Problem:
We need to be GDPR compliant so the user ID must not be stored in observability data (neither cloud logging nor SAP Cloud ALM). Would it be possible in addition to otel.resource.disabled.keys to add a configuration option for spans and the user@id field? I guess this is a standard problem, which nearly every project will face.
Details:
For some of our spans in our traces contains span.attributes.user@id populated with the authenticated user's ID (XSUAA JWT subject). Example span (JDBC client, instrumentationScope.name: io.opentelemetry.jdbc):
"span.attributes.user@id": "I51xxx",
"span.attributes.db@statement": "SELECT ...",
"span.attributes.db@system": "hanadb"
The attribute appears on different span kinds (SERVER, CLIENT, INTERNAL) across different instrumentation scopes — Tomcat, JDBC, java-http-client. The CDS instrumentation scope (com.sap.cds) is the only one that doesn't carry it. This suggests the SAP
extension reads the user from the inbound JWT and propagates it into all child spans via context.
Setup
We're running a Spring Boot 3.5 / CAP Java app on SAP BTP Cloud Foundry with the SAP Java Buildpack. The buildpack automatically attaches the OpenTelemetry Java agent alongside its proprietary extension:
-javaagent:META-INF/.sap_java_buildpack/otel_agent/opentelemetry-javaagent.jar
-Dotel.javaagent.extensions=META-INF/.sap_java_buildpack/otel_agent_extension/otel-agent-ext-java.jar
Traces are exported to SAP Cloud Logging (otel.traces.exporter=cloud-logging), distro version 2.27 and to SAP CALM.
Alternative Solution
We would need to implement a custom span processor, store it centrally as a jar and then add it to all our CAP projects / pipelines. As we assume many customers and internal stake holder will encounter this issue we want to raise the awareness and ask if it could be solved centrally.
SAP Internal STACK Question
No.: 93716, Title: How to suppress user@id span attribute injected by SAP Java Buildpack OTEL extension (otel-agent-ext-java)
Problem:
We need to be GDPR compliant so the user ID must not be stored in observability data (neither cloud logging nor SAP Cloud ALM). Would it be possible in addition to otel.resource.disabled.keys to add a configuration option for spans and the user@id field? I guess this is a standard problem, which nearly every project will face.
Details:
For some of our spans in our traces contains span.attributes.user@id populated with the authenticated user's ID (XSUAA JWT subject). Example span (JDBC client, instrumentationScope.name: io.opentelemetry.jdbc):
"span.attributes.user@id": "I51xxx",
"span.attributes.db@statement": "SELECT ...",
"span.attributes.db@system": "hanadb"
The attribute appears on different span kinds (SERVER, CLIENT, INTERNAL) across different instrumentation scopes — Tomcat, JDBC, java-http-client. The CDS instrumentation scope (com.sap.cds) is the only one that doesn't carry it. This suggests the SAP
extension reads the user from the inbound JWT and propagates it into all child spans via context.
Setup
We're running a Spring Boot 3.5 / CAP Java app on SAP BTP Cloud Foundry with the SAP Java Buildpack. The buildpack automatically attaches the OpenTelemetry Java agent alongside its proprietary extension:
-javaagent:META-INF/.sap_java_buildpack/otel_agent/opentelemetry-javaagent.jar
-Dotel.javaagent.extensions=META-INF/.sap_java_buildpack/otel_agent_extension/otel-agent-ext-java.jar
Traces are exported to SAP Cloud Logging (otel.traces.exporter=cloud-logging), distro version 2.27 and to SAP CALM.
Alternative Solution
We would need to implement a custom span processor, store it centrally as a jar and then add it to all our CAP projects / pipelines. As we assume many customers and internal stake holder will encounter this issue we want to raise the awareness and ask if it could be solved centrally.
SAP Internal STACK Question
No.: 93716, Title: How to suppress user@id span attribute injected by SAP Java Buildpack OTEL extension (otel-agent-ext-java)