Skip to content

fix(mcp): tag MCP SQL queries with /* atlan-mcp */ comment for log observability#220

Closed
kabhishek1001 wants to merge 1 commit intomainfrom
fix/mcp-query-observability-tagging
Closed

fix(mcp): tag MCP SQL queries with /* atlan-mcp */ comment for log observability#220
kabhishek1001 wants to merge 1 commit intomainfrom
fix/mcp-query-observability-tagging

Conversation

@kabhishek1001
Copy link
Copy Markdown

@kabhishek1001 kabhishek1001 commented Apr 16, 2026

Summary

  • Root cause context: MCP-originated SQL queries executed via query_assets_tool are currently indistinguishable from UI-initiated queries in Heka's SQL_QUERY_EXECUTED OTEL logs because pyatlan.model.query.QueryRequest has no application or source field, and Heka defaults all queries to application=adhoc.
  • Fix: Prepend /* atlan-mcp */ as a SQL block comment to every query submitted through query_asset(). This comment passes through Heka unchanged and appears in the db.statement field of the OTEL log, enabling reliable log filtering.
  • Why comment, not field: QueryRequest exposes only sql, data_source_name, and default_schema. AtlanObject uses Extra.ignore, so passing application= silently no-ops. A SQL comment is the only zero-dependency way to tag origin without pyatlan SDK changes.

Change

modelcontextprotocol/tools/query.py

# Before
query_request = QueryRequest(
    sql=sql,
    data_source_name=connection_qualified_name,
    default_schema=default_schema,
)

# After
tagged_sql = f"/* atlan-mcp */ {sql.strip()}"
query_request = QueryRequest(
    sql=tagged_sql,
    data_source_name=connection_qualified_name,
    default_schema=default_schema,
)

Log impact

After this fix, MCP queries are directly filterable in ClickHouse:

SELECT Body FROM otel_logs.service_logs
WHERE ServiceName = 'heka'
  AND Body LIKE '%/* atlan-mcp */%'
  AND Body LIKE '%jdbcExtras%'

Related

This is the observability companion to a separate Heka-side fix where credentialStrategy=custombyocsso unconditionally uses the service account private key for Snowflake JDBC connections, ignoring the validated byocSsoAccessToken. The Heka fix is required to actually resolve the RBAC bypass; this PR ensures MCP queries are auditable in the interim.

Test plan

  • Run query_assets_tool against a Snowflake connection on a test tenant
  • Confirm /* atlan-mcp */ appears in db.statement field in Heka OTEL logs (otel_logs.service_logs where ServiceName='heka')
  • Confirm query executes successfully with comment prefix (Snowflake, BigQuery, Redshift all support /* */ block comments)
  • Verify no regression in existing tool tests

🤖 Generated with Claude Code

@kabhishek1001 @claude
fix(mcp): tag MCP-originated SQL queries with origin comment for obse…
a835b1b 
…rvability

Prepend `/* atlan-mcp */` to all SQL queries executed via `query_asset`
so they are identifiable in Heka's `db.statement` OTEL field. Without
this tag, MCP queries are indistinguishable from UI-initiated queries in
downstream log analysis.

`QueryRequest` has no `application` or source field, making a SQL block
comment the only portable origin tag that survives to the execution log
without pyatlan SDK changes.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Hk669 Hk669 Awaiting requested review from Hk669 Hk669 is a code owner

@firecast firecast Awaiting requested review from firecast firecast is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@kabhishek1001