Add filtering capabilities for Sidekiq job argument collection

[hannahramadan]

The agent's Sidekiq instrumentation has the ability to capture Sidekiq job arguments, which become attributes on transaction traces and traced errors. By default, this configuration option is turned off in case job arguments contain sensitive information (docs). This feature can be turned on by adding the string job.sidekiq.args.* to the attributes.include array inside newrelic.yml.

The current implementation offers an all-or-nothing approach—either all job arguments are captured or none are. job.sidekiq.args.* is the only Sidekiq-related value that attributes.include respects, and any added to attributes.exclude are ignored.

newrelic-ruby-agent/lib/new_relic/agent/instrumentation/sidekiq/server.rb

Lines 20 to 25 in 7f38c1d

	perform_action_with_newrelic_trace(trace_args) do
	NewRelic::Agent::Transaction.merge_untrusted_agent_attributes(msg['args'], :'job.sidekiq.args',
	NewRelic::Agent::AttributeFilter::DST_NONE)
	::NewRelic::Agent::DistributedTracing::accept_distributed_trace_headers(trace_headers, 'Other') if ::NewRelic::Agent.config[:'distributed_tracing.enabled'] && trace_headers&.any?
	yield

We should explore adding more advanced filtering capabilities to give customers greater control over which Sidekiq job arguments should or shouldn't be collected.

[workato-integration]

https://issues.newrelic.com/browse/NR-148385

[fallwith]

The capabilities requested will be available in the next agent release.

[fallwith]

The changes delivered by #2177 are now generally available in v9.5.0 of the Ruby agent available for download from RubyGems.org.

[lcmen]

@fallwith thank you for this. Quick question: with this new feature in place, does attributes.exclude support regex expressions the same way as sidekiq.args.exclude?

I would like to exclude sending sensitive parameters (e.g. request.parameters.user.password, request.parameters.employee.password, etc.) with single regex. However exclude option with request.parameters.*password$ does not work for me on the latest release. (documentation mentions only wildcard support like request.parameters.users.*).

[fallwith]

@fallwith thank you for this. Quick question: with this new feature in place, does attributes.exclude support regex expressions the same way as sidekiq.args.exclude?

I would like to exclude sending sensitive parameters (e.g. request.parameters.user.password, request.parameters.employee.password, etc.) with single regex. However exclude option with request.parameters.*password$ does not work for me on the latest release. (documentation mentions only wildcard support like request.parameters.users.*).

Hi @lcmen. The attributes.exclude functionality was not updated with the new v9.5.0 gem release, so attributes.exclude continues to only support the wildcard (*) functionality you referenced and not regex.

As of v9.5.0 regex support for filtering is limited to the Ruby specific Sidekiq and Stripe instrumentation. We wanted to be very careful to not alter existing attributes.include and attributes.exclude functionality to avoid breaking compatibility with existing Ruby customer usage and to maintain alignment of their functionality with New Relic agents in other languages for consistency in multilingual environments.

Based on the feedback and usage of the new regex filtering for Sidekiq and Stripe, we may very well bring regex filtering to other parts of the agent. The regex support for those two instrumentations works in conjunction with the attributes.include and attributes.exclude functionality with both filters being respected, so it's possible that we could do something similar in future for request parameters by adding an extra, regex based layer of filtering in the same way.

If you'd like to see that or anything else done with the agent, we welcome feature requests (link: create a feature request) and PRs here in GitHub.

I appreciate your reaching out, thanks!

[lcmen]

@fallwith thank you for such detailed explenation. I really appreciate that 🙇 .