From 3adaac281c21480c53dfa00db4eb7bbbbe835599 Mon Sep 17 00:00:00 2001 From: Joao Grassi <5938087+joaopgrassi@users.noreply.github.com> Date: Wed, 27 Mar 2024 17:48:13 +0100 Subject: [PATCH] [chore] Move end user attributes to the registry (#844) --- .github/ISSUE_TEMPLATE/bug_report.yaml | 1 + .github/ISSUE_TEMPLATE/change_proposal.yaml | 1 + .github/ISSUE_TEMPLATE/new-conventions.yaml | 1 + docs/attributes-registry/README.md | 1 + docs/attributes-registry/enduser.md | 10 +++++++ docs/general/attributes.md | 6 ++--- model/general.yaml | 29 +++++---------------- model/registry/enduser.yaml | 29 +++++++++++++++++++++ 8 files changed, 52 insertions(+), 26 deletions(-) create mode 100644 docs/attributes-registry/enduser.md create mode 100644 model/registry/enduser.yaml diff --git a/.github/ISSUE_TEMPLATE/bug_report.yaml b/.github/ISSUE_TEMPLATE/bug_report.yaml index 16b2187e2..4c7e81a5d 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.yaml +++ b/.github/ISSUE_TEMPLATE/bug_report.yaml @@ -31,6 +31,7 @@ body: - area:device - area:disk - area:dns + - area:enduser - area:error - area:exception - area:faas diff --git a/.github/ISSUE_TEMPLATE/change_proposal.yaml b/.github/ISSUE_TEMPLATE/change_proposal.yaml index 269d42eda..c2c40ec74 100644 --- a/.github/ISSUE_TEMPLATE/change_proposal.yaml +++ b/.github/ISSUE_TEMPLATE/change_proposal.yaml @@ -24,6 +24,7 @@ body: - area:device - area:disk - area:dns + - area:enduser - area:error - area:exception - area:faas diff --git a/.github/ISSUE_TEMPLATE/new-conventions.yaml b/.github/ISSUE_TEMPLATE/new-conventions.yaml index 8c4df4f09..311ee512c 100644 --- a/.github/ISSUE_TEMPLATE/new-conventions.yaml +++ b/.github/ISSUE_TEMPLATE/new-conventions.yaml @@ -33,6 +33,7 @@ body: - area:device - area:disk - area:dns + - area:enduser - area:error - area:exception - area:faas diff --git a/docs/attributes-registry/README.md b/docs/attributes-registry/README.md index 187f3847e..a1fb7a30f 100644 --- a/docs/attributes-registry/README.md 
+++ b/docs/attributes-registry/README.md @@ -38,6 +38,7 @@ Currently, the following namespaces exist: * [Destination](destination.md) * [Device](device.md) * [Disk](disk.md) +* [End user](enduser.md) * [Error](error.md) * [Exception](exception.md) * [FaaS](faas.md) diff --git a/docs/attributes-registry/enduser.md b/docs/attributes-registry/enduser.md new file mode 100644 index 000000000..f8be2f369 --- /dev/null +++ b/docs/attributes-registry/enduser.md @@ -0,0 +1,10 @@ +# End User + +## End User Attributes + +| Attribute | Type | Description | Examples | +|---|---|---|---| +| `enduser.id` | string | Username or client_id extracted from the access token or [Authorization](https://tools.ietf.org/html/rfc7235#section-4.2) header in the inbound request from outside the system. | `username` | +| `enduser.role` | string | Actual/assumed role the client is making the request under extracted from token or application security context. | `admin` | +| `enduser.scope` | string | Scopes or granted authorities the client currently possesses extracted from token or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). | `read:message, write:files` | + diff --git a/docs/general/attributes.md b/docs/general/attributes.md index d809f56ad..9a74f6807 100644 --- a/docs/general/attributes.md +++ b/docs/general/attributes.md 
@@ -311,9 +311,9 @@ These attributes may be used for any operation with an authenticated and/or auth | Attribute | Type | Description | Examples | Requirement Level | |---|---|---|---|---| -| `enduser.id` | string | Username or client_id extracted from the access token or [Authorization](https://tools.ietf.org/html/rfc7235#section-4.2) header in the inbound request from outside the system. | `username` | Recommended | -| `enduser.role` | string | Actual/assumed role the client is making the request under extracted from token or application security context. | `admin` | Recommended | -| `enduser.scope` | string | Scopes or granted authorities the client currently possesses extracted from token or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). | `read:message, write:files` | Recommended | +| [`enduser.id`](../attributes-registry/enduser.md) | string | Username or client_id extracted from the access token or [Authorization](https://tools.ietf.org/html/rfc7235#section-4.2) header in the inbound request from outside the system. | `username` | Recommended | +| [`enduser.role`](../attributes-registry/enduser.md) | string | Actual/assumed role the client is making the request under extracted from token or application security context. | `admin` | Recommended | +| [`enduser.scope`](../attributes-registry/enduser.md) | string | Scopes or granted authorities the client currently possesses extracted from token or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). 
| `read:message, write:files` | Recommended | These attributes describe the authenticated user driving the user agent making requests to the instrumented diff --git a/model/general.yaml b/model/general.yaml index ec38d6e8d..23ec6cd32 100644 --- a/model/general.yaml +++ b/model/general.yaml @@ -41,33 +41,16 @@ groups: resource attribute of the remote service if any. examples: "AuthTokenCache" - id: identity - prefix: enduser type: span brief: > These attributes may be used for any operation with an authenticated and/or authorized enduser. attributes: - - id: id - type: string - stability: experimental - brief: > - Username or client_id extracted from the access token or - [Authorization](https://tools.ietf.org/html/rfc7235#section-4.2) - header in the inbound request from outside the system. - examples: 'username' - - id: role - type: string - stability: experimental - brief: 'Actual/assumed role the client is making the request under extracted from token or application security context.' - examples: 'admin' - - id: scope - type: string - stability: experimental - brief: > - Scopes or granted authorities the client currently possesses extracted from token - or application security context. The value would come from the scope associated - with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) - or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). - examples: 'read:message, write:files' + - ref: enduser.id + requirement_level: recommended + - ref: enduser.role + requirement_level: recommended + - ref: enduser.scope + requirement_level: recommended - id: thread type: span brief: > diff --git a/model/registry/enduser.yaml b/model/registry/enduser.yaml new file mode 100644 index 000000000..656f36d68 --- /dev/null +++ b/model/registry/enduser.yaml 
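Review bot: The three `ref:` entries in the `identity` group keep `requirement_level: recommended`, which means `enduser.id` — a username or client_id, i.e. personal data — is expected to be emitted by default; the previous inline definitions also said Recommended, so this is carried over rather than introduced, but the move is a natural moment to reconsider it. If the registry tooling supports it, `requirement_level: opt_in` for `enduser.id` (and arguably `enduser.role` / `enduser.scope`) would make instrumentations default to not recording the identity until an operator enables it. At minimum a `note:` on the group explaining that these values are PII and may need to be dropped or hashed before export would help implementers. The `thread` group that follows begins at the end of this hunk but its body continues outside it.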
@@ -0,0 +1,29 @@ +groups: + - id: registry.enduser + prefix: enduser + type: attribute_group + brief: > + This document defines attributes for operations with an authenticated and/or authorized enduser. + attributes: + - id: id + type: string + stability: experimental + brief: > + Username or client_id extracted from the access token or + [Authorization](https://tools.ietf.org/html/rfc7235#section-4.2) + header in the inbound request from outside the system. + examples: 'username' + - id: role + type: string + stability: experimental + brief: 'Actual/assumed role the client is making the request under extracted from token or application security context.' + examples: 'admin' + - id: scope + type: string + stability: experimental + brief: > + Scopes or granted authorities the client currently possesses extracted from token + or application security context. The value would come from the scope associated + with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) + or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). + examples: 'read:message, write:files'
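Review bot: The `brief` for `id` says the value is extracted from the access token or the Authorization header but never says that the token or header itself must not be recorded; since this registry text is what instrumentation authors read, an explicit caveat is worth adding, e.g. a `note: >` on the `id` attribute reading `Only the extracted identifier is recorded; the access token, the Authorization header value or any other credential MUST NOT be set as an attribute value.` The `scope` example `'read:message, write:files'` uses a comma separator, while the RFC 6749 §3.3 scope it links to is space-delimited — either the example should use a space, or the brief should state that the value is the scope string as it appears in the token so consumers do not assume a particular delimiter. Both points are documentation-only; the new file is otherwise a faithful move of the definitions that general.yaml dropped.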