Personal data logged out in the json format

[yanns]

Is your feature request related to a problem? Please describe.
When using the jons format, the spans are also logged.
In some spans, the graphql variables and document are logged:

"span": {
    "apollo_private.field_level_instrumentation_ratio":0.01,
    "apollo_private.graphql.variables":"{\"sku\":\"\"}",
    "graphql.document":"fragment ..."

Those values could log some personal data.
As far as I've checked, "apollo_private.graphql.variables" does not seem to disclose any value.
But "graphql.document" can disclose some personal data:
Ex:

{
        users(
          where:"email=\"<removed by me>\"",
        ) {

Describe the solution you'd like

• either we can remove all values
• or we can configure what can be logged. I guess this is related to Improve logging experience #1840

Describe alternatives you've considered
No real alternative. The application should not log any personal data.
.

[Geal]

which spans are affected? How is telemetry configured, especially the send_variable_values option?

[yanns]

The name of the span is "name":"supergraph".

[yanns]

We have not changed the send_variable_values, and variables seem fine.
I think that the issue is about "graphql.document" for now.

[Geal]

Ah, right. For data sent to Apollo, all the hardcoded variable values are removed, but probably not for other telemetry options.
Is it something you can fix on the client side? If queries contain hardcoded user data, then a separate query plan will have to be generated and stored for each of them, so you'll run in a lot of issues

[yanns]

Our API is used directly by all our customers.
We cannot change that.

In our current implementation, we remove all values on variables before logging the query.

[Geal]

I understand, but the query content, with variables tweaking the behaviour, is useful to investigate production issues.
We will look into what can be done here. But as I said, this is bound to create a lot more issues for you in the long run. Do you know which proportion of your users is affected?

[yanns]

I don't know the exact proportion, but it's quite important.
And the proportion is not very useful for us: we are not allowed to log any personal data.

Maybe a plugin could remove those values if they need with a middleware?

[yanns]

For me, implementing #1651 would be sufficient. Then I'd create my own json logger that would not log the query.

[abernix]

This also relates to work that is getting discussed in #3226 in terms of toggling these options on and off.

[abernix]

@yanns Do you think we could close this in favor of #3226?

[yanns]

ok for me