open-telemetry · heyams · Oct 7, 2024 · Oct 7, 2024 · Oct 7, 2024 · Oct 7, 2024
diff --git a/.chloggen/add_authentication_enduser_subnamespace.yaml b/.chloggen/add_authentication_enduser_subnamespace.yaml
@@ -0,0 +1,25 @@
+# Use this changelog template to create an entry for release notes.
+#
+# If your change doesn't affect end users you should instead start
+# your pull request title with [chore] or use the "Skip Changelog" label.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the area of concern in the attributes-registry, (e.g. http, cloud, db)
+component: enduser
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: introduce subnamespace `enduser.authentication` with new attributes `enduser.authentication.id`, `enduser.authentication.role`, and `enduser.authentication.scope`.
+
+# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
+# The values here must be integers.
+issues: [1104]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext: |
+  The `enduser.authentication` subnamespace is intended to describe the authentication information of the end user.
+  The new attributes are intended to provide information about the authenticated user in the system,
+  the role the client is making the request under, and the scopes or granted authorities the client currently possesses.
@@ -23,6 +23,7 @@ body:
         - area:android
         - area:artifact
         - area:aspnetcore
+        - area:authentication
         - area:aws
         - area:azure
         - area:browser
@@ -41,6 +42,7 @@ body:
         - area:disk
         - area:dns
         - area:dotnet
+        - area:enduser
         - area:error
         - area:event
         - area:exception

@@ -15,6 +15,7 @@ body:
         - area:android
         - area:artifact
         - area:aspnetcore
+        - area:authentication
         - area:aws
         - area:azure
         - area:browser
@@ -33,6 +34,7 @@ body:
         - area:disk
         - area:dns
         - area:dotnet
+        - area:enduser
         - area:error
         - area:event
         - area:exception

@@ -24,6 +24,7 @@ body:
         - area:android
         - area:artifact
         - area:aspnetcore
+        - area:authentication
         - area:aws
         - area:azure
         - area:browser
@@ -42,6 +43,7 @@ body:
         - area:disk
         - area:dns
         - area:dotnet
+        - area:enduser
         - area:error
         - area:event
         - area:exception

diff --git a/docs/attributes-registry/README.md b/docs/attributes-registry/README.md
@@ -34,6 +34,7 @@ Currently, the following namespaces exist:
 - [Android](android.md)
 - [Artifact](artifact.md)
 - [Aspnetcore](aspnetcore.md)
+- [Authentication](authentication.md)
 - [AWS](aws.md)
 - [Azure](azure.md)
 - [Browser](browser.md)

diff --git a/docs/attributes-registry/authentication.md b/docs/attributes-registry/authentication.md
@@ -0,0 +1,15 @@
+<!--- Hugo front matter used to generate the website version of this page:
+--->
+
+<!-- NOTE: THIS FILE IS AUTOGENERATED. DO NOT EDIT BY HAND. -->
+<!-- see templates/registry/markdown/attribute_namespace.md.j2 -->
+
+# Authentication
+
+## Authentication Attributes
+
+"Describes the authentication information of an authenticated user."
+
+| Attribute           | Type   | Description                                               | Examples                                           | Stability                                                        |
+| ------------------- | ------ | --------------------------------------------------------- | -------------------------------------------------- | ---------------------------------------------------------------- |
+| `authentication.id` | string | Unique identifier of an authenticated user in the system. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
@@ -6,12 +6,13 @@
 
 # Enduser
 
-## Deprecated End User Attributes
+## End User Attributes
 
-Describes deprecated enduser attributes. Complete enduser namespace has been deprecated
+Describes information about the end user, which can be used as a subdomain of browser, client, or user domains.
 
-| Attribute       | Type   | Description                              | Examples                    | Stability                                                                                          |
-| --------------- | ------ | ---------------------------------------- | --------------------------- | -------------------------------------------------------------------------------------------------- |
-| `enduser.id`    | string | Deprecated, use `user.id` instead.       | `username`                  | ![Deprecated](https://img.shields.io/badge/-deprecated-red)<br>Replaced by `user.id` attribute.    |
-| `enduser.role`  | string | Deprecated, use `user.roles` instead.    | `admin`                     | ![Deprecated](https://img.shields.io/badge/-deprecated-red)<br>Replaced by `user.roles` attribute. |
-| `enduser.scope` | string | Deprecated, no replacement at this time. | `read:message, write:files` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)<br>Removed.                            |
+| Attribute           | Type   | Description                                                                                                                                                                                                                                                                                                                                                                             | Examples                                           | Stability                                                        |
+| ------------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------- | ---------------------------------------------------------------- |
+| `authentication.id` | string | Unique identifier of an authenticated user in the system.                                                                                                                                                                                                                                                                                                                               | `S-1-5-21-202424912787-2692429404-2351956786-1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `enduser.id`        | string | Identifier of an end user who interacts with a system. This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system.                                                                                                                                                                                                    | `QdH5CAWJgqVT4rOr0qtumf`                           | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `enduser.role`      | string | Actual/assumed role the client is making the request under extracted from token or application security context.                                                                                                                                                                                                                                                                        | `admin`                                            | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `enduser.scope`     | string | Scopes or granted authorities the client currently possesses extracted from token or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). | `read:message, write:files`                        | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
diff --git a/model/authentication/registry.yaml b/model/authentication/registry.yaml
@@ -0,0 +1,13 @@
+groups:
+  - id: registry.authentication
+    type: attribute_group
+    display_name: Authentication Attributes
+    stability: experimental
+    brief: >
+      "Describes the authentication information of an authenticated user."
+    attributes:
+      - id: authentication.id
+        type: string
+        brief: "Unique identifier of an authenticated user in the system."
+        examples: [ 'S-1-5-21-202424912787-2692429404-2351956786-1000' ]
+        stability: experimental
@@ -0,0 +1,32 @@
+groups:
+  - id: registry.enduser
+    type: attribute_group
+    display_name: End User Attributes
+    brief: >
+      Describes information about the end user, which can be used as a subdomain of browser, client, or user domains.
-      Describes information about the end user, which can be used as a subdomain of browser, client, or user domains.
+      Describes the end user.
-      Describes information about the end user, which can be used as a subdomain of browser, client, or user domains.
+      Describes the end user.
+    attributes:
+      - id: enduser.id
 messaging.consumer_id: messaging.consumer.id 
 messaging.consumer_id: messaging.consumer.id 
+        type: string
+        stability: experimental
-        stability: experimental
+        stability: development 
-        stability: experimental
+        stability: development 
+        brief: >
+          Identifier of an end user who interacts with a system.
+          This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system.
+        examples: ['QdH5CAWJgqVT4rOr0qtumf']
+      - id: enduser.role
+        type: string
+        stability: experimental
+        brief: 'Actual/assumed role the client is making the request under extracted from token or application security context.'
+        examples: 'admin'
+      - id: enduser.scope
+        type: string
+        stability: experimental
+        brief: >
+          Scopes or granted authorities the client currently possesses extracted from token
+          or application security context. The value would come from the scope associated
+          with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3)
+          or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html).
+        examples: 'read:message, write:files'
+      - ref: authentication.id
+        stability: experimental
+        requirement_level:
+          conditionally_required: if and only if the end user is authenticated.