| 1 | +# Handle Untrusted Requests |
| 2 | + |
| 3 | +This document is about how to handle untrusted requests for trace and tags. |
| 4 | + |
| 5 | +## What is an untrusted request? |
| 6 | +An untrusted request refers to a request coming from an external untrusted source (e.g. external |
| 7 | +customer request). |
| 8 | + |
| 9 | +## How does OpenCensus know if a request is trusted or not? |
| 10 | +The OpenCensus library does not have a mechanism to determine if an incoming request is trusted |
| 11 | +or not, because of this the application owner should configure the library accordingly. |
| 12 | + |
| 13 | +The OpenCensus library should allow to configure this information in the server plugins (grpc, |
| 14 | +http) for each server instance. |
| 15 | + |
| 16 | +## Why not trusting all the requests? |
| 17 | +For trace we do not trust the incoming requests (trace headers) because: |
| 18 | +* Users can send always sampled requests all the time (by mistake, or malicious user). |
| 19 | +* Users can send always the same trace id (e.g. malicious user). |
| 20 | + |
| 21 | +For tags we do not trust the incoming requests (tags headers) because: |
| 22 | +* Users can send PII data (by mistake). |
| 23 | +* Users can send garbage data (e.g. malicious user). |
| 24 | + |
| 25 | +These are only few examples why trusting the incoming trace and tags headers may cause problems |
| 26 | +when the request comes from an untrusted client. |
| 27 | + |
| 28 | +## What to do with trace headers from an untrusted request? |
| 29 | +When received an untrusted request the library should do the following: |
| 30 | +* Start a new trace (generate a new trace id) and apply the default sampling rate or allow users |
| 31 | +to configure the sampling rate (downside of allowing users to set a specific sampling rate is the |
| 32 | +fact that they cannot change this easily at runtime via [TraceConfig](../trace/TraceConfig.md)). |
| 33 | +* Use the incoming trace header (trace_id, span_id) to record a [Link][SpanDataModel] to the newly |
| 34 | +created `Span`. |
| 35 | + |
| 36 | +Because of the lower probability to have both incoming request and the the newly generated trace |
| 37 | +sampled at the same time, the library should have a way to pass the trusting information to the |
| 38 | +`Sampler` interface to allow users to implement smart Samplers (e.g. high sampling probability if |
| 39 | +the incoming untrusted request is sampled). |
| 40 | + |
| 41 | +// DO_NOT_SUBMIT: take feedback what is better 2 default samplers in TraceConfig (one for trusted |
| 42 | +ond for untrusted) or pass the untrusted bit to the sampler (this may have the problem that |
| 43 | +ProbabilitySamplers will have multiple sampled probabilities 1 for trusted requests 1 for |
| 44 | +untrusted sampled requests 1 for untrusted not-sampled requests). |
| 45 | + |
| 46 | +## What to do with tags headers from an untrusted request? |
| 47 | +The simplest solution to implement is to drop all the incoming tags, but there may be cases where |
| 48 | +users may want to propagate only some of the tags. The initial version of this should simply drop |
| 49 | +all the tags, but later when better filters are defined the library should allow users to |
| 50 | +configure what tags to accept. |
| 51 | + |
| 52 | +[SpanDataModel]: https://github.com/census-instrumentation/opencensus-proto/blob/master/opencensus/proto/trace/trace.proto |
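Review bot: the `// DO_NOT_SUBMIT:` paragraph in the "What to do with trace headers from an untrusted request?" section is a working note and must not land in the published spec; either resolve the question (two default samplers in `TraceConfig` vs. passing an untrusted bit to the `Sampler`) or rewrite it as an explicitly labelled open question, and in either case fix "ond" to "one". Two smaller points in the same file: "the the newly generated trace" has a duplicated word, and the `[Link][SpanDataModel]` reference resolves to the whole `trace.proto` file rather than to the `Link` message, so a sentence naming the message (or an anchor) would make the intended data model unambiguous. In the tags section it would also help to say outright that dropping all incoming tags is the safe default for untrusted requests rather than only the "simplest" one, since the earlier section already gives the reasons (PII and garbage data).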