breaking: Use sha256 to hash lambda traceId that are triggered by Step Functions and set _dd.p.tid #534
Conversation
src/trace/step-function-service.ts
Outdated
| const res = "0" + binary.substring(1, 64); | ||
| if (res === "0".repeat(64)) { | ||
| const res = "0" + binary.substring(1, 128); | ||
| if (res === "0".repeat(128)) { |
There was a problem hiding this comment.
Here, we need to ensure that the 0th and 64th bits of the 128-bit data are both set to 0.
kimi-p
changed the title
| "arn:aws:states:sa-east-1:425362996713:stateMachine:MyStateMachine-b276uka1j#lambda#2", | ||
| _64_BITS, | ||
| ); | ||
| expect(actual).toEqual("5759173372325510050"); |
There was a problem hiding this comment.
this matches logs-backend's hash result
https://github.com/DataDog/logs-backend/pull/71616/files#diff-820e0a1dd4f0f97815ac54f993c08b3c44c67dd26a312968c214f16ab73494c0R20-R21
| "arn:aws:states:sa-east-1:425362996713:stateMachine:MyStateMachine-b276uka1j#lambda#1", | ||
| _64_BITS, | ||
| ); | ||
| expect(actual).toEqual("3711631873188331089"); |
There was a problem hiding this comment.
this matches logs-backend PR's hashing result
https://github.com/DataDog/logs-backend/pull/71616/files#diff-820e0a1dd4f0f97815ac54f993c08b3c44c67dd26a312968c214f16ab73494c0R15
src/trace/step-function-service.ts
Outdated
| if (type === TRACE_ID) { | ||
| intArray = uint8Array.subarray(8, 16); | ||
| } else { | ||
| // type === SPAN_ID || type === DD_P_TID | ||
| intArray = uint8Array.subarray(0, 8); | ||
| } |
There was a problem hiding this comment.
This section matches the logic that we put on logs-backend implementation.
kimi-p
changed the title
| "@smithy/util-middleware" "^2.2.0" | ||
| "@smithy/util-retry" "^2.2.0" | ||
| "@smithy/util-utf8" "^2.3.0" | ||
| "@aws-sdk/client-sso-oidc" "3.577.0" |
There was a problem hiding this comment.
Is it normal to have so many changes on the yarn.lock file?
There was a problem hiding this comment.
I think it's just that these are the result of not pinned packages. When I remove the lock file and regenerated, some packages have been upgraded all at once.
src/trace/step-function-service.ts
Outdated
| }); | ||
|
|
||
| const ptid = this.deterministicSha256HashToBigIntString(this.context["step_function.execution_id"], DD_P_TID); | ||
| if (ptid === "0".repeat(16)) { |
There was a problem hiding this comment.
Can you add some explanations for the condition check in Line 15?
There was a problem hiding this comment.
Good catch. I think this was coming from similar logic implemented somewhere the dd-trace-js. But since deterministicSha256HashToBigIntString will never return all zeros, we can remove the check here.
src/trace/step-function-service.ts
Outdated
| const _DatadogSpanContext = require("dd-trace/packages/dd-trace/src/opentracing/span_context"); | ||
| const id = require("dd-trace/packages/dd-trace/src/id"); | ||
|
|
||
| const spanContext = SpanContextWrapper.fromTraceContext({ | ||
| traceId, | ||
| parentId, | ||
| sampleMode, | ||
| source: TraceSource.Event, | ||
| const ddTraceContext = new _DatadogSpanContext({ | ||
| traceId: id(traceId, 10), | ||
| spanId: id(parentId, 10), | ||
| sampling: { priority: sampleMode.toString(2) }, | ||
| }); | ||
|
|
||
| const ptid = this.deterministicSha256HashToBigIntString(this.context["step_function.execution_id"], DD_P_TID); | ||
| ddTraceContext._trace.tags["_dd.p.tid"] = id(ptid, 10).toString(16); | ||
| const spanContext = new SpanContextWrapper(ddTraceContext, TraceSource.Event); | ||
|
|
There was a problem hiding this comment.
Why are we not using the current SpanContextWrapper code? Is it because we need to add the ptid?
If so, is there another way to not require dd-trace code here? Or at least, we need to lazy load it, since the tracer could be not available
There was a problem hiding this comment.
- Yes.
- Lemme try to lazy load it.
Co-authored-by: jordan gonzález <30836115+duncanista@users.noreply.github.com>
Co-authored-by: jordan gonzález <30836115+duncanista@users.noreply.github.com>
|
I have verified after these change based on the comments that the spans linking still works in staging. 
|
duncanista
changed the title
What does this PR do?
0._dd.p.tidtagtraceIdparentId(which is step function task's spanId)ts-md5package is remove.yarn add @types/node -Das suggested in this the issue Issue with TS4.9 - 'AbortSignal' was also declared here. microsoft/TypeScript#51567Motivation
To support 128 bits trace IDs and to avoid showing up in security vulnerability scans, we are upgrading the hashing method (md5) to sha256.
Testing Guidelines
41919d29ba4149cd40fcae25a0e4e323is a hash, not a number anymore.aws.lambdaspan matches theaws.stepfunctions.lambdatask span.Additional Notes
This is a breaking change that will affect all current Step Functions public beta users. And what will break is the Step Functions trace and Lambda traces linking.
Since this has to be done at some point, we want to put this change out before GA. Serverless-Integrations team will work with Sumedha and have some sort of announcement to let customers know the exact cut off time so that they can deploy their Lambda around the same time.
Referencing PR for implementing MD5
Types of Changes
Check all that apply