the inbound request from outside the system. | `username` | Recommended |
+| [`enduser.role`](../attributes-registry/enduser.md) | string | Actual/assumed role the client is making the request under extracted from token or application security context. | `admin` | Recommended |
+| [`enduser.scope`](../attributes-registry/enduser.md) | string | Scopes or granted authorities the client currently possesses extracted from token or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). | `read:message, write:files` | Recommended |
 <!-- endsemconv -->

 These attributes describe the authenticated user driving the user agent making requests to the instrumented
--- a/model/general.yaml
+++ b/model/general.yaml
@ -41,33 +41,16 @@ groups:
          resource attribute of the remote service if any.
        examples: "AuthTokenCache"
  - id: identity
-    prefix: enduser
    type: span
    brief: >
      These attributes may be used for any operation with an authenticated and/or authorized enduser.
    attributes:
-      - id: id
-        type: string
-        stability: experimental
-        brief: >
-          Username or client_id extracted from the access token or
-          [Authorization](https://tools.ietf.org/html/rfc7235#section-4.2)
-          header in the inbound request from outside the system.
-        examples: 'username'
-      - id: role
-        type: string
-        stability: experimental
-        brief: 'Actual/assumed role the client is making the request under extracted from token or application security context.'
-        examples: 'admin'
-      - id: scope
-        type: string
-        stability: experimental
-        brief: >
-          Scopes or granted authorities the client currently possesses extracted from token
-          or application security context. The value would come from the scope associated
-          with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3)
-          or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html).
-        examples: 'read:message, write:files'
+      - ref: enduser.id
+        requirement_level: recommended
+      - ref: enduser.role
+        requirement_level: recommended
+      - ref: enduser.scope
+        requirement_level: recommended
  - id: thread
    type: span
    brief: >
--- a/model/registry/enduser.yaml
+++ b/model/registry/enduser.yaml
@ -0,0 +1,29 @@
+groups:
+  - id: registry.enduser
+    prefix: enduser
+    type: attribute_group
+    brief: >
+      This document defines attributes for operations with an authenticated and/or authorized enduser.
+    attributes:
+      - id: id
+        type: string
+        stability: experimental
+        brief: >
+          Username or client_id extracted from the access token or
+          [Authorization](https://tools.ietf.org/html/rfc7235#section-4.2)
+          header in the inbound request from outside the system.
+        examples: 'username'
+      - id: role
+        type: string
+        stability: experimental
+        brief: 'Actual/assumed role the client is making the request under extracted from token or application security context.'
+        examples: 'admin'
+      - id: scope
+        type: string
+        stability: experimental
+        brief: >
+          Scopes or granted authorities the client currently possesses extracted from token
+          or application security context. The value would come from the scope associated
+          with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3)
+          or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html).
+        examples: 'read:message, write:files'