grpc-go
metadata: MD.String should only show metadata known to not contain tokens or other PII
Unfortunately, we know this change will break etcd, so it should not be done yet. (See: https://github.com/etcd-io/etcd/blob/21e5876f7f0539509c277b4c2a3ba1b1599b1721/client/v3/watch.go#L1038-L1043.) I will file an issue in the etcd repo and link it here.
Update: the changes have been made to etcd to stop relying on this, and have been backported to release branches, but we still need to wait for their releases before implementing anything.
etcd seems to have made plenty of releases since the last update on this issue. So, we are not blocked anymore.
We seem to have removed the MD.String method in https://github.com/grpc/grpc-go/pull/7372.
My memory is very hazy here. Was the plan that we add it back, but only print keys that we think are safe? But folks can still print the whole metadata by casting it to the underlying type map[string][]string, right? Do we really need to do this? @dfawley
Correct, the plan was to re-add it in a way where it censored anything that wasn't specifically allowed, to help prevent sensitive data leakage if someone does log(md) or log(some_thing_containing_metadata). Users can always intentionally print all the fields if that is what they really want, but the idea was to try to prevent accidents.
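
The allowlist approach described in the last comment, as an added Go example that is not grpc-go's code: `MD` is a local stand-in for the `map[string][]string` type, and the `safeKeys` allowlist, the `rpcInfo` struct and the sample values are assumptions constructed for illustration. It also covers `%#v`, which bypasses `String` unless `GoString` is defined as well.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// MD is a local stand-in with the same underlying type as metadata.MD.
type MD map[string][]string

// safeKeys is a hypothetical allowlist; which keys are safe is an assumption.
var safeKeys = map[string]bool{"content-type": true, "user-agent": true}

// String prints values only for allowlisted keys. Other keys stay visible,
// but their values are replaced by a marker carrying the value count.
func (md MD) String() string {
	keys := make([]string, 0, len(md))
	for k := range md {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic order for logs and tests
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		if safeKeys[strings.ToLower(k)] {
			parts = append(parts, fmt.Sprintf("%s=%q", k, md[k]))
		} else {
			parts = append(parts, fmt.Sprintf("%s=[REDACTED x%d]", k, len(md[k])))
		}
	}
	return "MD{" + strings.Join(parts, ", ") + "}"
}

// GoString keeps %#v from dumping the raw map, which it would do otherwise.
func (md MD) GoString() string { return md.String() }

// rpcInfo is a hypothetical struct that happens to embed metadata.
type rpcInfo struct{ Header MD }

// sample returns constructed metadata; the token is not a real credential.
func sample() MD { return MD{"authorization": {"Bearer constructed-token"}, "content-type": {"application/grpc"}} }

func main() {
	md := sample()
	fmt.Println(md)                         // accidental log(md): redacted
	fmt.Printf("%v\n", rpcInfo{Header: md}) // nested in a struct: redacted
	fmt.Printf("%#v\n", md)                 // redacted because of GoString
	fmt.Println(map[string][]string(md))    // intentional cast: full values
}
```
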