Closed katylava closed 7 years ago
Our motivation has to do with a strong policy around protecting user data. We want our logging aggregation systems (we're using loggly) to be accessible to developers and front-line support but we also want to be able to say that we don't share user data with anyone, including internal employees.
One of the ways that user data leaks out of a system is if a developer includes it in a log. For example, if we decided that a user's name was sensitive, we'd want to ensure that our logs contained an opaque user_id
, never the user name.
The implementation approaches this in two ways:
extra
dictionary)extra
dictionaryNote that this doesn't prevent developers from doing something like:
extra=dict(
user_id=user.name,
)
But at least once you get to that point you have a straightforward story around code review, PRs, documented policies, and common sense that will hold up to scrutiny.
Thanks, that is very helpful.
Can I get some background on how this helps. Especially with regards to using the whitelist feature -- it seems weird to have to whitelist every variable you want to log for context. I'm thinking of implementing this extension in one of my work projects, but I would need to justify it.