Client

Datastore >= v1.14.0

Environment

Any

Go Environment

Any (but tested on go version go1.21.11 darwin/arm64)

Code

package main

import (
	"cloud.google.com/go/datastore"
	"fmt"
)

func main() {
	k := datastore.NameKey("Foo", "Bar", nil)
	fmt.Printf("Key (no namespace)\t%s\n", k)

	k.Namespace = "Sensitive"
	fmt.Printf("Key (namespaced)\t%s\n", k)
}

Expected behavior

Calling String() on a *datastore.Key functions the way it always did, keeping namespace opaque.

Key (no namespace)      /Foo,Bar
Key (namespaced)        /Foo,Bar

Actual behavior

Namespace is leaked when calling String().

Key (no namespace)      /Foo,Bar
Key (namespaced)        /Foo,Bar,Sensitive

Additional context

I understand that the change was made in #8363 to fix a real bug. However, the fix changed a stable API to achieve its goals, making it difficult to consume the latest library if there are tests that check for logs or other things containing the string value of a key. Furthermore, as we use namespaces for multi-tenancy, it's important that we don't accidentally leak namespace values outside of logs (via API or some other means). While it's possible to audit our code to never use a String() representation of the key, or to ever present keys at all, it feels like the best course of action is to not include the namespace in the string representation at all.