Obfuscate personal data in Prometheus (#2029)

* Introduce personal data censoring * Update values.yaml * Guard censored flows iteration * Fix env passing * Loop improvement
kyma-incubator · Sep 23, 2021 · 1c732d9 · 1c732d9
1 parent 230dc7f
commit 1c732d9
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 2 deletions.
diff --git a/chart/compass/charts/director/templates/deployment.yaml b/chart/compass/charts/director/templates/deployment.yaml
@@ -75,6 +75,8 @@ spec:
               value: "0.0.0.0:{{ .Values.global.director.metrics.port }}"
             - name: APP_METRICS_ENABLE_CLIENT_ID_INSTRUMENTATION
               value: "{{ .Values.global.director.metrics.enableClientInstrumentation }}"
+            - name: APP_METRICS_CENSORED_FLOWS
+              value: "{{ .Values.global.director.metrics.censoredFlows }}"
             - name: APP_PLAYGROUND_API_ENDPOINT
               value: "{{ .Values.global.director.prefix }}/graphql"
             - name: APP_JWKS_ENDPOINT

diff --git a/chart/compass/values.yaml b/chart/compass/values.yaml
@@ -75,7 +75,7 @@ global:
       version: "PR-2003"
     director:
       dir:
-      version: "PR-2026"
+      version: "PR-2029"
     gateway:
       dir:
       version: "PR-2003"
@@ -131,6 +131,7 @@ global:
     metrics:
       port: 3003
       enableClientInstrumentation: true
+      censoredFlows: "JWT"
     operations:
       port: 3002
       path: "/operation"

diff --git a/components/director/internal/metrics/collector.go b/components/director/internal/metrics/collector.go
@@ -1,6 +1,8 @@
 package metrics
 
 import (
+	"crypto/sha256"
+	"fmt"
 	"net/http"
 
 	"github.com/prometheus/client_golang/prometheus"
@@ -9,7 +11,8 @@ import (
 
 // Config configures the behaviour of the metrics collector.
 type Config struct {
-	EnableClientIDInstrumentation bool `envconfig:"default=true,APP_METRICS_ENABLE_CLIENT_ID_INSTRUMENTATION"`
+	EnableClientIDInstrumentation bool     `envconfig:"default=true,APP_METRICS_ENABLE_CLIENT_ID_INSTRUMENTATION"`
+	CensoredFlows                 []string `envconfig:"APP_METRICS_CENSORED_FLOWS"`
 }
 
 // Collector missing godoc
@@ -99,6 +102,16 @@ func (c *Collector) InstrumentClient(clientID, authFlow, details string) {
 		return
 	}
 
+	if len(c.config.CensoredFlows) > 0 {
+		for _, censoredFlow := range c.config.CensoredFlows {
+			if authFlow == censoredFlow {
+				clientIDHash := sha256.Sum256([]byte(authFlow))
+				clientID = fmt.Sprintf("%x", clientIDHash)
+				break
+			}
+		}
+	}
+
 	c.clientTotal.With(prometheus.Labels{
 		"client_id": clientID,
 		"auth_flow": authFlow,