Move azure.identity mappings to categories

It seems azure.identity is missing from some categories, and there are
significant structural and semantic differences between them.

Author: zmoog

extension/encoding/azureencodingextension/internal/unmarshaler/logs/README.md

@@ -47,11 +47,19 @@ in OpenTelemetry Collector pipeline (for example, using `transformprocessor`) or
 
 ### Identity Field
 
-The `identity` field contains authorization and claims information. Rather than storing it as a nested structure,
-specific fields are extracted into flat, semantically meaningful attributes. Only known useful fields are extracted
-to minimize the risk of accidentally including sensitive data.
+The `identity` field has different structures across Azure log categories, so identity parsing is handled per-category:
 
-#### Authorization Fields
+- **Activity Logs**: Specific known fields are extracted into flat, semantically meaningful attributes (see below)
+- **Storage Logs**: Stored as a nested map under `azure.identity` (different structure with authorization as an array)
+- **Unknown/Generic categories**: Stored as a nested map under `azure.identity`
+
+Only known useful fields are extracted to minimize the risk of accidentally including sensitive data.
+
+#### Activity Log Identity
+
+Activity Logs contain caller identity information with JWT claims from Azure AD/Entra ID tokens and authorization details.
+
+##### Authorization Fields
 
 | Azure identity Field | OpenTelemetry | OpenTelemetry Scope |
 |---------------------|---------------|---------------------|
@@ -64,7 +72,7 @@ to minimize the risk of accidentally including sensitive data.
 | `identity.authorization.evidence.principalId` | `azure.identity.authorization.evidence.principal.id` | Log Attribute |
 | `identity.authorization.evidence.principalType` | `azure.identity.authorization.evidence.principal.type` | Log Attribute |
 
-#### Claims Fields
+##### Claims Fields
 
 Unix timestamps (`exp`, `nbf`, `iat`) are converted to RFC3339 format.
 
@@ -82,9 +90,17 @@ Unix timestamps (`exp`, `nbf`, `iat`) are converted to RFC3339 format.
 | `http://schemas.microsoft.com/claims/authnmethodsreferences` | `azure.identity.auth.methods.references` | Log Attribute |
 | `http://schemas.microsoft.com/identity/claims/identityprovider` | `azure.identity.provider` | Log Attribute |
 | `http://schemas.microsoft.com/identity/claims/objectidentifier` | `azure.identity.identifier.object` | Log Attribute |
-| `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier` | `user.name` | Log Attribute |
+| `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier` | `user.id` | Log Attribute |
 | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` | `user.email` | Log Attribute |
 
+#### Storage Log Identity
+
+Storage Logs have a different identity structure containing authorization decisions as an array, token information, and requester details. The entire identity object is stored as a nested map under `azure.identity`.
+
+#### Unknown/Generic Categories
+
+For log categories where the identity structure is not known, the entire identity object is stored as a nested map under `azure.identity` to preserve all data.
+
 ## Application Gateway
 
 ### Application Gateway Access Logs (both v1 and v2)

extension/encoding/azureencodingextension/internal/unmarshaler/logs/category.go

@@ -7,9 +7,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"time"
 
-	gojson "github.com/goccy/go-json"
 	jsoniter "github.com/json-iterator/go"
 	"go.opentelemetry.io/collector/pdata/pcommon"
 	"go.opentelemetry.io/collector/pdata/plog"
@@ -110,80 +108,6 @@ const (
 	attributeAzureRequestDuration = "azure.request.duration"
 )
 
-// Constants for Identity > claims
-const (
-	identityClaimIssuer    = "iss"
-	identityClaimSubject   = "sub"
-	identityClaimAudience  = "aud"
-	identityClaimExpires   = "exp"
-	identityClaimNotBefore = "nbf"
-	identityClaimIssuedAt  = "iat"
-
-	identityClaimScope                 = "http://schemas.microsoft.com/identity/claims/scope"
-	identityClaimType                  = "idtyp"
-	identityClaimApplicationID         = "appid"
-	identityClaimAuthMethodsReferences = "http://schemas.microsoft.com/claims/authnmethodsreferences"
-	identityClaimProvider              = "http://schemas.microsoft.com/identity/claims/identityprovider"
-	identityClaimIdentifierObject      = "http://schemas.microsoft.com/identity/claims/objectidentifier"
-	identityClaimIdentifierName        = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
-	identityClaimEmailAddress          = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
-)
-
-// Identity specific attributes
-const (
-	attributeIdentityAuthorizationScope  = "azure.identity.authorization.scope"
-	attributeIdentityAuthorizationAction = "azure.identity.authorization.action"
-	// Identity > authorization > evidence
-	attributeIdentityAuthorizationEvidenceRole                = "azure.identity.authorization.evidence.role"
-	attributeIdentityAuthorizationEvidenceRoleAssignmentScope = "azure.identity.authorization.evidence.role.assignment.scope"
-	attributeIdentityAuthorizationEvidenceRoleAssignmentID    = "azure.identity.authorization.evidence.role.assignment.id"
-	attributeIdentityAuthorizationEvidenceRoleDefinitionID    = "azure.identity.authorization.evidence.role.definition.id"
-	attributeIdentityAuthorizationEvidencePrincipalID         = "azure.identity.authorization.evidence.principal.id"
-	attributeIdentityAuthorizationEvidencePrincipalType       = "azure.identity.authorization.evidence.principal.type"
-	// Identity > claims (standard JWT claims)
-	attributeIdentityClaimsAudience  = "azure.identity.audience"
-	attributeIdentityClaimsIssuer    = "azure.identity.issuer"
-	attributeIdentityClaimsSubject   = "azure.identity.subject"
-	attributeIdentityClaimsNotAfter  = "azure.identity.not_after"
-	attributeIdentityClaimsNotBefore = "azure.identity.not_before"
-	attributeIdentityClaimsCreated   = "azure.identity.created"
-	// Identity > claims (Azure specific claims)
-	attributeIdentityClaimsScope                 = "azure.identity.scope"
-	attributeIdentityClaimsType                  = "azure.identity.type"
-	attributeIdentityClaimsApplicationID         = "azure.identity.application.id"
-	attributeIdentityClaimsAuthMethodsReferences = "azure.identity.auth.methods.references"
-	attributeIdentityClaimsIdentifierObject      = "azure.identity.identifier.object"
-	attributeIdentityClaimsIdentifierName        = "user.name"
-	attributeIdentityClaimsProvider              = "azure.identity.provider"
-)
-
-// evidence describes role assignment evidence in identity authorization
-type evidence struct {
-	Role                string `json:"role"`
-	RoleAssignmentScope string `json:"roleAssignmentScope"`
-	RoleAssignmentID    string `json:"roleAssignmentId"`
-	RoleDefinitionID    string `json:"roleDefinitionId"`
-	PrincipalID         string `json:"principalId"`
-	PrincipalType       string `json:"principalType"`
-}
-
-// authorization describes identity authorization details
-type authorization struct {
-	Scope    string    `json:"scope"`
-	Action   string    `json:"action"`
-	Evidence *evidence `json:"evidence"`
-}
-
-// identity describes the identity of the user or application that performed the operation
-// described by the log event.
-type identity struct {
-	// Claims usually contains the JWT token used by Active Directory
-	// to authenticate the user or application to perform this
-	// operation in Resource Manager.
-	Claims        map[string]string `json:"claims"`
-	Authorization *authorization    `json:"authorization"`
-}
-
 var errNoTimestamp = errors.New("no valid time fields are set on Log record ('time' or 'timestamp')")
 
 // azureLogRecord is a common interface for all category-specific structures
@@ -200,21 +124,20 @@ type azureLogRecord interface {
 // This schema are applicable to most Resource Logs and
 // can be extended with additional fields for specific Log Categories
 type azureLogRecordBase struct {
-	Time              string          `json:"time"`      // most Categories use this field for timestamp
-	TimeStamp         string          `json:"timestamp"` // some Categories use this field for timestamp
-	ResourceID        string          `json:"resourceId"`
-	TenantID          string          `json:"tenantId"`
-	OperationName     string          `json:"operationName"`
-	OperationVersion  *string         `json:"operationVersion"`
-	ResultType        *string         `json:"resultType"`
-	ResultSignature   *string         `json:"resultSignature"`
-	ResultDescription *string         `json:"resultDescription"`
-	DurationMs        *json.Number    `json:"durationMs"` // int
-	CallerIPAddress   *string         `json:"callerIpAddress"`
-	CorrelationID     *string         `json:"correlationId"`
-	Identity          json.RawMessage `json:"identity"`
-	Level             *json.Number    `json:"level"`
-	Location          string          `json:"location"`
+	Time              string       `json:"time"`      // most Categories use this field for timestamp
+	TimeStamp         string       `json:"timestamp"` // some Categories use this field for timestamp
+	ResourceID        string       `json:"resourceId"`
+	TenantID          string       `json:"tenantId"`
+	OperationName     string       `json:"operationName"`
+	OperationVersion  *string      `json:"operationVersion"`
+	ResultType        *string      `json:"resultType"`
+	ResultSignature   *string      `json:"resultSignature"`
+	ResultDescription *string      `json:"resultDescription"`
+	DurationMs        *json.Number `json:"durationMs"` // int
+	CallerIPAddress   *string      `json:"callerIpAddress"`
+	CorrelationID     *string      `json:"correlationId"`
+	Level             *json.Number `json:"level"`
+	Location          string       `json:"location"`
 }
 
 // GetResource returns resource attributes for the parsed Log Record
@@ -274,99 +197,10 @@ func (r *azureLogRecordBase) PutCommonAttributes(attrs pcommon.Map, _ pcommon.Va
 	unmarshaler.AttrPutStrPtrIf(attrs, string(conventions.NetworkPeerAddressKey), r.CallerIPAddress)
 	unmarshaler.AttrPutStrPtrIf(attrs, attributeAzureCorrelationID, r.CorrelationID)
 	unmarshaler.AttrPutIntNumberPtrIf(attrs, attributeAzureOperationDuration, r.DurationMs)
-	addIdentityAttributes(r.Identity, attrs)
-}
-
-// addIdentityAttributes extracts identity details
-//
-// The `identity` field is part of the Top-level common schema for
-// resource logs and it's also in use in the activity logs.
-//
-// We're applying the strategy to only pick the identity elements
-// that we know are useful. This approach also minimizes the risk
-// of accidentally including sensitive data.
-func addIdentityAttributes(identityJSON json.RawMessage, attrs pcommon.Map) {
-	if len(identityJSON) == 0 {
-		return
-	}
-
-	var id identity
-	if err := gojson.Unmarshal(identityJSON, &id); err != nil {
-		return
-	}
-
-	// Authorization
-	// ------------------------------------------------------------
-
-	if id.Authorization != nil {
-		unmarshaler.AttrPutStrIf(attrs, attributeIdentityAuthorizationScope, id.Authorization.Scope)
-		unmarshaler.AttrPutStrIf(attrs, attributeIdentityAuthorizationAction, id.Authorization.Action)
-
-		if id.Authorization.Evidence != nil {
-			unmarshaler.AttrPutStrIf(attrs, attributeIdentityAuthorizationEvidenceRole, id.Authorization.Evidence.Role)
-			unmarshaler.AttrPutStrIf(attrs, attributeIdentityAuthorizationEvidenceRoleAssignmentScope, id.Authorization.Evidence.RoleAssignmentScope)
-			unmarshaler.AttrPutStrIf(attrs, attributeIdentityAuthorizationEvidenceRoleAssignmentID, id.Authorization.Evidence.RoleAssignmentID)
-			unmarshaler.AttrPutStrIf(attrs, attributeIdentityAuthorizationEvidenceRoleDefinitionID, id.Authorization.Evidence.RoleDefinitionID)
-			unmarshaler.AttrPutStrIf(attrs, attributeIdentityAuthorizationEvidencePrincipalID, id.Authorization.Evidence.PrincipalID)
-			unmarshaler.AttrPutStrIf(attrs, attributeIdentityAuthorizationEvidencePrincipalType, id.Authorization.Evidence.PrincipalType)
-		}
-	}
-
-	// Claims
-	// ------------------------------------------------------------
-
-	// Extract known claims details we want to include in the
-	// log record.
-	// Extract common claim fields
-
-	if iss := id.Claims[identityClaimIssuer]; iss != "" {
-		attrs.PutStr(attributeIdentityClaimsIssuer, iss)
-	}
-	if sub := id.Claims[identityClaimSubject]; sub != "" {
-		attrs.PutStr(attributeIdentityClaimsSubject, sub)
-	}
-	if aud := id.Claims[identityClaimAudience]; aud != "" {
-		attrs.PutStr(attributeIdentityClaimsAudience, aud)
-	}
-	if exp := id.Claims[identityClaimExpires]; exp != "" {
-		if expTime, err := parseUnixTimestamp(exp); err == nil {
-			attrs.PutStr(attributeIdentityClaimsNotAfter, expTime.Format(time.RFC3339))
-		}
-	}
-	if nbf := id.Claims[identityClaimNotBefore]; nbf != "" {
-		if nbfTime, err := parseUnixTimestamp(nbf); err == nil {
-			attrs.PutStr(attributeIdentityClaimsNotBefore, nbfTime.Format(time.RFC3339))
-		}
-	}
-	if iat := id.Claims[identityClaimIssuedAt]; iat != "" {
-		if iatTime, err := parseUnixTimestamp(iat); err == nil {
-			attrs.PutStr(attributeIdentityClaimsCreated, iatTime.Format(time.RFC3339))
-		}
-	}
-	if scope := id.Claims[identityClaimScope]; scope != "" {
-		attrs.PutStr(attributeIdentityClaimsScope, scope)
-	}
-	if idtyp := id.Claims[identityClaimType]; idtyp != "" {
-		attrs.PutStr(attributeIdentityClaimsType, idtyp)
-	}
-	if appid := id.Claims[identityClaimApplicationID]; appid != "" {
-		attrs.PutStr(attributeIdentityClaimsApplicationID, appid)
-	}
-	if authmethods := id.Claims[identityClaimAuthMethodsReferences]; authmethods != "" {
-		attrs.PutStr(attributeIdentityClaimsAuthMethodsReferences, authmethods)
-	}
-	if provider := id.Claims[identityClaimProvider]; provider != "" {
-		attrs.PutStr(attributeIdentityClaimsProvider, provider)
-	}
-	if object := id.Claims[identityClaimIdentifierObject]; object != "" {
-		attrs.PutStr(attributeIdentityClaimsIdentifierObject, object)
-	}
-	if name := id.Claims[identityClaimIdentifierName]; name != "" {
-		attrs.PutStr(attributeIdentityClaimsIdentifierName, name)
-	}
-	if email := id.Claims[identityClaimEmailAddress]; email != "" {
-		attrs.PutStr(string(conventions.UserEmailKey), email)
-	}
+	// Identity is NOT processed here. Each category-specific struct is
+	// responsible for calling the appropriate identity parser in its own
+	// PutCommonAttributes override, because the identity field has different
+	// structures across Azure log categories (Activity, Storage, etc.).
 }
 
 // PutProperties puts already attributes from "properties" field into provided Attributes Map/Body
@@ -376,10 +210,12 @@ func (*azureLogRecordBase) PutProperties(_ pcommon.Map, _ pcommon.Value) error {
 	return nil
 }
 
-// azureLogRecordBase represents a single Azure log following the common schema,
-// but has unknown for us Category
+// azureLogRecordGeneric represents a single Azure log following the common schema,
+// but has unknown for us Category.
 // In this case we couldn't correctly map properties to attributes and simply copy them
-// as-is to the attributes
+// as-is to the attributes.
+// Identity is not handled for unknown categories - each known category handles
+// its own identity structure with a typed struct.
 type azureLogRecordGeneric struct {
 	azureLogRecordBase