Merge branch 'main' into fix/blocking-strategy-deadlock

Author: bryantbiggs

.github/workflows/benchmark.yml

@@ -64,7 +64,7 @@ jobs:
     name: continuous benchmark tracking
     if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
     # Use bare-metal runner on the upstream repo for consistent results; fall back to shared runners elsewhere
-    runs-on: ${{ github.repository == 'open-telemetry/opentelemetry-rust' && 'oracle-bare-metal-64cpu-512gb-x86-64' || 'ubuntu-latest' }}
+    runs-on: ${{ github.repository == 'open-telemetry/opentelemetry-rust' && 'oracle-bare-metal-64cpu-1024gb-x86-64-ubuntu-24' || 'ubuntu-latest' }}
     permissions:
       contents: write
     container:

opentelemetry-appender-tracing/src/layer.rs

@@ -1077,8 +1077,14 @@ mod tests {
             .with_simple_exporter(exporter.clone())
             .build();
 
-        let level_filter = tracing_subscriber::filter::LevelFilter::INFO;
-        let layer = layer::OpenTelemetryTracingBridge::new(&provider).with_filter(level_filter);
+        let layer = layer::OpenTelemetryTracingBridge::new(&provider).with_filter(
+            tracing_subscriber::filter::filter_fn(|meta| {
+                // Allow spans at any level (needed for on_new_span to store span attributes),
+                // but only allow ERROR events to prevent internal otel_info! events from leaking
+                // in when internal-logs feature is enabled and tests run in parallel.
+                meta.is_span() || *meta.level() <= tracing::Level::ERROR
+            }),
+        );
         let subscriber = tracing_subscriber::registry().with(layer);
         let _guard = tracing::subscriber::set_default(subscriber);
 
@@ -1122,8 +1128,14 @@ mod tests {
             .with_simple_exporter(exporter.clone())
             .build();
 
-        let level_filter = tracing_subscriber::filter::LevelFilter::INFO;
-        let layer = layer::OpenTelemetryTracingBridge::new(&provider).with_filter(level_filter);
+        let layer = layer::OpenTelemetryTracingBridge::new(&provider).with_filter(
+            tracing_subscriber::filter::filter_fn(|meta| {
+                // Allow spans at any level (needed for on_new_span to store span attributes),
+                // but only allow ERROR events to prevent internal otel_info! events from leaking
+                // in when internal-logs feature is enabled and tests run in parallel.
+                meta.is_span() || *meta.level() <= tracing::Level::ERROR
+            }),
+        );
         let subscriber = tracing_subscriber::registry().with(layer);
         let _guard = tracing::subscriber::set_default(subscriber);
 
@@ -1177,8 +1189,14 @@ mod tests {
             .with_simple_exporter(exporter.clone())
             .build();
 
-        let level_filter = tracing_subscriber::filter::LevelFilter::INFO;
-        let layer = layer::OpenTelemetryTracingBridge::new(&provider).with_filter(level_filter);
+        let layer = layer::OpenTelemetryTracingBridge::new(&provider).with_filter(
+            tracing_subscriber::filter::filter_fn(|meta| {
+                // Allow spans at any level (needed for on_new_span to store span attributes),
+                // but only allow ERROR events to prevent internal otel_info! events from leaking
+                // in when internal-logs feature is enabled and tests run in parallel.
+                meta.is_span() || *meta.level() <= tracing::Level::ERROR
+            }),
+        );
         let subscriber = tracing_subscriber::registry().with(layer);
         let _guard = tracing::subscriber::set_default(subscriber);
 
@@ -1283,8 +1301,14 @@ mod tests {
             .with_simple_exporter(exporter.clone())
             .build();
 
-        let level_filter = tracing_subscriber::filter::LevelFilter::INFO;
-        let layer = layer::OpenTelemetryTracingBridge::new(&provider).with_filter(level_filter);
+        let layer = layer::OpenTelemetryTracingBridge::new(&provider).with_filter(
+            tracing_subscriber::filter::filter_fn(|meta| {
+                // Allow spans at any level (needed for on_new_span to store span attributes),
+                // but only allow ERROR events to prevent internal otel_info! events from leaking
+                // in when internal-logs feature is enabled and tests run in parallel.
+                meta.is_span() || *meta.level() <= tracing::Level::ERROR
+            }),
+        );
         let subscriber = tracing_subscriber::registry().with(layer);
         let _guard = tracing::subscriber::set_default(subscriber);
 
@@ -1343,7 +1367,10 @@ mod tests {
 
         let layer = layer::OpenTelemetryTracingBridge::builder(&provider)
             .with_span_attribute_allowlist(["session.id"])
-            .build();
+            .build()
+            .with_filter(tracing_subscriber::filter::filter_fn(|meta| {
+                meta.is_span() || *meta.level() <= tracing::Level::ERROR
+            }));
         let subscriber = tracing_subscriber::registry().with(layer);
         let _guard = tracing::subscriber::set_default(subscriber);
 
@@ -1377,7 +1404,10 @@ mod tests {
 
         let layer = layer::OpenTelemetryTracingBridge::builder(&provider)
             .with_span_attribute_allowlist(["session.id"])
-            .build();
+            .build()
+            .with_filter(tracing_subscriber::filter::filter_fn(|meta| {
+                meta.is_span() || *meta.level() <= tracing::Level::ERROR
+            }));
         let subscriber = tracing_subscriber::registry().with(layer);
         let _guard = tracing::subscriber::set_default(subscriber);
 
@@ -1421,7 +1451,10 @@ mod tests {
 
         let layer = layer::OpenTelemetryTracingBridge::builder(&provider)
             .with_span_attribute_allowlist(std::iter::empty::<&str>())
-            .build();
+            .build()
+            .with_filter(tracing_subscriber::filter::filter_fn(|meta| {
+                meta.is_span() || *meta.level() <= tracing::Level::ERROR
+            }));
         let subscriber = tracing_subscriber::registry().with(layer);
         let _guard = tracing::subscriber::set_default(subscriber);
 
@@ -1456,7 +1489,10 @@ mod tests {
 
         let layer = layer::OpenTelemetryTracingBridge::builder(&provider)
             .with_span_attribute_allowlist(["session.id"])
-            .build();
+            .build()
+            .with_filter(tracing_subscriber::filter::filter_fn(|meta| {
+                meta.is_span() || *meta.level() <= tracing::Level::ERROR
+            }));
         let subscriber = tracing_subscriber::registry().with(layer);
         let _guard = tracing::subscriber::set_default(subscriber);
 

opentelemetry-otlp/CHANGELOG.md

@@ -2,6 +2,7 @@
 
 ## vNext
 
+- Add `tls-provider-agnostic` feature flag for environments that require a custom crypto backend (e.g., OpenSSL for FIPS compliance). Enables TLS code paths without bundling `ring` or `aws-lc-rs`.
 - Add `build()` directly on `SpanExporterBuilder`, `MetricExporterBuilder`, and `LogExporterBuilder`
   (before selecting a transport), which auto-selects the transport based on the
   `OTEL_EXPORTER_OTLP_PROTOCOL` environment variable or enabled features.
@@ -13,6 +14,12 @@
   silently sending unencrypted traffic. When a TLS feature is enabled and an `https://` endpoint is used without
   an explicit `.with_tls_config()`, a default `ClientTlsConfig` is automatically applied.
   [#3182](https://github.com/open-telemetry/opentelemetry-rust/issues/3182)
+- Prevent auth tokens from leaking in export error messages. gRPC and HTTP
+  exporter errors no longer include potentially sensitive server responses
+  (e.g., authentication tokens echoed back). Error messages returned to SDK
+  processors contain only the gRPC status code or HTTP status code. Full
+  details are logged at DEBUG level only.
+  [#3021](https://github.com/open-telemetry/opentelemetry-rust/issues/3021)
 - Add support for `OTEL_EXPORTER_OTLP_METRICS_TEMPORALITY_PREFERENCE` environment variable
   to configure metrics temporality. Accepted values: `cumulative` (default), `delta`,
   `lowmemory` (case-insensitive). Programmatic `.with_temporality()` overrides the env var.

opentelemetry-otlp/Cargo.toml

@@ -80,9 +80,13 @@ experimental-grpc-retry = ["grpc-tonic", "opentelemetry_sdk/experimental_async_r
 # http compression
 gzip-http = ["flate2"]
 zstd-http = ["zstd"]
-tls = ["tls-ring"] # Deprecated: use tls-ring or tls-aws-lc.
+tls = ["tls-ring"] # Deprecated: use tls-ring or tls-aws-lc or tls-provider-agnostic
 tls-ring = ["tonic/tls-ring"]
 tls-aws-lc = ["tonic/tls-aws-lc"]
+# Provider-agnostic TLS: enables TLS code paths without bundling a specific 
+# crypto provider. Use this when you install a
+# CryptoProvider globally (e.g., via rustls-openssl for FIPS/OpenSSL environments).
+tls-provider-agnostic = ["tonic/_tls-any"]
 tls-roots = ["tonic/tls-native-roots"]
 tls-webpki-roots = ["tonic/tls-webpki-roots"]
 

opentelemetry-otlp/src/exporter/http/mod.rs

@@ -490,7 +490,17 @@ impl OtlpHttpClient {
 
         // Send request
         let response = client.send_bytes(request).await.map_err(|e| {
-            HttpExportError::new(0, format!("Network error: {e:?}")) // Network error
+            // Connection errors (e.g., "Connection refused", DNS failures) typically
+            // indicate user-side misconfigurations and don't contain sensitive data.
+            // We don't log at WARN here because SDK processors (BatchLogProcessor,
+            // BatchSpanProcessor, PeriodicReader) already log the returned error
+            // via otel_error!.
+            otel_debug!(
+                name: "HttpClient.NetworkError",
+                url = request_uri.as_str(),
+                error = format!("{e}")
+            );
+            HttpExportError::new(0, "HTTP export failed: network error".to_string())
         })?;
 
         let status_code = response.status().as_u16();
@@ -501,12 +511,18 @@ impl OtlpHttpClient {
             .map(|s| s.to_string());
 
         if !response.status().is_success() {
-            let message = format!(
-                "HTTP export failed. Url: {}, Status: {}, Response: {:?}",
-                request_uri,
-                status_code,
-                response.body()
+            // We don't log at WARN here because SDK processors (BatchLogProcessor,
+            // BatchSpanProcessor, PeriodicReader) already log the returned error
+            // via otel_error!. Response body may contain sensitive information
+            // (e.g., auth tokens echoed back by the server), so log it at DEBUG
+            // level only.
+            otel_debug!(
+                name: "HttpClient.StatusError",
+                status_code = status_code,
+                url = request_uri.as_str(),
+                response_body = format!("{:?}", response.body())
             );
+            let message = format!("HTTP export failed with status code: {status_code}");
             return Err(match retry_after {
                 Some(retry_after) => {
                     HttpExportError::with_retry_after(status_code, retry_after, message)

opentelemetry-otlp/src/exporter/tonic/logs.rs

@@ -94,8 +94,7 @@ impl LogExporter for TonicLogsClient {
                                 .interceptor
                                 .call(Request::new(()))
                                 .map_err(|e| {
-                                    // Convert interceptor errors to tonic::Status for retry classification
-                                    tonic::Status::internal(format!("interceptor error: {e:?}"))
+                                    super::handle_interceptor_error!("TonicLogsClient", e)
                                 })?
                                 .into_parts();
                             Ok((inner.client.clone(), m, e))
@@ -137,9 +136,9 @@ impl LogExporter for TonicLogsClient {
         .await
         {
             Ok(_) => Ok(()),
-            Err(tonic_status) => Err(OTelSdkError::InternalFailure(format!(
-                "export error: {tonic_status:?}"
-            ))),
+            Err(tonic_status) => {
+                super::handle_tonic_export_error!("TonicLogsClient", tonic_status)
+            }
         }
     }
 

opentelemetry-otlp/src/exporter/tonic/metrics.rs

@@ -85,9 +85,7 @@ impl MetricsClient for TonicMetricsClient {
                                 .interceptor
                                 .call(Request::new(()))
                                 .map_err(|e| {
-                                    tonic::Status::internal(format!(
-                                        "unexpected status while exporting {e:?}"
-                                    ))
+                                    super::handle_interceptor_error!("TonicMetricsClient", e)
                                 })?
                                 .into_parts();
                             Ok((inner.client.clone(), m, e))
@@ -127,9 +125,9 @@ impl MetricsClient for TonicMetricsClient {
         .await
         {
             Ok(_) => Ok(()),
-            Err(tonic_status) => Err(OTelSdkError::InternalFailure(format!(
-                "export error: {tonic_status:?}"
-            ))),
+            Err(tonic_status) => {
+                super::handle_tonic_export_error!("TonicMetricsClient", tonic_status)
+            }
         }
     }