RUBY-3831 Skip OpenTelemetry command spans for sensitive commands#3038
Merged
comandeo-mongo merged 1 commit intomongodb:masterfrom May 7, 2026
Merged
Conversation
The OpenTelemetry tracing spec requires drivers to skip command spans for sensitive commands listed in the Command Logging and Monitoring spec, so that auth payloads (SCRAM proofs, cleartext passwords, saslStart/saslContinue payloads, speculativeAuthenticate) are never emitted as span attributes. Reuses Mongo::Monitoring::Event::Secure for the redaction set. Hello / legacy hello commands are also skipped to keep handshake traffic out of traces.
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the driver’s OpenTelemetry command tracing to avoid creating any command spans for sensitive/authentication-related commands (per spec security requirements), and to also omit hello/legacy handshake commands from tracing to prevent noisy/irrelevant spans and any risk of credential leakage via span attributes (notably db.query.text).
Changes:
- Short-circuit
CommandTracer#trace_commandto skip span creation entirely for sensitive commands (using the existingMongo::Monitoring::Event::Securesensitive-command logic) and always skiphello/ismaster/isMaster. - Add spec coverage asserting no spans/context are created for sensitive and hello/legacy hello commands while still yielding and returning the block result.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| lib/mongo/tracing/open_telemetry/command_tracer.rb | Skip OpenTelemetry command spans for sensitive commands and for hello/legacy hello, while still executing the command block. |
| spec/mongo/tracing/open_telemetry/command_tracer_spec.rb | Add tests confirming spans and OTEL context are not entered for skipped commands, and that the traced block still runs/returns normally. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
jamis
approved these changes
May 5, 2026
This was referenced May 7, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
RUBY-3831.
The OpenTelemetry command tracer JSON-serialized the entire command body into the
db.query.textspan attribute (excluding onlylsid,$db,$clusterTime,signature). Auth commands (saslStart,saslContinue,createUser,updateUser, …) carry SCRAM proofs and cleartext passwords, so enablingOTEL_RUBY_INSTRUMENTATION_MONGODB_QUERY_TEXT_MAX_LENGTH > 0would have leaked credentials to any tracing backend.Per the OpenTelemetry tracing spec (
specifications/source/open-telemetry/open-telemetry.mdlines 216-217 and the Security Implication section), drivers MUST NOT create a command span for sensitive commands at all — attribute-level redaction is not enough. The sensitive list is the same one already enforced byMongo::Monitoring::Event::Secure.Changes
lib/mongo/tracing/open_telemetry/command_tracer.rb: includeMongo::Monitoring::Event::Secureand short-circuittrace_commandwhen the command is sensitive (no span is created, the block still runs and its return value is propagated). Also skiphello/ legacyhelloregardless ofspeculativeAuthenticate— handshake/heartbeat traffic does not belong in traces.spec/mongo/tracing/open_telemetry/command_tracer_spec.rb: add coverage asserting thatstart_spanandOpenTelemetry::Trace.with_spanare NOT invoked for each sensitive command, forhello/ismaster/isMasterwith and withoutspeculativeAuthenticate, while the block still runs and its result is returned.Test plan
bundle exec rubocop lib/mongo/tracing/open_telemetry/command_tracer.rb spec/mongo/tracing/open_telemetry/command_tracer_spec.rb— cleanMONGODB_URI=mongodb://localhost:27017,localhost:27018,localhost:27019/ bundle exec rspec spec/mongo/tracing/open_telemetry/command_tracer_spec.rb— 115 examples, 0 failuresMONGODB_URI=… bundle exec rspec spec/mongo/tracing/open_telemetry/operation_tracer_spec.rb— 45 examples, 0 failures (regression check)