open-feature / ofep

A focal point for OpenFeature research, proposals and requests for comments
https://openfeature.dev

OFEP: surfacing flag metadata #35

Closed moredip closed 1 year ago

moredip commented 1 year ago

This is still an early draft - opening up a PR for discussion

dabeeeenster commented 1 year ago

I wonder if it is worth making preparations for secure/sensitive and non-secure/benign meta data? Something like an evaluation timestamp might be treated in a different way to a management or internal system URL. My worry would be that sensitive metadata then starts getting logged/surfaced without the knowledge or explicit approval of the developer.

I've not used OpenTelemetry - does it handle this sort of thing or not?

moredip commented 1 year ago

> I wonder if it is worth making preparations for secure/sensitive and non-secure/benign meta data? Something like an evaluation timestamp might be treated in a different way to a management or internal system URL. My worry would be that sensitive metadata then starts getting logged/surfaced without the knowledge or explicit approval of the developer.
>
> I've not used OpenTelemetry - does it handle this sort of thing or not?

AFAIK otel doesn't support this feature, and IIRC it actually causes some security issues with baggage that is accidentally propagated outside of internal otel tooling into 3rd party systems. For example, you call into a SaaS provider's APIs, and you get back a response with baggage describing the internal state of their system 😬

However, I still feel that this is really more the responsibility of the provider to decide whether it should send sensitive metadata to the client or not. For client-side code anything you put on the wire is going to be available regardless, so seems to me that as a provider you'd be forced to just never put that metadata on the wire.
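
The logging concern discussed above, as an added example that is not part of this thread or of any OpenFeature SDK: a deny-by-default filter that lets only explicitly approved metadata keys reach a log record and notes the names (never the values) of everything it held back. It assumes flag metadata is a flat object of string, number and boolean values; the helper names, key names and sample values are constructed for illustration.

```javascript
// Added example: deny-by-default filtering of flag metadata before logging.
// Assumption: flag metadata is a flat object of string/number/boolean values.
// All key names and sample values below are constructed for illustration.

// Keys the application team has explicitly approved for logs and telemetry.
const LOGGABLE_KEYS = new Set(["evaluatedAt", "flagVersion"]);

// Hypothetical helper: split metadata into what may be emitted and what is held back.
function partitionMetadata(metadata, allowedKeys = LOGGABLE_KEYS) {
  const emitted = {};
  const withheld = [];
  for (const [key, value] of Object.entries(metadata ?? {})) {
    const scalar = ["string", "number", "boolean"].includes(typeof value);
    if (allowedKeys.has(key) && scalar) {
      emitted[key] = value;
    } else {
      // Record only the key name, never the value, so the drop stays auditable.
      withheld.push(key);
    }
  }
  return { emitted, withheld: withheld.sort() };
}

// Hypothetical logging step, as an after-evaluation hook might perform it.
function buildLogRecord(flagKey, metadata) {
  const { emitted, withheld } = partitionMetadata(metadata);
  return { flagKey, metadata: emitted, withheldKeys: withheld };
}

// Constructed sample: a benign timestamp next to an internal management URL.
const sampleMetadata = {
  evaluatedAt: "2023-01-01T00:00:00Z",
  flagVersion: 7,
  managementUrl: "https://flags.internal.example/admin/flags/new-checkout",
  owner: { team: "payments" }, // nested value, not a scalar: withheld
};

const record = buildLogRecord("new-checkout", sampleMetadata);
console.log(JSON.stringify(record));
```

A filter like this only protects server-side log and telemetry sinks; it does nothing for metadata a provider has already sent to a client.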

beeme1mr commented 1 year ago

@moredip, would you be able to resolve the conversations that have been addressed? I would like to address any outstanding concerns and try and get this merged soon.

moredip commented 1 year ago

> @moredip, would you be able to resolve the conversations that have been addressed? I would like to address any outstanding concerns and try and get this merged soon.

@beeme1mr I marked all conversations here as resolved. LMK if there's anything else you need me to do from my end to move this forward.

toddbaert commented 1 year ago

I really like the proposal as well. I think the same flag metadata might also be optionally provided in events, such as ConfigurationChanged events mentioned in the eventing OFEP as well.