feat(spans): initial MongoDB description scrubbing support

[mjq]

We would like to support MongoDB queries in the Queries insight module (which is currently SQL-only).

Metrics will be shown on the Queries insights page when they fulfill the query has:span.description span.module:db. Without the changes in this PR, MongoDB spans would either lack a span.description or span.module so they were hidden from the module.

In addition, to fully support the Queries page, the span.action and span.domain tags are also required. Without this PR, MongoDB spans' span.action was being set if it was present as db.operation in span data, but span.domain was not set.

This PR:

• Allows MongoDB spans to be tagged with span.module: db
• Adds MongoDB query scrubbing and writes the scrubbed query to span.description, conditional on the organizations:performance-queries-mongodb-extraction feature flag (added here)
• Writes the collection name to span.domain for MongoDB spans

Because the new query scrubbing is behind a feature flag, orgs without it will continue to have no span.description and therefore continue to not show up in the Queries module.

The short-term plan is to turn this on for a single test org to iterate on the frontend experience, and also begin to test the cardinality of the query scrubbing.

The scrubbing keeps the operation/collection key/value pair but otherwise replaces leaf values in the query JSON with "?". This might need to be tuned further if there are cases where people are likely to use high-cardinality keys.

Valid MongoDB spans must:

• contain a JSON-encoded query in their description
• have a db.system of "mongodb"
• have either db.collection.name or db.mongodb.collection set
• have db.operation set

Our JavaScript v8 SDK fulfills these criteria for MongoDB spans, and I believe the latest Python does too (but haven't personally checked).

[mjq]

Because this value has to get passed through so many different functions, it seemed clearer to use an explicit enum argument instead of a dangling boolean for the arguments.

[Dav1dde]

Does this feature make sense the way it is right now?

It seems like mongodb is unconditionally enabled with this PR only the scrubbing is conditional. For me this seems like we should have a feature flag to enable/disable mongodb alltogether not just the scrubbing which is supposed to help us with cardinality.

[mjq]

Here's my understanding.

There are two places that Relay currently special-cases MongoDB. The first is disabled databases.

relay/relay-dynamic-config/src/defaults.rs

Lines 11 to 17 in 70c15da

	const DISABLED_DATABASES: &[&str] = &[
	"*clickhouse*",
	"*compile*",
	"*mongodb*",
	"*redis*",
	"db.orm",
	];

relay/relay-dynamic-config/src/defaults.rs

Lines 123 to 126 in 70c15da

	let is_db = RuleCondition::eq("span.sentry_tags.category", "db")
	& !(RuleCondition::eq("span.system", "mongodb")
	| RuleCondition::glob("span.op", DISABLED_DATABASES)
	| RuleCondition::glob("span.description", MONGODB_QUERIES));

is_db is used to control the presence of certain metrics and tags in hardcoded_span_metrics.

This PR removes that check, which means we will produce more metrics. However, note that:

• a number of SDKs (including v8 of the JS SDK) don't actually have mongodb as part of the span op, and were never subject to this check
• high cardinality of the resulting metrics comes from the span.description tag, which is protected against separately (see following)

The second existing special case is in the span description scrubbing.

relay/relay-event-normalization/src/normalize/span/description/mod.rs

Lines 63 to 70 in 70c15da

	("db", sub) => {
	if sub.contains("clickhouse")
	|| sub.contains("mongodb")
	|| sub.contains("redis")
	|| is_legacy_activerecord(sub, db_system)
	|| is_sql_mongodb(description, db_system)
	{
	None

We check again for mongodb in the op (which as I mentioned, is often already bypassed), but the is_sql_mongodb function catches them all at this point by checking for a db.system of mongodb or JSON-looking description. This is the handling we fall through to when the feature is off.

---

So:

• This PR will change the situation from "some MongoDB spans are counted as is_db" to "all MongoDB spans are counted as is_db", but
• There will be no increase in cardinality, as all MongoDB span descriptions will continue to be None in cases where the flag is not set.

In an ideal world, I would have kept the behaviour exactly the same and only conditionally changed DISABLED_DATABASES. But, looking at how hardcoded_span_metrics, I can't see any way to get feature flags down to it. So I reasoned that the outcomes above were probably acceptable, but I could definitely be wrong! Please let me know what you think. Thanks so much 🙏

[Dav1dde]

a number of SDKs (including v8 of the JS SDK) don't actually have mongodb as part of the span op, and were never subject to this check

I'd be worried about the Otel integrations here, not the SDKs necessarily.

high cardinality of the resulting metrics comes from the span.description tag, which is protected against separately (see following)

If we have some confidence in the scrubbing (which seems pretty sound to me, we can even start with a lower 'recursion limit'), I'd not use the feature flag at all. You will only find the outliers after it's too late anyways. And the feature flag just adds more conditionals and boilerplate while only toggling scrubbing not the full extraction.
That's the same approach that was taken for Redis.

[mjq]

Thanks for the review @Dav1dde! I appreciate the corrections to my first Rust. I think I addressed all your lower level comments, and left a longer explanation for the high level concern re: the feature flag if you get a chance to check that out. Thanks again! 🙏

[Dav1dde]

@mjq I took the liberty to update the scrubbing code to be clone free and mutate only in place.

Few things:

• for_each: is not almost a code smell and can just be expressed with a for
• collections have a bunch of utility methods, like values_mut which gives you mutable access to only the values/what you need, this also allows you to modify in place
• you can match on the mutable Value's and modify them in place as well, no need to create new values, just pass &mut references into the visitor
• there is a small optimization when you already have a Value::String we don't need to allocate a new string, we can clear the string and push a ? into it, this saves an allocation
• You can early return with the questionmark ? operator if the function returns Result or Option (used on serde_json::from_str)
• There is an additional optimization we could take, that is not actually parsing the json into a proper data structure, but just visiting and creating a new json immediately (SAX like), the other optimization would be to not parse String's we could just borrow from the original description (since we later re-serialize anyways), but that requires our own Value enum, so decided not to do it for simplicity reasons.

Do you think a depth/recursion limit of 3 is enough? Having no experience with mongodb it does feel quite small.

[Dav1dde]

As noted I'd consider dropping the feature flag all together, especially since you expect almost no mongodb data in the first place. Just removes a few more conditionals and overhead. Up to you.

Conditionally changing is_db would be preferrable and possible, but that requires some deeper changes in Relay we can always do later and I don't want to block you on this.

[Dav1dde]

a number of SDKs (including v8 of the JS SDK) don't actually have mongodb as part of the span op, and were never subject to this check

I'd be worried about the Otel integrations here, not the SDKs necessarily.

high cardinality of the resulting metrics comes from the span.description tag, which is protected against separately (see following)

If we have some confidence in the scrubbing (which seems pretty sound to me, we can even start with a lower 'recursion limit'), I'd not use the feature flag at all. You will only find the outliers after it's too late anyways. And the feature flag just adds more conditionals and boilerplate while only toggling scrubbing not the full extraction.
That's the same approach that was taken for Redis.

Stale

[mjq]

@Dav1dde Thanks for the review (and the help with the in-place data transformations!). With hack week over, I'd like to get this merged. I've re-merged master to get a new test run.

Even though I'm confident in the scrubbing, personally I would feel better about having the feature flag for the initial release. I can loop back and remove it within a day or two afterwards once we're sure things are looking okay. How does that sound?

Do you think a depth/recursion limit of 3 is enough? Having no experience with mongodb it does feel quite small.

My thinking was to start conservative and expand it if we find we need it in real use.

[mjq]

@jjbayer added you as a reviewer (along with a re-request to @Dav1dde) if you wouldn't mind helping, since we're blocked on this now. Thanks!

[jjbayer]

See comment about scrubbing collection names. The rest of the PR looks good to me!

[jjbayer]

nit:

Suggested change

	ScrubMongoDBDescriptions,
	ScrubMongoDbDescriptions,

https://rust-lang.github.io/api-guidelines/naming.html#:~:text=In%20UpperCamelCase%2C%20acronyms%20and%20contractions%20of%20compound%20words%20count%20as%20one%20word%3A%20use%20Uuid%20rather%20than%20UUID

[jjbayer]

Took me a while to parse this condition, might benefit from a comment along the lines of "we disallow mongodb, unless span.system is set to mongodb".

[jjbayer]

You can derive the Copy trait on ScrubMongoDescription to make the .clone() unnecessary.

[jjbayer]

Suggested change

	#[derive(PartialEq, Clone, Debug)]
	#[derive(PartialEq, Clone, Copy, Debug)]

[jjbayer]

Suggested change

	command.zip(collection).and_then(|(command, collection)| {
	if let (Some(command), Some(collection)) = (command, collection) {

[jjbayer]

nit: query might not parse into a valid object, so I would pass &str into this function and only convert command and collection to String in this line.

[jjbayer]

Suggested change

	"{\"find\": \"documents\", \"showRecordId\": true}",
	r#"{"find": "documents", "showRecordId": true}"#,

etc,

[jjbayer]

With SQL, we learned the hard way that collections / tables can contain all kinds of identifiers (see test cases here). IMO we should pass the mongodb collection name through the same scrubbing as SQL table names to catch those identifers, i.e. apply the TABLE_NAME_REGEX.

[mjq]

@jjbayer Thanks so much for the thorough review 🙏 I've made all of your suggested changes. Please take a look at the collection name scrubbing changes in particular. I've applied it both places the collection is used in a tag (the description and the domain) since either could affect metric cardinality. To reuse the TABLE_NAME_REGEX I moved it up to the closest ancestor crate of all its users - if you have any suggestions for a better spot for it (or a better design) please let me know.

Thanks again!

[jjbayer]

nit: I think this is the same

Suggested change

	let scrubbed_collection_name =
	if let Cow::Owned(s) = TABLE_NAME_REGEX.replace_all(collection, "{%s}") {
	s
	} else {
	collection.to_owned()
	};
	let scrubbed_collection_name = TABLE_NAME_REGEX.replace_all(collection, "{%s}").to_owned();

[mjq]

The above returns the type error:

   --> relay-event-normalization/src/normalize/span/description/mod.rs:575:51
    |
575 |     root.insert(command.to_owned(), Value::String(scrubbed_collection_name));
    |                                     ------------- ^^^^^^^^^^^^^^^^^^^^^^^^- help: try using a conversion method: `.to_string()`
    |                                     |             |
    |                                     |             expected `String`, found `Cow<'_, str>`
    |                                     arguments to this enum variant are incorrect
    |
    = note: expected struct `std::string::String`
                 found enum `std::borrow::Cow<'_, str>`

But

let scrubbed_collection_name = TABLE_NAME_REGEX.replace_all(collection, "{%s}").to_string();

compiles, if that seems reasonable?

Either way I'm going to merge without this change just in case, and loop back afterwards.

[jjbayer]

Yep, that works!

[jjbayer]

Same comment about to_owned.

It's a bit unfortunate that we scrub the collection name again here, but that's a basic flaw of extract_tags (it works on each tag separately instead of collecting all tags for a given span type at once).