feat: add SuggestionRequest to tracing logs #179
Conversation
I'm a little skiddish about this, because search terms are VERY sensitive information, but I understand the need for it for testing. |
I totally understand it and share the concern! It would be interesting to hear from @mythmon how he thought about using this feature. Also please note that search queries are already leaked (if I'm not wrong).
I believe we can do either or both! :-D Maybe we could only allow this if we're in 'debug' mode, or add a check in the deployment logic to fail deployment on prod if this is turned on? @mythmon , what do you think of this feature? Did you expect it to behave differently when writing the ticket? |
This is not a testing feature. We are intentionally planning to log these in production for real users. They are very sensitive, but we are going to be treating all of Merino's logs as sensitive, and handling them appropriately. In short, the data pipeline is going to consume these logs, sanitize them, and aggregate them in a very tightly controlled environment. |
Ah. In that case, we might want to add that as a comment above the option description, ideally with pointers to the code where we sanitize the logs. We're building trust, so we should be certain to provide a way to verify. |
Ah, I thought we settled for the all-but-search queries as sensitive, so that engineers could use non sensitive logs to help debug? |
It's still up in the air, but I expect we will have sanitized versions of these logs that engineers can use to debug that are still representative of user behavior. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This new setting should be added to the Operational documentation in docs/ops.md
.
While the object is always logged in the tracing logs, the log_full_request setting controls whether or not to log the query string as well or replace it with an empty string.
3ec64e0
to
803ff69
Compare
While the object is always logged in the tracing logs, the log_full_request setting controls whether or not to log the query string as well or replace it with an empty string.
Important note: this PR additionally adds
request
to the skip list of the tracing instrument, since the Http request would end up logging the raw query string from there.With the option off (default):
With the option on:
Fixes #171