Skip to content

Update GraphQL Recommended vs Opt-In requirements #3118

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

Update GraphQL Recommended vs Opt-In requirements #3118

wants to merge 1 commit into from
+31 −5

Conversation

@abernix
Copy link

@abernix abernix commented Nov 24, 2025
edited
Loading

Fixes #2985

Changes

Changes the firmness for graphql.document from Recommended to Opt-In.

Context

The graphql.document is user-inputted, often contains sensitive information, is potentially unbounded in length and is also high-cardinality in the same way as the existing graphql.operation.name (which is already warned about).

Put another way, graphql.document is a general liability to have listed as Recommended without serious infrastructure considerations and needs. This makes it a better candidate for being an Opt-In attribute. In our customer adoption of OpenTelemetry and GraphQL, we've found GraphQL customers following this configuration/instruction purely based on its naming in this (still, experimental) specification and not understanding the implications (or just not thinking them through).

In most all cases, the lesser liability of graphql.operation.name (The actual operation name) is sufficient, as in many GraphQL deployments there is a link between the two which can be correlated out of band (e.g., client code-bases, operation manifests, etc.). While the operation name isn't without its risk, but it's more likely to be dozens of bytes of a limited character set rather than dozens, hundreds or potentially thousands of kilobytes. In that regard, it's reasonable that graphql.operation.name be left as Recommended for user experience (though the argument could easily be made that it should also be Opt-In).

Merge requirement checklist

  • CONTRIBUTING.md guidelines followed.
  • Change log entry added, according to the guidelines in When to add a changelog entry.
    • If your PR does not need a change log, start the PR title with [chore]
  • Links to the prototypes or existing instrumentations (when adding or changing conventions)

@abernix abernix requested review from a team as code owners November 24, 2025 12:19
@linux-foundation-easycla
Copy link

linux-foundation-easycla bot commented Nov 24, 2025
edited
Loading

CLA Signed

The committers listed above are authorized under a signed CLA.

  • ✅ login: abernix / name: Jesse Rosenberger (05695a8)

@abernix abernix marked this pull request as draft November 24, 2025 12:48
@joaopgrassi
Copy link
Member

joaopgrassi commented Nov 24, 2025
edited
Loading

Note you will have to change the model file, and then generate the update commands. The markdown is not to be modified manually.

Also, consider adding a note to the opt_in explaining the rationaly. See an example here:

semantic-conventions/model/http/spans.yaml

Line 130 in 2e68756

requirement_level: opt_in

@abernix abernix force-pushed the abernix/graphql-spec-requirements branch from 9b4c12a to 05695a8 Compare November 24, 2025 14:30
@github-actions
Copy link

github-actions bot commented Nov 24, 2025

This PR contains changes to area(s) that do not have an active SIG/project and will be auto-closed:

  • graphql

Such changes may be rejected or put on hold until a new SIG/project is established.

Please refer to the Semantic Convention Areas
document to see the current active SIGs and also to learn how to kick start a new one.

@github-actions github-actions bot closed this Nov 24, 2025
@abernix
Copy link
Author

abernix commented Nov 24, 2025

Note you will have to change the model file, and then generate the update commands. The markdown is not to be modified manually.

Thanks! And sorry, I realized that just after I opened it and shortly after I signed the CLA, which was the first thing I wanted to tackle.

I'm not sure why this PR was just auto-closed though — do you have suggestions on that @joaopgrassi ?

@abernix
Copy link
Author

abernix commented Nov 27, 2025
edited
Loading

@joaopgrassi It looks like some relatively new automation auto-closed this, so ping again on the above if you get a chance. I guess this needs triage:accepted:ready if you're willing to do that for this change. I recognize that would be outside of a SIG group's coverage if i'm understanding the state of graphql right now. I can see what it would look like to spin up that group, but would also prefer to decouple it from this change if at all possible! :)

@github-actions
Copy link

github-actions bot commented Nov 27, 2025

This PR contains changes to area(s) that do not have an active SIG/project and will be auto-closed:

  • graphql

Such changes may be rejected or put on hold until a new SIG/project is established.

Please refer to the Semantic Convention Areas
document to see the current active SIGs and also to learn how to kick start a new one.

1 similar comment
@github-actions
Copy link

github-actions bot commented Nov 27, 2025

This PR contains changes to area(s) that do not have an active SIG/project and will be auto-closed:

  • graphql

Such changes may be rejected or put on hold until a new SIG/project is established.

Please refer to the Semantic Convention Areas
document to see the current active SIGs and also to learn how to kick start a new one.

@joaopgrassi joaopgrassi reopened this Nov 28, 2025
joaopgrassi
joaopgrassi reviewed Nov 28, 2025
View reviewed changes
.chloggen/abernix_graphql-spec-requirements.yaml
# your pull request title with [chore] or use the "Skip Changelog" label.

# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
change_type: enhancement
Copy link
Member

@joaopgrassi joaopgrassi Nov 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
change_type: enhancement
change_type: breaking

Right? because now it won't be recorded by default anymore.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@joaopgrassi joaopgrassi joaopgrassi left review comments

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

area:graphql enhancement New feature or request triage:accepted:ready

Projects

Semantic Conventions Triage
Archived in project

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

GraphQL: "Recommended" for graphql.document is better as "Opt-In"

2 participants

@abernix @joaopgrassi