1.13.0

Automated User Login Events for AppSec (Click to expand for more information)

Starting from ddtrace version 1.13.0, Automated User Login Events are enabled by default and currently only available for Devise.

What to expect from Automated User Login Events?

When enabled, any login or signup events will be automatically monitored. We will fill in the span with information extracted from the event.

Modes

The Automated User Login Events are configured to run in "safe" mode by default.

Safe mode focuses on preventing personally identifiable information (PII) from being reported. During safe mode, we only extract the ID from the user object. We report only IDs in the GUID format to avoid disclosing private information. In cases where IDs are not GUID, events will be reported without metadata.

Here is an example of a login event in safe mode:

{
  "appsec.events.users.login.success.track" => true,
  "usr.id" => "5ff35d04-445a-4d00-b6f1-31960153eaf6"
}

Automated User Login Events also provide an "extended" mode.

The extended mode aims to extract the maximum amount of information from the user. In extended mode, we report the ID regardless of its format and try to extract the user's email and username. Depending on the user application, we may be able to extract the user's email and username.

Here is an example of a login event in extended mode:

{
  "appsec.events.users.login.success.track" => true,
  "appsec.events.users.login.success.email" => "john@doe.com",
  "appsec.events.users.login.success.username" => "John Doe",
  "usr.id" => "5ff35d04-445a-4d00-b6f1-31960153eaf6"
}

In cases where safe or extended mode is unable to extract information, we encourage users to manually monitor user login events using our public API.

How to configure Automated User Login Events:

• Use DD_APPSEC_AUTOMATED_USER_EVENTS_TRACKING to disable or change the mode.
  • To disable, use DD_APPSEC_AUTOMATED_USER_EVENTS_TRACKING=disable.
  • To change the mode, use DD_APPSEC_AUTOMATED_USER_EVENTS_TRACKING=safe|extended.
• Add to your Datadog.configure block to configure via code:

Datadog.configure do |c|
  c.appsec.track_user_events.enabled = true | false
  c.appsec.track_user_events.mode = "safe" | "extended"
end

Configuration options are now type checked (Click to expand for details)

Starting with ddtrace 1.13, configuration values are type checked when ddtrace is starting up.

In older versions, when setting configuration via Datadog.configure, no validation was performed on values. We've found this could lead to misleading or incorrect configurations, where something seems to be accepted but then did not work as expected. To address this, type checking is now applied to make sure settings are correct.

We've tested this extensively and don't expect this to impact correct configuration setups.

But, if you do have an incorrect configuration, this will now be flagged using an ArgumentError that includes a descriptive message for the setting name and the expected type.

Alternatively, we've provided a way to skip the type checking, by setting the Environment variable DD_EXPERIMENTAL_SKIP_CONFIGURATION_VALIDATION=true. We don't recommend using this option, since it hides configuration problems and thus may lead to ddtrace misbehaving.

As usual, your feedback is welcome -- let us know if we missed anything.

(Feature added in #2983, #2987, #2998 and #2999)

Added

• Core: Add support for Option precedence (#2915)
• Core: Add support for unsetting options (#2972)
• Core: Gauge primitive RubyVM::YJIT.runtime_stats, if YJIT is enabled (#2711, #2959)
• Core: Add Telemetry app-client-configuration-change event (#2977)
• Core: Improve our SafeDup module (#2960)
• Tracing: Add OpenSearch Integration (#2940)
• Tracing: Implement peer.service tag to integrations (#2982)
• Tracing: Add mandatory rpc and grpc tags for grpc integration (#2620, #2962)
• Tracing: Include _dd.profiling.enabled tag (#2913)
• Tracing: Support host injection (#2941, #3007)
• Tracing: Implement Dynamic Configuration for tracing (#2848, #2973)
• Tracing: Add for dynamic log injection configuration (#2992)
• Tracing: Add sampling configuration with DD_TRACE_SAMPLING_RULES (#2968)
• Tracing: Add HTTP header tagging with DD_TRACE_HEADER_TAGS for clients and servers (#2946, #2935)
• Profiling: Add fallback name/invoke location for unnamed threads started in native code (#2993)
• Profiling: Use invoke location as a fallback for nameless threads in the profiler (#2950)
• Profiling: Add fallback name for main thread in profiling data (#2939)
• Ci-app: Add Minitest CI integration (#2932)
• Appsec: Devise integration and automatic user events (#2877)
• Appsec: Handle disabled tracing and appsec events (#2572)
• Appsec: Automate user events check for UUID in safe mode (#2952)
• Docs: Add Ruby 3.2 support to compatibility matrix (#2971)

Changed

• Core: Set maximum supported Ruby version (#2497)
• Core: Prevent telemetry requests from being traced (#2961)
• Core: Add env and type to Core configuration option (#2983, #2988, #2994)
• Core: Remove lazy from Core configuration option (#2931, #2999)
• Profiling: Bump libdatadog dependency to version 3 (#2948)
• Profiling: Improve error message when ddtrace_profiling_loader fails to load (#2957)
• Tracing: Improve log injection runtime conditionals (#2926, #2882)

Fixed

• Core: Fix polynomial-time regular expressions (#2814)
• Core: Fix environment variable for dynamic configuration polling interval (#2967)
• Core: Reduce remote configuration error logging noise (#3011)
• Tracing: Fix manual log injection for 128 bit trace_id (#2974)
• Tracing: Ensure the GRPC client interceptor return the response (#2928)
• Tracing: Remove dynamic input used in regular expression (#2867)
• Tracing: Fix distributed tracing header formats (#3005 )
• Profiling: Fix profiler libmysqlclient version detection with mysql2-aurora gem (#2956)
• Profiling: Automatically enable profiler "no signals" workaround for passenger web server (#2978)

Read the full changeset and the release milestone.