Stream: Security and Privacy
Topic: TraceID's
Jens Villadsen (Aug 16 2019 at 09:32):
Where do request trace IDs (e.g. Jaeger trace IDs) fit into the AuditEvent resource?
John Moehrke (Aug 16 2019 at 13:39):
I don't know what that is. Can you explain it a bit?
David Pyke (Aug 16 2019 at 13:44):
https://www.jaegertracing.io/docs/1.7/architecture/
John Moehrke (Aug 16 2019 at 14:22):
okay, then if I understand this correctly; this is an id of a system pathway through some tasks. Thus it is clearly not an agent, as it is not representing something that is acting. Thus the only other place for it to go is as a .entity. In IHE we often will put SOAP message id in as an identity. It seems this is similar, except it represents internal processing. Right?
John Moehrke (Aug 16 2019 at 14:23):
if that is right, then we can work at the next level of detail... how to fill out an entity such that the audit analysis understands it... If I am wrong, then I need to understand it better
John Moehrke (Aug 16 2019 at 14:26):
would like to see us build an example that ends up in the fhir core spec...
John Moehrke (Aug 16 2019 at 14:28):
what does a trace id look like? @Jens Villadsen do you have an example of a trace id that you could share?
Jens Villadsen (Aug 19 2019 at 11:01):
@John Moehrke see https://www.envoyproxy.io/docs/envoy/latest/configuration/http_conn_man/headers#x-b3-traceid and https://github.com/openzipkin/b3-propagation#traceid-2
Jens Villadsen (Aug 19 2019 at 11:01):
64 or 128 bit id
Jens Villadsen (Aug 19 2019 at 11:02):
An Identifier on AuditEvent would be sufficient
Jens Villadsen (Aug 19 2019 at 11:03):
anyone in a cloud native environment should have similar needs, I imagine
John Moehrke (Aug 19 2019 at 12:02):
@Jens Villadsen would you agree that can be put into a .entity.who.identifier, with entity.type of 'system object', .entity.role as 'job stream'. Right?
John Moehrke (Aug 19 2019 at 12:06):
I was asking about the format of the trace ID to determine if it was distinguishable. Might be useful to have an .entity.role value that is more specific to this kind of ID? I picked job stream because it seemed similar
Jens Villadsen (Aug 19 2019 at 12:23):
Is there an entity.who? I can see an entity.what - not an entity.who.
Jens Villadsen (Aug 19 2019 at 12:23):
@John Moehrke
Jens Villadsen (Aug 19 2019 at 20:22):
What do you mean by job stream?
Jens Villadsen (Aug 20 2019 at 06:59):
example: X-B3-TraceId: 80f198ee56343ba864fe8b2a57d3eff7
Jens Villadsen (Aug 21 2019 at 13:57):
@John Moehrke any comments?
John Moehrke (Aug 22 2019 at 13:34):
sorry for the delay. Yes, .entity.what
John Moehrke (Aug 22 2019 at 13:35):
I mean "Job Stream" as in http://build.fhir.org/codesystem-object-role.html#object-role-21
Jens Villadsen (Aug 29 2019 at 07:42):
@John Moehrke should this use be exemplified in the spec?
Jens Villadsen (Aug 29 2019 at 07:42):
in order to streamline use or just to have a suggestion for others that would have the same need?
John Moehrke (Aug 29 2019 at 12:25):
I think minimally we should add an example specific to trace ID... so, let's build that example with enough narrative to explain what we had to in this thread
John Moehrke (Aug 29 2019 at 12:27):
I don't think trace id is common enough to add to the front page of AuditEvent.
Jens Villadsen (Nov 20 2019 at 15:52):
I would say jaeger tracing is pretty common, judging by the amount of stars that https://github.com/jaegertracing/jaeger has received?
John Moehrke (Nov 20 2019 at 16:27):
can we start with an example audit message that includes the trace id?
Jens Villadsen (Apr 22 2020 at 10:01):
@John Moehrke - here you are ;)
{
  "resourceType": "AuditEvent",
  "type": {
    "system": "http://hl7.org/fhir/audit-event-type",
    "code": "rest",
    "display": "RESTful Operation"
  },
  "subtype": [
    {
      "system": "http://hl7.org/fhir/restful-interaction",
      "code": "$createPatient"
    }
  ],
  "action": "E",
  "recorded": "2019-12-04T11:59:28.646+00:00",
  "outcome": "0",
  "outcomeDesc": "Patient",
  "agent": [
    {
      "extension": [
        {
          "url": "http://ehealth.sundhed.dk/fhir/StructureDefinition/ehealth-responsibleOrganization",
          "valueReference": {
            "reference": "http://organization.inttest.ehealth.sundhed.dk/fhir/Organization/10357"
          }
        }
      ],
      "userId": {
        "system": "http://ehealth.sundhed.dk",
        "value": "http://organization.inttest.ehealth.sundhed.dk/fhir/Practitioner/143473"
      },
      "requestor": true
    }
  ],
  "source": {
    "identifier": {
      "value": "http://ehealth.sundhed.dk"
    },
    "type": [
      {
        "system": "http://hl7.org/fhir/security-source-type",
        "code": "4"
      }
    ]
  },
  "entity": [
    {
      "reference": {
        "reference": "http://patient.inttest.ehealth.sundhed.dk/fhir/Patient/852"
      },
      "role": {
        "system": "http://hl7.org/fhir/object-role",
        "code": "1"
      }
    },
    {
      "identifier": {
        "system": "http://ehealth.sundhed.dk",
        "value": "6b507ee2d716780372c255df69ece653"
      },
      "type": {
        "system": "http://hl7.org/fhir/security-source-type",
        "code": "2",
        "display": "Data Interface"
      },
      "role": {
        "system": "http://hl7.org/fhir/object-role",
        "code": "21",
        "display": "Job Stream"
      }
    }
  ]
}
John Moehrke (Apr 22 2020 at 12:39):
can you create a change proposal with this recommendation and this example?
Jens Villadsen (Apr 22 2020 at 13:21):
sure
Jens Villadsen (Apr 22 2020 at 13:47):
https://jira.hl7.org/browse/FHIR-26923
John Moehrke (Apr 22 2020 at 13:59):
thanks... but note that we really do need the jira tickets to stand on their own. They can reference a zulip chat for emphasis, but they must include the problem and solution within jira. I will manage with this one
Jens Villadsen (Apr 22 2020 at 13:59):
thx
John Moehrke (Apr 27 2020 at 13:49):
In working on this CR in preparation for vote, it is not clear to me if this need is satisfied with a well-formed example, or if something needs to change on the core AuditEvent page. If so, where and what should be said? I am really looking for exact text. J#26923
Bernard Stibbe (Dec 08 2021 at 11:08):
Why is there no identifier element available in the AuditEvent so that we can identify a unique AuditEvent resource instance, by using e.g. the b3-propagation headers as identifiers? See: https://github.com/openzipkin/b3-propagation
John Moehrke (Dec 08 2021 at 11:52):
There is an .id, so one can refer to an instance of AuditEvent. There is just not a business .identifier. There is no use-case that has been brought to us where there are equal objects that have a business identifier.
TraceID was discussed as appropriate to record in an .entity -- See the example in the current fhir build - http://build.fhir.org/audit-event-example-create-traceID.html
Grahame Grieve (Dec 08 2021 at 19:55):
a number of servers are using 'X-Request-Id' for this
Grahame Grieve (Dec 08 2021 at 19:56):
see https://hl7.org/fhir/http.html#custom
John Moehrke (Dec 08 2021 at 19:59):
not clear on what you are stating. Yes the X-Request-ID could/should be recorded as an .entity to help correlate AuditEvents that happened as a result of an http transaction. Is this what you are mentioning?
John Moehrke (Dec 08 2021 at 20:03):
I will add X-Request-Id to my BasicAudit IG. (TraceID is not as clear to me)
Grahame Grieve (Dec 08 2021 at 20:07):
well, we're using that in the http headers, and it would make sense to put that id in the AuditEvent - I'm putting it in AuditEvent.entity. I'll have to review that
John Moehrke (Dec 08 2021 at 20:10):
okay. I thought you were indicating that the x-request-id was being used as if it was an AuditEvent.identifier.
John Moehrke (Dec 08 2021 at 20:12):
putting it in a .entity seems logical to me. How that .entity is decorated so that it is understood is not as clear to me. So I would be happy to replicate what you have already implemented.
Grahame Grieve (Dec 08 2021 at 20:22):
<entity>
  <type>
    <code value="X-Request-Id"/>
  </type>
  <what>
    <identifier>
      <value value="{X-request-id}"/>
    </identifier>
  </what>
</entity>
Grahame Grieve (Dec 08 2021 at 20:22):
I cannot say that I'm happy with that, but I don't know what to put for the system
John Moehrke (Dec 08 2021 at 21:04):
I can define a code in my IG.
Grahame Grieve (Dec 08 2021 at 21:06):
I'll use it
Jens Villadsen (Dec 11 2021 at 14:21):
x-request-id is just one of many identifiers. See eg. https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers
Jens Villadsen (Dec 11 2021 at 14:23):
@John Moehrke I still think Identifiers are needed on the AuditEvent
John Moehrke (Dec 11 2021 at 14:37):
Those are transaction identifiers.
Jens Villadsen (Dec 11 2021 at 15:36):
So ... to some extent yes. But they could also be considered business identifiers ... depending on your definition of transaction in a distributed asynchronous system.
Jens Villadsen (Dec 11 2021 at 15:37):
@John Moehrke Don't you think they should be included into the AuditEvent?
John Moehrke (Dec 11 2021 at 16:33):
Yes, as entity.what.identifier. see my IG
Last updated: Apr 12 2022 at 19:14 UTC