jessemyers
commented
7 years ago Our motivation has to do with a strong policy around protecting user data. We want our logging aggregation systems (we're using loggly) to be accessible to developers and front-line support but we also want to be able to say that we don't share user data with anyone, including internal employees.
One of the ways that user data leaks out of a system is if a developer includes it in a log. For example, if we decided that a user's name was sensitive, we'd want to ensure that our logs contained an opaque user_id, never the user name.
The implementation approaches this in two ways:
- By trying to prevent the use of string concatenation in logs (vs explicit variable passing in the standard logging
extradictionary) - By providing an (optional) mechanism for whitelisting which field names may appear in the
extradictionary
Note that this doesn't prevent developers from doing something like:
extra=dict(
user_id=user.name,
)But at least once you get to that point you have a straightforward story around code review, PRs, documented policies, and common sense that will hold up to scrutiny.
katylava
Can I get some background on how this helps. Especially with regards to using the whitelist feature -- it seems weird to have to whitelist every variable you want to log for context. I'm thinking of implementing this extension in one of my work projects, but I would need to justify it.