-
Notifications
You must be signed in to change notification settings - Fork 128
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow certain response headers coming from AzurePipelinesCredential to be logged #5992
Comments
QQ: Which customers are asking for this and what are the semantics of these two headers? If this is only a single customer, would it be better to allow the customer to add them to the allow list themselves rather than making a global change which affects all customers? |
This is coming from the Azure Pipelines team, since that info is useful for them to track down and debug service issues or questions that customers might report. Most logging of the SDK is there to provide sufficient information to service teams and CSAs to help troubleshoot issues that customers might report, so such requests don't typically come directly from end customers. In this case, we don't expect or want end users to have to enable logging of certain headers that are necessary for troubleshooting, after an issue has occurred, retry repro-ing, and submitting more info. This isn't a customer facing customization. For headers that are safe to log, and are necessary for troubleshooting, it is a good idea to log them pre-emptively. The service team can better answer the question about what the header semantics are, but I don't think that detail is necessary for our purposes (and could vary from service to service). The open questions we're diving into with the service team, are:
That said, we could consider allowing these headers to be logged only in identity, or only for this credential type by having the internal implementation add to the loggable headers, rather than adding them to the global list of headers that are logged by all SDK clients. |
In general, I'm quite leery of adding service-specific headers to the set of global inclusions. This is explicitly why we allow service clients (and identity clients fall into this category) to specify service client specific exceptions. Storage does this extensively example. |
These two response headers are useful for the service team to debug and diagnose issues, and hence it is requested that we do log them. For example, the e2e id is needed to understand the behavior observed in #5786 / #5875
We decided, other than logging them, to also add these header values to the exception message that is thrown, so they are always visible, even with logging disabled.
Given our logged headers are based on an allow list, currently these two headers are REDACTED.
azure-sdk-for-cpp/sdk/core/azure-core/src/http/log_policy.cpp
Lines 73 to 105 in 639fc9f
The open questions we're diving into with the service team, are:
x-vss-e2eid
,activityid
,x-msedge-ref
,x-tfs-session
x-vss-e2eid
,x-msedge-ref
x-vss-*
headers safe to log and ones only used/needed by them?x-vss-e2eid
is used by ADO, butx-msedge-ref
andactivityid
might be used by others.Tracking issues across languages:
Azure/azure-sdk-for-net#45993
Azure/azure-sdk-for-java#41871
Azure/azure-sdk-for-go#23444
Azure/azure-sdk-for-js#31130
Azure/azure-sdk-for-python#37412
cc @manolerazvan, @geekzter, @kboom
The text was updated successfully, but these errors were encountered: