Introduce data attribute group for governance and security (#3088)

Author: Ayushi Asthana

.chloggen/add-data-attributes.yaml

@@ -0,0 +1,7 @@
+change_type: "enhancement"
+component: "data"
+note: "Introduce `data.category` and `data.sensitivity` attributes to support data governance and security use cases."
+issues: [0] # Placeholder PR number
+subtext: |
+  These attributes allow for classifying data based on its semantic nature and sensitivity level,
+  enabling automated security workflows, compliance mapping, and improved observability of sensitive data.

.github/ISSUE_TEMPLATE/bug_report.yaml

@@ -39,6 +39,7 @@ body:
         - area:container
         - area:cpu
         - area:cpython
+        - area:data
         - area:db
         - area:deployment
         - area:destination

.github/ISSUE_TEMPLATE/change_proposal.yaml

@@ -31,6 +31,7 @@ body:
         - area:container
         - area:cpu
         - area:cpython
+        - area:data
         - area:db
         - area:deployment
         - area:destination

.github/ISSUE_TEMPLATE/new-conventions.yaml

@@ -42,6 +42,7 @@ body:
         - area:container
         - area:cpu
         - area:cpython
+        - area:data
         - area:db
         - area:deployment
         - area:destination

docs/non-normative/README.md

@@ -6,3 +6,5 @@ linkTitle: Non-normative
 
 The pages in this section are **non-normative**, most are supplementary
 guidelines.
+
+- [Data Attributes - Usage and Examples](data-attributes.md)

docs/non-normative/data-attributes.md

@@ -0,0 +1,69 @@
+# Data Attributes - Usage and Examples
+
+This document provides additional context and examples for the `data` attribute group.
+
+## Overview
+
+Traditional observability focuses on the health of the "vessel" (service, container, database). This specification introduces the Data Attribute Group, which focuses on the "cargo." By tagging resources and spans with data-specific metadata, we enable:
+
+* **Automated Retention**: Systems can dynamically set snapshot lifetimes based on `data.category`.
+* **Security Guardrails**: Monitoring for sensitive data movement across trust boundaries.
+* **Compliance Mapping**: Real-time visibility into which services handle GDPR, HIPAA, or PCI-DSS governed data.
+
+## Example Configurations
+
+### 1. Kubernetes Resource Metadata
+
+Infrastructure components like PersistentVolumeClaims (PVCs) act as the source of truth for the data sensitivity level.
+
+```yaml
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: customer-data-pvc
+  labels:
+    # Defining the sensitivity of the "cargo" at rest
+    data-classification: "restricted"
+    data-category: "pii"
+    compliance-scope: "gdpr"
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi
+```
+
+### 2. OpenTelemetry Resource Attributes
+
+When a service starts, it can be configured to broadcast its data handling capabilities or the sensitivity of its primary datastore via environment variables.
+
+```bash
+# Broadly tagging the service resource in the collection pipeline
+export OTEL_RESOURCE_ATTRIBUTES="data.sensitivity=restricted,data.category=financial"
+```
+
+### 3. Programmatic Context Transfer (Pseudo-code)
+
+To propagate sensitivity across a pipeline, a service injects the attribute into the Baggage, which is then carried in the headers of all downstream RPC calls.
+
+```python
+from opentelemetry import baggage, context
+
+# 1. Extract sensitivity from the datastore metadata (e.g., K8s label)
+store_sensitivity = "restricted"
+
+# 2. Inject into the current request context as "Baggage"
+ctx = baggage.set_baggage("data.sensitivity", store_sensitivity)
+
+# 3. Downstream calls now carry this context automatically in their headers
+with context.attach(ctx):
+    # This RPC call to 'DownstreamService' will include the sensitivity attribute
+    call_downstream_service()
+```
+
+## Security & Governance Considerations
+
+1. **Low Cardinality**: To avoid performance degradation in metrics backends (like Prometheus), do not use unique IDs (e.g., `user_id`) in `data.*` attributes.
+2. **No Actual Data**: Never place actual PII (e.g., an email address) inside these attributes. They are for metadata only.
+3. **Mandatory Review**: Any new value added to `data.category` must be approved by the Data Governance committee to ensure consistent reporting.

docs/registry/attributes/README.md

@@ -48,6 +48,7 @@ Currently, the following namespaces exist:
 - [Container](container.md)
 - [CPU](cpu.md)
 - [CPython](cpython.md)
+- [Data](data.md)
 - [DB](db.md)
 - [Deployment](deployment.md)
 - [Destination](destination.md)

docs/registry/attributes/data.md

@@ -0,0 +1,42 @@
+<!-- NOTE: THIS FILE IS AUTOGENERATED. DO NOT EDIT BY HAND. -->
+<!-- see templates/registry/markdown/attribute_namespace.md.j2 -->
+
+# Data
+
+## Data Attributes
+
+A data attribute group represents a logical or physical collection of information (e.g., a database table, an S3 object, or a message queue) being monitored for security and governance.
+
+**Attributes:**
+
+| Key | Stability | Value Type | Description | Example Values |
+| --- | --- | --- | --- | --- |
+| <a id="data-category" href="#data-category">`data.category`</a> | ![Development](https://img.shields.io/badge/-development-blue) | string | A taxonomy identifier describing the semantic nature of the data. [1] | `pii`; `financial`; `health`; `internal`; `public` |
+| <a id="data-sensitivity" href="#data-sensitivity">`data.sensitivity`</a> | ![Development](https://img.shields.io/badge/-development-blue) | string | A classification level indicating the potential impact of unauthorized disclosure. [2] | `public`; `internal`; `confidential`; `restricted` |
+
+**[1] `data.category`:** It is used for regulatory compliance mapping and filtering in governance dashboards.
+
+**[2] `data.sensitivity`:** It drives automated security workflows like alerting and encryption.
+
+---
+
+`data.category` has the following list of well-known values. If one of them applies, then the respective value MUST be used; otherwise, a custom value MAY be used.
+
+| Value | Description | Stability |
+| --- | --- | --- |
+| `financial` | Financial data (e.g., credit card numbers, bank account info). | ![Development](https://img.shields.io/badge/-development-blue) |
+| `health` | Health data (e.g., medical records, PHI). | ![Development](https://img.shields.io/badge/-development-blue) |
+| `internal` | Internal-only data. | ![Development](https://img.shields.io/badge/-development-blue) |
+| `pii` | Personally Identifiable Information. | ![Development](https://img.shields.io/badge/-development-blue) |
+| `public` | Publicly available data. | ![Development](https://img.shields.io/badge/-development-blue) |
+
+---
+
+`data.sensitivity` has the following list of well-known values. If one of them applies, then the respective value MUST be used; otherwise, a custom value MAY be used.
+
+| Value | Description | Stability |
+| --- | --- | --- |
+| `confidential` | Sensitive data that requires protection from unauthorized access. | ![Development](https://img.shields.io/badge/-development-blue) |
+| `internal` | Data intended for internal use within the organization. | ![Development](https://img.shields.io/badge/-development-blue) |
+| `public` | Data that is safe for public disclosure. | ![Development](https://img.shields.io/badge/-development-blue) |
+| `restricted` | Highly sensitive data that requires strict access controls and protection. | ![Development](https://img.shields.io/badge/-development-blue) |

model/data/registry.yaml

@@ -0,0 +1,73 @@
+groups:
+  - id: registry.data
+    type: attribute_group
+    display_name: Data Attributes
+    brief: >
+      A data attribute group represents a logical or physical collection of information (e.g., a database table, an S3 object, or a message queue) being monitored for security and governance.
+    note: >
+      In a security-aware infrastructure, context transfer is the mechanism that propagates metadata—such as `data.sensitivity`—across a distributed request chain using distributed baggage.
+      This allows every service in a pipeline to be aware of the "cargo" (the data) it is currently processing, enabling dynamic guardrails such as automated encryption, audit logging, or real-time access blocking at trust boundaries.
+    attributes:
+      - id: data.category
+        type:
+          members:
+            - id: pii
+              value: 'pii'
+              brief: >
+                Personally Identifiable Information.
+              stability: development
+            - id: financial
+              value: 'financial'
+              brief: >
+                Financial data (e.g., credit card numbers, bank account info).
+              stability: development
+            - id: health
+              value: 'health'
+              brief: >
+                Health data (e.g., medical records, PHI).
+              stability: development
+            - id: internal
+              value: 'internal'
+              brief: >
+                Internal-only data.
+              stability: development
+            - id: public
+              value: 'public'
+              brief: >
+                Publicly available data.
+              stability: development
+        stability: development
+        brief: >
+          A taxonomy identifier describing the semantic nature of the data.
+        note: >
+          It is used for regulatory compliance mapping and filtering in governance dashboards.
+        examples: ["pii", "financial", "health", "internal", "public"]
+      - id: data.sensitivity
+        type:
+          members:
+            - id: public
+              value: 'public'
+              brief: >
+                Data that is safe for public disclosure.
+              stability: development
+            - id: internal
+              value: 'internal'
+              brief: >
+                Data intended for internal use within the organization.
+              stability: development
+            - id: confidential
+              value: 'confidential'
+              brief: >
+                Sensitive data that requires protection from unauthorized access.
+              stability: development
+            - id: restricted
+              value: 'restricted'
+              brief: >
+                Highly sensitive data that requires strict access controls and protection.
+              stability: development
+        stability: development
+        brief: >
+          A classification level indicating the potential impact of unauthorized disclosure.
+        note: >
+          It drives automated security workflows like alerting and encryption.
+        examples: ["public", "internal", "confidential", "restricted"]