Metrics for cloud requests (#135796)

ankit--sethi · slobodanadamovic · web-flow · commit 23e7d539bd47 · 2025-10-10T20:53:18.000+02:00
* working commit

* Update x-pack/plugin/security/src/main/java/module-info.java

Co-authored-by: Slobodan Adamović &lt;slobodanadamovic@users.noreply.github.com&gt;

* clean up

---------

Co-authored-by: Slobodan Adamović &lt;slobodanadamovic@users.noreply.github.com&gt;
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/SecurityExtension.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/SecurityExtension.java
@@ -12,6 +12,7 @@
 import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.env.Environment;
+import org.elasticsearch.telemetry.TelemetryProvider;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.watcher.ResourceWatcherService;
 import org.elasticsearch.xpack.core.security.authc.AuthenticationFailureHandler;
@@ -64,6 +65,9 @@ interface SecurityComponents {
 
         /** Provides the ability to access project-scoped data from the global scope **/
         ProjectResolver projectResolver();
+
+        /** Provides the ability to access the APM tracer and meter registry **/
+        TelemetryProvider telemetryProvider();
     }
 
     /**
diff --git a/x-pack/plugin/security/src/main/java/module-info.java b/x-pack/plugin/security/src/main/java/module-info.java
@@ -80,6 +80,7 @@
     exports org.elasticsearch.xpack.security.transport.extension to org.elasticsearch.internal.security;
     exports org.elasticsearch.xpack.security.transport to org.elasticsearch.internal.security;
     exports org.elasticsearch.xpack.security.audit to org.elasticsearch.internal.security;
+    exports org.elasticsearch.xpack.security.metric to org.elasticsearch.internal.security;
 
     provides org.elasticsearch.index.SlowLogFieldProvider with org.elasticsearch.xpack.security.slowlog.SecuritySlowLogFieldProvider;
 
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java
@@ -865,7 +865,8 @@ Collection<Object> createComponents(
             clusterService,
             resourceWatcherService,
             userRoleMapper,
-            projectResolver
+            projectResolver,
+            telemetryProvider
         );
         Map<String, Realm.Factory> realmFactories = new HashMap<>(
             InternalRealms.getFactories(
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/metric/InstrumentedSecurityActionListener.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/metric/InstrumentedSecurityActionListener.java
@@ -42,4 +42,28 @@ public static <R, C> ActionListener<AuthenticationResult<R>> wrapForAuthc(
         }), () -> metrics.recordTime(context, startTimeNano));
     }
 
+    /**
+     * A simpler variant that re-uses the Authentication Result as the context. This can be handy in situations where the attributes that
+     * are of interest are available only after the authentication is completed and not before.
+     * As a natural consequence, there will be no context available at the point of recording start time and in cases of exceptional failure
+     */
+    public static <R> ActionListener<AuthenticationResult<R>> wrapForAuthc(
+        final SecurityMetrics<AuthenticationResult<R>> metrics,
+        final ActionListener<AuthenticationResult<R>> listener
+    ) {
+        assert metrics.type().group() == SecurityMetricGroup.AUTHC;
+        final long startTimeNano = metrics.relativeTimeInNanos();
+        return ActionListener.runBefore(ActionListener.wrap(result -> {
+            if (result.isAuthenticated()) {
+                metrics.recordSuccess(result);
+            } else {
+                metrics.recordFailure(result, result.getMessage());
+            }
+            listener.onResponse(result);
+        }, e -> {
+            metrics.recordFailure(null, e.getMessage());
+            listener.onFailure(e);
+        }), () -> metrics.recordTime(null, startTimeNano));
+    }
+
 }
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/metric/SecurityMetricType.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/metric/SecurityMetricType.java
@@ -19,6 +19,25 @@ public enum SecurityMetricType {
         new SecurityMetricInfo("es.security.authc.api_key.time", "Time it took (in nanoseconds) to execute API key authentication.", "ns")
     ),
 
+    CLOUD_AUTHC_API_KEY(
+        SecurityMetricGroup.AUTHC,
+        new SecurityMetricInfo(
+            "es.security.authc.cloud_api_key.success.total",
+            "Number of successful cloud API key authentications.",
+            "count"
+        ),
+        new SecurityMetricInfo(
+            "es.security.authc.cloud_api_key.failures.total",
+            "Number of failed cloud API key authentications.",
+            "count"
+        ),
+        new SecurityMetricInfo(
+            "es.security.authc.cloud_api_key.time",
+            "Time it took (in nanoseconds) to execute cloud API key authentication.",
+            "ns"
+        )
+    ),
+
     AUTHC_SERVICE_ACCOUNT(
         SecurityMetricGroup.AUTHC,
         new SecurityMetricInfo(
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/ExtensionComponents.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/ExtensionComponents.java
@@ -12,6 +12,7 @@
 import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.env.Environment;
+import org.elasticsearch.telemetry.TelemetryProvider;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.watcher.ResourceWatcherService;
 import org.elasticsearch.xpack.core.security.SecurityExtension;
@@ -27,21 +28,24 @@ public final class ExtensionComponents implements SecurityExtension.SecurityComp
     private final ResourceWatcherService resourceWatcherService;
     private final UserRoleMapper roleMapper;
     private final ProjectResolver projectResolver;
+    private final TelemetryProvider telemetryProvider;
 
     public ExtensionComponents(
         Environment environment,
         Client client,
         ClusterService clusterService,
         ResourceWatcherService resourceWatcherService,
         UserRoleMapper roleMapper,
-        ProjectResolver projectResolver
+        ProjectResolver projectResolver,
+        TelemetryProvider telemetryProvider
     ) {
         this.environment = environment;
         this.client = client;
         this.clusterService = clusterService;
         this.resourceWatcherService = resourceWatcherService;
         this.roleMapper = roleMapper;
         this.projectResolver = projectResolver;
+        this.telemetryProvider = telemetryProvider;
     }
 
     @Override
@@ -83,4 +87,9 @@ public UserRoleMapper roleMapper() {
     public ProjectResolver projectResolver() {
         return projectResolver;
     }
+
+    @Override
+    public TelemetryProvider telemetryProvider() {
+        return telemetryProvider;
+    }
 }
