Remove high-cardinality security metric's attributes (#136534)

slobodanadamovic · web-flow · commit 28aa12310e4c · 2025-10-15T18:44:36.000+02:00
Removing high-cardinality metric attributes to avoid dimensionality
explosion that can cause performance issues.

These attributes are not used. The original idea was that we may want to
track authentication times per e.g. individual API key, but that turned
out unnecessary. We are mostly interested in recording average and
percentile authentication times.
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyAuthenticator.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyAuthenticator.java
@@ -21,17 +21,14 @@
 import org.elasticsearch.xpack.security.metric.SecurityMetricType;
 import org.elasticsearch.xpack.security.metric.SecurityMetrics;
 
-import java.util.HashMap;
 import java.util.Map;
 import java.util.function.LongSupplier;
 
 import static org.elasticsearch.core.Strings.format;
 
 class ApiKeyAuthenticator implements Authenticator {
 
-    public static final String ATTRIBUTE_API_KEY_ID = "es.security.api_key_id";
     public static final String ATTRIBUTE_API_KEY_TYPE = "es.security.api_key_type";
-    public static final String ATTRIBUTE_API_KEY_AUTHC_FAILURE_REASON = "es.security.api_key_authc_failure_reason";
 
     private static final Logger logger = LogManager.getLogger(ApiKeyAuthenticator.class);
 
@@ -47,7 +44,7 @@ class ApiKeyAuthenticator implements Authenticator {
         this.authenticationMetrics = new SecurityMetrics<>(
             SecurityMetricType.AUTHC_API_KEY,
             meterRegistry,
-            this::buildMetricAttributes,
+            credentials -> Map.of(ATTRIBUTE_API_KEY_TYPE, credentials.getExpectedType().value()),
             nanoTimeSupplier
         );
         this.apiKeyService = apiKeyService;
@@ -104,14 +101,4 @@ public void authenticate(Context context, ActionListener<AuthenticationResult<Au
             }, e -> listener.onFailure(context.getRequest().exceptionProcessingRequest(e, null))))
         );
     }
-
-    private Map<String, Object> buildMetricAttributes(ApiKeyCredentials credentials, String failureReason) {
-        final Map<String, Object> attributes = new HashMap<>(failureReason != null ? 3 : 2);
-        attributes.put(ATTRIBUTE_API_KEY_ID, credentials.getId());
-        attributes.put(ATTRIBUTE_API_KEY_TYPE, credentials.getExpectedType().value());
-        if (failureReason != null) {
-            attributes.put(ATTRIBUTE_API_KEY_AUTHC_FAILURE_REASON, failureReason);
-        }
-        return attributes;
-    }
 }
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/OAuth2TokenAuthenticator.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/OAuth2TokenAuthenticator.java
@@ -26,8 +26,6 @@
 
 class OAuth2TokenAuthenticator implements Authenticator {
 
-    public static final String ATTRIBUTE_AUTHC_FAILURE_REASON = "es.security.token_authc_failure_reason";
-
     private static final Logger logger = LogManager.getLogger(OAuth2TokenAuthenticator.class);
 
     private final SecurityMetrics<BearerToken> authenticationMetrics;
@@ -41,7 +39,7 @@ class OAuth2TokenAuthenticator implements Authenticator {
         this.authenticationMetrics = new SecurityMetrics<>(
             SecurityMetricType.AUTHC_OAUTH2_TOKEN,
             meterRegistry,
-            this::buildMetricAttributes,
+            token -> Map.of(),
             nanoTimeSupplier
         );
         this.tokenService = tokenService;
@@ -88,10 +86,4 @@ private void doAuthenticate(Context context, BearerToken bearerToken, ActionList
         }));
     }
 
-    private Map<String, Object> buildMetricAttributes(BearerToken token, String failureReason) {
-        if (failureReason != null) {
-            return Map.of(ATTRIBUTE_AUTHC_FAILURE_REASON, failureReason);
-        }
-        return Map.of();
-    }
 }
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/RealmsAuthenticator.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/RealmsAuthenticator.java
@@ -32,7 +32,6 @@
 
 import java.util.ArrayList;
 import java.util.Collections;
-import java.util.HashMap;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
@@ -48,7 +47,6 @@ public class RealmsAuthenticator implements Authenticator {
 
     public static final String ATTRIBUTE_REALM_NAME = "es.security.realm_name";
     public static final String ATTRIBUTE_REALM_TYPE = "es.security.realm_type";
-    public static final String ATTRIBUTE_REALM_AUTHC_FAILURE_REASON = "es.security.realm_authc_failure_reason";
 
     private static final Logger logger = LogManager.getLogger(RealmsAuthenticator.class);
 
@@ -71,7 +69,7 @@ public RealmsAuthenticator(AtomicLong numInvalidation, Cache<String, Realm> last
         this.authenticationMetrics = new SecurityMetrics<>(
             SecurityMetricType.AUTHC_REALMS,
             meterRegistry,
-            this::buildMetricAttributes,
+            realm -> Map.ofEntries(Map.entry(ATTRIBUTE_REALM_NAME, realm.name()), Map.entry(ATTRIBUTE_REALM_TYPE, realm.type())),
             nanoTimeSupplier
         );
     }
@@ -418,14 +416,4 @@ public synchronized Throwable fillInStackTrace() {
             return this;
         }
     }
-
-    private Map<String, Object> buildMetricAttributes(Realm realm, String failureReason) {
-        final Map<String, Object> attributes = new HashMap<>(failureReason != null ? 3 : 2);
-        attributes.put(ATTRIBUTE_REALM_NAME, realm.name());
-        attributes.put(ATTRIBUTE_REALM_TYPE, realm.type());
-        if (failureReason != null) {
-            attributes.put(ATTRIBUTE_REALM_AUTHC_FAILURE_REASON, failureReason);
-        }
-        return attributes;
-    }
 }
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ServiceAccountAuthenticator.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ServiceAccountAuthenticator.java
@@ -21,15 +21,12 @@
 import org.elasticsearch.xpack.security.metric.SecurityMetricType;
 import org.elasticsearch.xpack.security.metric.SecurityMetrics;
 
-import java.util.HashMap;
 import java.util.Map;
 import java.util.function.LongSupplier;
 
 class ServiceAccountAuthenticator implements Authenticator {
 
     public static final String ATTRIBUTE_SERVICE_ACCOUNT_ID = "es.security.service_account_id";
-    public static final String ATTRIBUTE_SERVICE_ACCOUNT_TOKEN_NAME = "es.security.service_account_token_name";
-    public static final String ATTRIBUTE_AUTHC_FAILURE_REASON = "es.security.service_account_authc_failure_reason";
 
     private static final Logger logger = LogManager.getLogger(ServiceAccountAuthenticator.class);
     private final ServiceAccountService serviceAccountService;
@@ -52,7 +49,7 @@ class ServiceAccountAuthenticator implements Authenticator {
         this.authenticationMetrics = new SecurityMetrics<>(
             SecurityMetricType.AUTHC_SERVICE_ACCOUNT,
             meterRegistry,
-            this::buildMetricAttributes,
+            serviceAccountToken -> Map.of(ATTRIBUTE_SERVICE_ACCOUNT_ID, serviceAccountToken.getAccountId().asPrincipal()),
             nanoTimeSupplier
         );
     }
@@ -99,14 +96,4 @@ private void doAuthenticate(
             listener.onFailure(context.getRequest().exceptionProcessingRequest(e, serviceAccountToken));
         }));
     }
-
-    private Map<String, Object> buildMetricAttributes(ServiceAccountToken serviceAccountToken, String failureReason) {
-        final Map<String, Object> attributes = new HashMap<>(3);
-        attributes.put(ATTRIBUTE_SERVICE_ACCOUNT_ID, serviceAccountToken.getAccountId().asPrincipal());
-        attributes.put(ATTRIBUTE_SERVICE_ACCOUNT_TOKEN_NAME, serviceAccountToken.getTokenName());
-        if (failureReason != null) {
-            attributes.put(ATTRIBUTE_AUTHC_FAILURE_REASON, failureReason);
-        }
-        return attributes;
-    }
 }
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/metric/InstrumentedSecurityActionListener.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/metric/InstrumentedSecurityActionListener.java
@@ -33,11 +33,11 @@ public static <R, C> ActionListener<AuthenticationResult<R>> wrapForAuthc(
             if (result.isAuthenticated()) {
                 metrics.recordSuccess(context);
             } else {
-                metrics.recordFailure(context, result.getMessage());
+                metrics.recordFailure(context);
             }
             listener.onResponse(result);
         }, e -> {
-            metrics.recordFailure(context, e.getMessage());
+            metrics.recordFailure(context);
             listener.onFailure(e);
         }), () -> metrics.recordTime(context, startTimeNano));
     }
@@ -57,11 +57,11 @@ public static <R> ActionListener<AuthenticationResult<R>> wrapForAuthc(
             if (result.isAuthenticated()) {
                 metrics.recordSuccess(result);
             } else {
-                metrics.recordFailure(result, result.getMessage());
+                metrics.recordFailure(result);
             }
             listener.onResponse(result);
         }, e -> {
-            metrics.recordFailure(null, e.getMessage());
+            metrics.recordFailure(null);
             listener.onFailure(e);
         }), () -> metrics.recordTime(null, startTimeNano));
     }
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/metric/SecurityMetricAttributesBuilder.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/metric/SecurityMetricAttributesBuilder.java
@@ -12,10 +12,6 @@
 @FunctionalInterface
 public interface SecurityMetricAttributesBuilder<C> {
 
-    Map<String, Object> build(C context, String failureReason);
-
-    default Map<String, Object> build(C context) {
-        return build(context, null);
-    }
+    Map<String, Object> build(C context);
 
 }
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/metric/SecurityMetrics.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/metric/SecurityMetrics.java
@@ -69,10 +69,9 @@ public void recordSuccess(final C context) {
      * Records a single failed execution.
      *
      * @param context       The context object which is used to attach additional attributes to failed metric.
-     * @param failureReason The optional failure reason which is stored as an attributed with recorded failure metric.
      */
-    public void recordFailure(final C context, final String failureReason) {
-        this.failuresCounter.incrementBy(1L, attributesBuilder.build(context, failureReason));
+    public void recordFailure(final C context) {
+        this.failuresCounter.incrementBy(1L, attributesBuilder.build(context));
     }
 
     /**
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyAuthenticatorTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyAuthenticatorTests.java
@@ -114,10 +114,7 @@ public void testRecordingSuccessfulAuthenticationMetrics() {
         assertSingleSuccessAuthMetric(
             telemetryPlugin,
             SecurityMetricType.AUTHC_API_KEY,
-            Map.ofEntries(
-                Map.entry(ApiKeyAuthenticator.ATTRIBUTE_API_KEY_ID, apiKeyCredentials.getId()),
-                Map.entry(ApiKeyAuthenticator.ATTRIBUTE_API_KEY_TYPE, apiKeyCredentials.getExpectedType().value())
-            )
+            Map.ofEntries(Map.entry(ApiKeyAuthenticator.ATTRIBUTE_API_KEY_TYPE, apiKeyCredentials.getExpectedType().value()))
         );
 
         // verify that there were no failures recorded
@@ -128,10 +125,7 @@ public void testRecordingSuccessfulAuthenticationMetrics() {
             telemetryPlugin,
             SecurityMetricType.AUTHC_API_KEY,
             executionTimeInNanos,
-            Map.ofEntries(
-                Map.entry(ApiKeyAuthenticator.ATTRIBUTE_API_KEY_ID, apiKeyCredentials.getId()),
-                Map.entry(ApiKeyAuthenticator.ATTRIBUTE_API_KEY_TYPE, apiKeyCredentials.getExpectedType().value())
-            )
+            Map.ofEntries(Map.entry(ApiKeyAuthenticator.ATTRIBUTE_API_KEY_TYPE, apiKeyCredentials.getExpectedType().value()))
         );
     }
 
@@ -175,23 +169,15 @@ public void testRecordingFailedAuthenticationMetrics() {
             assertSingleFailedAuthMetric(
                 telemetryPlugin,
                 SecurityMetricType.AUTHC_API_KEY,
-                Map.ofEntries(
-                    Map.entry(ApiKeyAuthenticator.ATTRIBUTE_API_KEY_ID, apiKeyCredentials.getId()),
-                    Map.entry(ApiKeyAuthenticator.ATTRIBUTE_API_KEY_TYPE, apiKeyCredentials.getExpectedType().value()),
-                    Map.entry(ApiKeyAuthenticator.ATTRIBUTE_API_KEY_AUTHC_FAILURE_REASON, "terminated API key auth")
-                )
+                Map.ofEntries(Map.entry(ApiKeyAuthenticator.ATTRIBUTE_API_KEY_TYPE, apiKeyCredentials.getExpectedType().value()))
             );
         } else {
             var authResult = future.actionGet();
             assertThat(authResult.isAuthenticated(), equalTo(false));
             assertSingleFailedAuthMetric(
                 telemetryPlugin,
                 SecurityMetricType.AUTHC_API_KEY,
-                Map.ofEntries(
-                    Map.entry(ApiKeyAuthenticator.ATTRIBUTE_API_KEY_ID, apiKeyCredentials.getId()),
-                    Map.entry(ApiKeyAuthenticator.ATTRIBUTE_API_KEY_TYPE, apiKeyCredentials.getExpectedType().value()),
-                    Map.entry(ApiKeyAuthenticator.ATTRIBUTE_API_KEY_AUTHC_FAILURE_REASON, "unsuccessful API key auth")
-                )
+                Map.ofEntries(Map.entry(ApiKeyAuthenticator.ATTRIBUTE_API_KEY_TYPE, apiKeyCredentials.getExpectedType().value()))
             );
         }
 
@@ -203,10 +189,7 @@ public void testRecordingFailedAuthenticationMetrics() {
             telemetryPlugin,
             SecurityMetricType.AUTHC_API_KEY,
             executionTimeInNanos,
-            Map.ofEntries(
-                Map.entry(ApiKeyAuthenticator.ATTRIBUTE_API_KEY_ID, apiKeyCredentials.getId()),
-                Map.entry(ApiKeyAuthenticator.ATTRIBUTE_API_KEY_TYPE, apiKeyCredentials.getExpectedType().value())
-            )
+            Map.ofEntries(Map.entry(ApiKeyAuthenticator.ATTRIBUTE_API_KEY_TYPE, apiKeyCredentials.getExpectedType().value()))
         );
     }
 
@@ -241,11 +224,7 @@ public void testRecordingFailedAuthenticationMetricsOnExceptions() {
         assertSingleFailedAuthMetric(
             telemetryPlugin,
             SecurityMetricType.AUTHC_API_KEY,
-            Map.ofEntries(
-                Map.entry(ApiKeyAuthenticator.ATTRIBUTE_API_KEY_ID, apiKeyCredentials.getId()),
-                Map.entry(ApiKeyAuthenticator.ATTRIBUTE_API_KEY_TYPE, apiKeyCredentials.getExpectedType().value()),
-                Map.entry(ApiKeyAuthenticator.ATTRIBUTE_API_KEY_AUTHC_FAILURE_REASON, "API key auth exception")
-            )
+            Map.ofEntries(Map.entry(ApiKeyAuthenticator.ATTRIBUTE_API_KEY_TYPE, apiKeyCredentials.getExpectedType().value()))
         );
 
         // verify that there were no successes recorded
@@ -256,10 +235,7 @@ public void testRecordingFailedAuthenticationMetricsOnExceptions() {
             telemetryPlugin,
             SecurityMetricType.AUTHC_API_KEY,
             executionTimeInNanos,
-            Map.ofEntries(
-                Map.entry(ApiKeyAuthenticator.ATTRIBUTE_API_KEY_ID, apiKeyCredentials.getId()),
-                Map.entry(ApiKeyAuthenticator.ATTRIBUTE_API_KEY_TYPE, apiKeyCredentials.getExpectedType().value())
-            )
+            Map.ofEntries(Map.entry(ApiKeyAuthenticator.ATTRIBUTE_API_KEY_TYPE, apiKeyCredentials.getExpectedType().value()))
         );
     }
 
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/OAuth2TokenAuthenticatorTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/OAuth2TokenAuthenticatorTests.java
@@ -112,11 +112,7 @@ public void testRecordingFailedAuthenticationMetrics() {
         assertThat(e, sameInstance(failureError));
 
         // verify we recorded failure metric
-        assertSingleFailedAuthMetric(
-            telemetryPlugin,
-            SecurityMetricType.AUTHC_OAUTH2_TOKEN,
-            Map.ofEntries(Map.entry(OAuth2TokenAuthenticator.ATTRIBUTE_AUTHC_FAILURE_REASON, "failed to authenticate OAuth2 token"))
-        );
+        assertSingleFailedAuthMetric(telemetryPlugin, SecurityMetricType.AUTHC_OAUTH2_TOKEN, Map.of());
 
         // verify that there were no successes recorded
         assertZeroSuccessAuthMetrics(telemetryPlugin, SecurityMetricType.AUTHC_OAUTH2_TOKEN);
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RealmsAuthenticatorTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RealmsAuthenticatorTests.java
@@ -345,8 +345,7 @@ public void testRecordingFailedAuthenticationMetric() {
             SecurityMetricType.AUTHC_REALMS,
             Map.ofEntries(
                 Map.entry(RealmsAuthenticator.ATTRIBUTE_REALM_NAME, unsuccessfulRealm.name()),
-                Map.entry(RealmsAuthenticator.ATTRIBUTE_REALM_TYPE, unsuccessfulRealm.type()),
-                Map.entry(RealmsAuthenticator.ATTRIBUTE_REALM_AUTHC_FAILURE_REASON, "unsuccessful realms authentication")
+                Map.entry(RealmsAuthenticator.ATTRIBUTE_REALM_TYPE, unsuccessfulRealm.type())
             )
         );
 
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ServiceAccountAuthenticatorTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ServiceAccountAuthenticatorTests.java
@@ -74,8 +74,7 @@ public void testRecordingSuccessfulAuthenticationMetrics() {
             telemetryPlugin,
             SecurityMetricType.AUTHC_SERVICE_ACCOUNT,
             Map.ofEntries(
-                Map.entry(ServiceAccountAuthenticator.ATTRIBUTE_SERVICE_ACCOUNT_ID, serviceAccountToken.getAccountId().asPrincipal()),
-                Map.entry(ServiceAccountAuthenticator.ATTRIBUTE_SERVICE_ACCOUNT_TOKEN_NAME, serviceAccountToken.getTokenName())
+                Map.entry(ServiceAccountAuthenticator.ATTRIBUTE_SERVICE_ACCOUNT_ID, serviceAccountToken.getAccountId().asPrincipal())
             )
         );
 
@@ -88,8 +87,7 @@ public void testRecordingSuccessfulAuthenticationMetrics() {
             SecurityMetricType.AUTHC_SERVICE_ACCOUNT,
             executionTimeInNanos,
             Map.ofEntries(
-                Map.entry(ServiceAccountAuthenticator.ATTRIBUTE_SERVICE_ACCOUNT_ID, serviceAccountToken.getAccountId().asPrincipal()),
-                Map.entry(ServiceAccountAuthenticator.ATTRIBUTE_SERVICE_ACCOUNT_TOKEN_NAME, serviceAccountToken.getTokenName())
+                Map.entry(ServiceAccountAuthenticator.ATTRIBUTE_SERVICE_ACCOUNT_ID, serviceAccountToken.getAccountId().asPrincipal())
             )
         );
     }
@@ -130,9 +128,7 @@ public void testRecordingFailedAuthenticationMetrics() {
             telemetryPlugin,
             SecurityMetricType.AUTHC_SERVICE_ACCOUNT,
             Map.ofEntries(
-                Map.entry(ServiceAccountAuthenticator.ATTRIBUTE_SERVICE_ACCOUNT_ID, serviceAccountToken.getAccountId().asPrincipal()),
-                Map.entry(ServiceAccountAuthenticator.ATTRIBUTE_SERVICE_ACCOUNT_TOKEN_NAME, serviceAccountToken.getTokenName()),
-                Map.entry(ServiceAccountAuthenticator.ATTRIBUTE_AUTHC_FAILURE_REASON, "failed to authenticate test service account")
+                Map.entry(ServiceAccountAuthenticator.ATTRIBUTE_SERVICE_ACCOUNT_ID, serviceAccountToken.getAccountId().asPrincipal())
             )
         );
 
@@ -145,8 +141,7 @@ public void testRecordingFailedAuthenticationMetrics() {
             SecurityMetricType.AUTHC_SERVICE_ACCOUNT,
             executionTimeInNanos,
             Map.ofEntries(
-                Map.entry(ServiceAccountAuthenticator.ATTRIBUTE_SERVICE_ACCOUNT_ID, serviceAccountToken.getAccountId().asPrincipal()),
-                Map.entry(ServiceAccountAuthenticator.ATTRIBUTE_SERVICE_ACCOUNT_TOKEN_NAME, serviceAccountToken.getTokenName())
+                Map.entry(ServiceAccountAuthenticator.ATTRIBUTE_SERVICE_ACCOUNT_ID, serviceAccountToken.getAccountId().asPrincipal())
             )
         );
     }

Original file line number	Diff line number	Diff line change
`@@ -69,10 +69,9 @@ public void recordSuccess(final C context) {`
`69`	`69`	`* Records a single failed execution.`
`70`	`70`	`*`
`71`	`71`	`* @param context The context object which is used to attach additional attributes to failed metric.`
`72`		`- * @param failureReason The optional failure reason which is stored as an attributed with recorded failure metric.`
`73`	`72`	`*/`
`74`		`- public void recordFailure(final C context, final String failureReason) {`
`75`		`- this.failuresCounter.incrementBy(1L, attributesBuilder.build(context, failureReason));`
	`73`	`+ public void recordFailure(final C context) {`
	`74`	`+ this.failuresCounter.incrementBy(1L, attributesBuilder.build(context));`
`76`	`75`	`}`
`77`	`76`
`78`	`77`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -345,8 +345,7 @@ public void testRecordingFailedAuthenticationMetric() {`
`345`	`345`	`SecurityMetricType.AUTHC_REALMS,`
`346`	`346`	`Map.ofEntries(`
`347`	`347`	`Map.entry(RealmsAuthenticator.ATTRIBUTE_REALM_NAME, unsuccessfulRealm.name()),`
`348`		`- Map.entry(RealmsAuthenticator.ATTRIBUTE_REALM_TYPE, unsuccessfulRealm.type()),`
`349`		`- Map.entry(RealmsAuthenticator.ATTRIBUTE_REALM_AUTHC_FAILURE_REASON, "unsuccessful realms authentication")`
	`348`	`+ Map.entry(RealmsAuthenticator.ATTRIBUTE_REALM_TYPE, unsuccessfulRealm.type())`
`350`	`349`	`)`
`351`	`350`	`);`
`352`	`351`