Improve RCS-related logging (#94818)

This is a first pass at extending logging for the new remote cluster
security model. I've focused on authentication and authorization and did
not dig into port and network related code. I propose we do this
iteratively.

Author: n1v0lg

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/Authentication.java

@@ -1292,7 +1292,17 @@ static Map<String, Object> maybeRewriteMetadataForCrossClusterAccessAuthenticati
         assert metadata.containsKey(CROSS_CLUSTER_ACCESS_AUTHENTICATION_KEY)
             : "metadata must contain authentication object for cross cluster access authentication";
         final Authentication authenticationFromMetadata = (Authentication) metadata.get(CROSS_CLUSTER_ACCESS_AUTHENTICATION_KEY);
-        if (authenticationFromMetadata.getEffectiveSubject().getTransportVersion().after(olderVersion)) {
+        final TransportVersion effectiveSubjectVersion = authenticationFromMetadata.getEffectiveSubject().getTransportVersion();
+        if (effectiveSubjectVersion.after(olderVersion)) {
+            logger.trace(
+                () -> "Cross cluster access authentication has authentication field in metadata ["
+                    + authenticationFromMetadata
+                    + "] that may require a rewrite from version ["
+                    + effectiveSubjectVersion
+                    + "] to ["
+                    + olderVersion
+                    + "]"
+            );
             final Map<String, Object> rewrittenMetadata = new HashMap<>(metadata);
             rewrittenMetadata.put(
                 CROSS_CLUSTER_ACCESS_AUTHENTICATION_KEY,

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/LimitedRole.java

@@ -7,8 +7,11 @@
 
 package org.elasticsearch.xpack.core.security.authz.permission;
 
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import org.apache.lucene.util.automaton.Automaton;
 import org.elasticsearch.cluster.metadata.IndexAbstraction;
+import org.elasticsearch.common.Strings;
 import org.elasticsearch.core.Nullable;
 import org.elasticsearch.transport.TransportRequest;
 import org.elasticsearch.xpack.core.security.authc.Authentication;
@@ -34,6 +37,8 @@
  * provided role.
  */
 public final class LimitedRole implements Role {
+
+    private static final Logger logger = LogManager.getLogger(LimitedRole.class);
     private final Role baseRole;
     private final Role limitedByRole;
 
@@ -128,12 +133,26 @@ public RoleDescriptorsIntersection getRoleDescriptorsIntersectionForRemoteCluste
         final RoleDescriptorsIntersection baseIntersection = baseRole.getRoleDescriptorsIntersectionForRemoteCluster(remoteClusterAlias);
         // Intersecting with empty descriptors list should result in an empty intersection.
         if (baseIntersection.roleDescriptorsList().isEmpty()) {
+            logger.trace(
+                () -> "Base role ["
+                    + Strings.arrayToCommaDelimitedString(baseRole.names())
+                    + "] does not define any role descriptors for remote cluster alias ["
+                    + remoteClusterAlias
+                    + "]"
+            );
             return RoleDescriptorsIntersection.EMPTY;
         }
         final RoleDescriptorsIntersection limitedByIntersection = limitedByRole.getRoleDescriptorsIntersectionForRemoteCluster(
             remoteClusterAlias
         );
         if (limitedByIntersection.roleDescriptorsList().isEmpty()) {
+            logger.trace(
+                () -> "Limited-by role ["
+                    + Strings.arrayToCommaDelimitedString(limitedByRole.names())
+                    + "] does not define any role descriptors for remote cluster alias ["
+                    + remoteClusterAlias
+                    + "]"
+            );
             return RoleDescriptorsIntersection.EMPTY;
         }
         final List<Set<RoleDescriptor>> mergedIntersection = new ArrayList<>(

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/CrossClusterAccessAuthenticationService.java

@@ -104,7 +104,9 @@ public void authenticate(final String action, final TransportRequest request, fi
                         validate(crossClusterAccessSubjectInfo);
                         writeAuthToContext(
                             authcContext,
-                            authentication.toCrossClusterAccess(maybeRewriteForCrossClusterAccessUser(crossClusterAccessSubjectInfo)),
+                            authentication.toCrossClusterAccess(
+                                maybeRewriteForCrossClusterAccessUser(authcContext.getRequest(), crossClusterAccessSubjectInfo)
+                            ),
                             listener
                         );
                     } catch (Exception ex) {
@@ -120,12 +122,14 @@ public AuthenticationService getAuthenticationService() {
     }
 
     private CrossClusterAccessSubjectInfo maybeRewriteForCrossClusterAccessUser(
+        AuthenticationService.AuditableRequest request,
         CrossClusterAccessSubjectInfo crossClusterAccessSubjectInfo
     ) {
         final Authentication authentication = crossClusterAccessSubjectInfo.getAuthentication();
         final Subject effectiveSubject = authentication.getEffectiveSubject();
         final User user = effectiveSubject.getUser();
         if (CrossClusterAccessUser.is(user)) {
+            logger.debug("Request [{}] performed by internal user [{}]. Will use pre-defined role descriptors", request, user.principal());
             return CrossClusterAccessUser.subjectInfoWithRoleDescriptors(
                 effectiveSubject.getTransportVersion(),
                 effectiveSubject.getRealm().getNodeName()
@@ -185,7 +189,6 @@ private void validate(final CrossClusterAccessSubjectInfo crossClusterAccessSubj
                 }
             }
         }
-
     }
 
     private Version getMinNodeVersion() {
@@ -213,11 +216,14 @@ private void writeAuthToContext(
             authentication.writeToContext(context.getThreadContext());
             context.getRequest().authenticationSuccess(authentication);
         } catch (Exception e) {
-            logger.debug(() -> format("Failed to store authentication [%s] for request [%s]", authentication, context.getRequest()), e);
+            logger.debug(
+                () -> format("Failed to store authentication [%s] for cross cluster request [%s]", authentication, context.getRequest()),
+                e
+            );
             withRequestProcessingFailure(context, e, listener);
             return;
         }
-        logger.trace("Established authentication [{}] for request [{}]", authentication, context.getRequest());
+        logger.trace("Established authentication [{}] for cross cluster request [{}]", authentication, context.getRequest());
         listener.onResponse(authentication);
     }
 }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/store/RoleDescriptorStore.java

@@ -139,6 +139,11 @@ public void resolveCrossClusterAccessRoleReference(
     ) {
         final Set<RoleDescriptor> roleDescriptors = crossClusterAccessRoleReference.getRoleDescriptorsBytes().toRoleDescriptors();
         if (roleDescriptors.isEmpty()) {
+            logger.debug(
+                () -> "Cross cluster access role reference ["
+                    + crossClusterAccessRoleReference.id()
+                    + "] resolved to an empty role descriptor set."
+            );
             listener.onResponse(RolesRetrievalResult.EMPTY);
             return;
         }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/CrossClusterAccessServerTransportFilter.java

@@ -7,6 +7,8 @@
 
 package org.elasticsearch.xpack.security.transport;
 
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.action.admin.cluster.remote.RemoteClusterNodesAction;
 import org.elasticsearch.action.admin.cluster.shards.ClusterSearchShardsAction;
@@ -35,11 +37,15 @@
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
+import static org.elasticsearch.core.Strings.format;
 import static org.elasticsearch.transport.RemoteClusterService.REMOTE_CLUSTER_HANDSHAKE_ACTION_NAME;
 import static org.elasticsearch.xpack.core.security.authc.CrossClusterAccessSubjectInfo.CROSS_CLUSTER_ACCESS_SUBJECT_INFO_HEADER_KEY;
 import static org.elasticsearch.xpack.security.authc.CrossClusterAccessHeaders.CROSS_CLUSTER_ACCESS_CREDENTIALS_HEADER_KEY;
 
 final class CrossClusterAccessServerTransportFilter extends ServerTransportFilter {
+
+    private static final Logger logger = LogManager.getLogger(CrossClusterAccessServerTransportFilter.class);
+
     // pkg-private for testing
     static final Set<String> ALLOWED_TRANSPORT_HEADERS;
     static {
@@ -118,12 +124,17 @@ protected void authenticate(
         final ActionListener<Authentication> authenticationListener
     ) {
         if (false == Security.CONFIGURABLE_CROSS_CLUSTER_ACCESS_FEATURE.check(licenseState)) {
-            authenticationListener.onFailure(
+            onFailureWithDebugLog(
+                securityAction,
+                request,
+                authenticationListener,
                 LicenseUtils.newComplianceException(Security.CONFIGURABLE_CROSS_CLUSTER_ACCESS_FEATURE.getName())
             );
-
         } else if (false == CROSS_CLUSTER_ACCESS_ACTION_ALLOWLIST.contains(securityAction)) {
-            authenticationListener.onFailure(
+            onFailureWithDebugLog(
+                securityAction,
+                request,
+                authenticationListener,
                 new IllegalArgumentException(
                     "action ["
                         + securityAction
@@ -134,7 +145,7 @@ protected void authenticate(
             try {
                 validateHeaders();
             } catch (Exception ex) {
-                authenticationListener.onFailure(ex);
+                onFailureWithDebugLog(securityAction, request, authenticationListener, ex);
                 return;
             }
             crossClusterAccessAuthcService.authenticate(securityAction, request, authenticationListener);
@@ -167,4 +178,20 @@ private void ensureRequiredHeaderInContext(ThreadContext threadContext, String r
         }
     }
 
+    private static void onFailureWithDebugLog(
+        final String securityAction,
+        final TransportRequest request,
+        final ActionListener<Authentication> authenticationListener,
+        final Exception ex
+    ) {
+        logger.debug(
+            () -> format(
+                "Cross cluster access request [%s] for action [%s] rejected before authentication",
+                request.getClass(),
+                securityAction
+            ),
+            ex
+        );
+        authenticationListener.onFailure(ex);
+    }
 }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/RemoteClusterCredentialsResolver.java

@@ -42,5 +42,10 @@ public Optional<RemoteClusterCredentials> resolve(final String clusterAlias) {
         }
     }
 
-    record RemoteClusterCredentials(String clusterAlias, String credentials) {}
+    record RemoteClusterCredentials(String clusterAlias, String credentials) {
+        @Override
+        public String toString() {
+            return "RemoteClusterCredentials{clusterAlias='" + clusterAlias + "', credentials='::es_redacted::'}";
+        }
+    }
 }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptor.java

@@ -57,6 +57,7 @@
 import java.util.Optional;
 import java.util.function.Function;
 
+import static org.elasticsearch.core.Strings.format;
 import static org.elasticsearch.transport.RemoteClusterPortSettings.REMOTE_CLUSTER_PROFILE;
 import static org.elasticsearch.transport.RemoteClusterPortSettings.REMOTE_CLUSTER_SERVER_ENABLED;
 import static org.elasticsearch.xpack.core.security.authc.Authentication.VERSION_CROSS_CLUSTER_ACCESS_REALM;
@@ -303,7 +304,7 @@ private <T extends TransportResponse> void sendWithCrossClusterAccessHeaders(
                 final String remoteClusterAlias = remoteClusterCredentials.clusterAlias();
 
                 if (connection.getTransportVersion().before(VERSION_CROSS_CLUSTER_ACCESS_REALM)) {
-                    throw new IllegalArgumentException(
+                    throw illegalArgumentExceptionWithDebugLog(
                         "Settings for remote cluster ["
                             + remoteClusterAlias
                             + "] indicate cross cluster access headers should be sent but target cluster version ["
@@ -312,18 +313,27 @@ private <T extends TransportResponse> void sendWithCrossClusterAccessHeaders(
                     );
                 }
 
-                logger.debug(
-                    "Sending [{}] request to [{}] with cross cluster access headers for [{}] action",
-                    request.getClass(),
-                    remoteClusterAlias,
-                    action
+                logger.trace(
+                    () -> format(
+                        "Sending [%s] request for [%s] action to [%s] with cross cluster access headers",
+                        request.getClass(),
+                        action,
+                        remoteClusterAlias
+                    )
                 );
 
                 final Authentication authentication = securityContext.getAuthentication();
                 assert authentication != null : "authentication must be present in security context";
 
                 final User user = authentication.getEffectiveSubject().getUser();
                 if (SystemUser.is(user)) {
+                    logger.trace(
+                        "Request [{}] for action [{}] towards [{}] initiated by the system user. "
+                            + "Sending request with internal cross cluster access user headers",
+                        request.getClass(),
+                        action,
+                        remoteClusterAlias
+                    );
                     final var crossClusterAccessHeaders = new CrossClusterAccessHeaders(
                         remoteClusterCredentials.credentials(),
                         CrossClusterAccessUser.subjectInfoWithEmptyRoleDescriptors(
@@ -333,14 +343,23 @@ private <T extends TransportResponse> void sendWithCrossClusterAccessHeaders(
                     );
                     sendWithCrossClusterAccessHeaders(crossClusterAccessHeaders, connection, action, request, options, handler);
                 } else if (User.isInternal(user)) {
-                    final String message = "internal user [" + user.principal() + "] should not be used for cross cluster requests";
+                    final String message = "Internal user [" + user.principal() + "] should not be used for cross cluster requests";
                     assert false : message;
-                    throw new IllegalArgumentException(message);
+                    throw illegalArgumentExceptionWithDebugLog(message);
                 } else {
                     authzService.getRoleDescriptorsIntersectionForRemoteCluster(
                         remoteClusterAlias,
                         authentication.getEffectiveSubject(),
                         ActionListener.wrap(roleDescriptorsIntersection -> {
+                            logger.trace(
+                                () -> format(
+                                    "Subject [%s] has role descriptors intersection [%s] for action [%s] towards remote cluster [%s]",
+                                    authentication.getEffectiveSubject(),
+                                    roleDescriptorsIntersection,
+                                    action,
+                                    remoteClusterAlias
+                                )
+                            );
                             if (roleDescriptorsIntersection.isEmpty()) {
                                 throw authzService.remoteActionDenied(authentication, action, remoteClusterAlias);
                             }
@@ -375,6 +394,11 @@ private <T extends TransportResponse> void sendWithCrossClusterAccessHeaders(
                     contextRestoreHandler.handleException(new SendRequestTransportException(connection.getNode(), action, e));
                 }
             }
+
+            private static IllegalArgumentException illegalArgumentExceptionWithDebugLog(String message) {
+                logger.debug(message);
+                return new IllegalArgumentException(message);
+            }
         };
     }
 
@@ -541,18 +565,17 @@ public String toString() {
         public void messageReceived(T request, TransportChannel channel, Task task) {
             try (ThreadContext.StoredContext ctx = threadContext.newStoredContextPreservingResponseHeaders()) {
                 String profile = channel.getProfileName();
-                ServerTransportFilter filter = profileFilters.get(profile);
-
-                if (filter == null) {
-                    if (TransportService.DIRECT_RESPONSE_PROFILE.equals(profile)) {
-                        // apply the default filter to local requests. We never know what the request is or who sent it...
-                        filter = profileFilters.get("default");
-                    } else {
-                        String msg = "transport profile [" + profile + "] is not associated with a transport filter";
-                        throw new IllegalStateException(msg);
-                    }
-                }
+                ServerTransportFilter filter = getServerTransportFilter(profile);
                 assert filter != null;
+                assert request != null;
+                logger.trace(
+                    () -> format(
+                        "Applying transport filter [%s] for transport profile [%s] on request [%s]",
+                        filter.getClass(),
+                        profile,
+                        request.getClass()
+                    )
+                );
 
                 final AbstractRunnable receiveMessage = getReceiveRunnable(request, channel, task);
                 final ActionListener<Void> filterListener;
@@ -591,6 +614,20 @@ public void onResponse(Void unused) {
 
             }
         }
+
+        private ServerTransportFilter getServerTransportFilter(String profile) {
+            final ServerTransportFilter filter = profileFilters.get(profile);
+            if (filter != null) {
+                return filter;
+            }
+            if (TransportService.DIRECT_RESPONSE_PROFILE.equals(profile)) {
+                // apply the default filter to local requests. We never know what the request is or who sent it...
+                return profileFilters.get("default");
+            } else {
+                String msg = "transport profile [" + profile + "] is not associated with a transport filter";
+                throw new IllegalStateException(msg);
+            }
+        }
     }
 
     private abstract static class AbstractFilterListener implements ActionListener<Void> {