Add user name to slow log; some refactoring

Author: luigidellaquila

…arch/xpack/esql/action/MockAppender.java …asticsearch/xpack/esql/MockAppender.javax-pack/plugin/esql/src/internalClusterTest/java/org/elasticsearch/xpack/esql/action/MockAppender.java renamed to x-pack/plugin/esql/qa/testFixtures/src/main/java/org/elasticsearch/xpack/esql/MockAppender.java x-pack/plugin/esql/src/internalClusterTest/java/org/elasticsearch/xpack/esql/action/MockAppender.java renamed to x-pack/plugin/esql/qa/testFixtures/src/main/java/org/elasticsearch/xpack/esql/MockAppender.java

@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-package org.elasticsearch.xpack.esql.action;
+package org.elasticsearch.xpack.esql;
 
 import org.apache.logging.log4j.core.LogEvent;
 import org.apache.logging.log4j.core.appender.AbstractAppender;
@@ -24,11 +24,11 @@ public void append(LogEvent event) {
         lastEvent = event.toImmutable();
     }
 
-    Message lastMessage() {
+    public Message lastMessage() {
         return lastEvent.getMessage();
     }
 
-    LogEvent lastEvent() {
+    public LogEvent lastEvent() {
         return lastEvent;
     }
 

x-pack/plugin/esql/src/internalClusterTest/java/org/elasticsearch/xpack/esql/action/EsqlSlowLogIT.java

@@ -18,6 +18,7 @@
 import org.elasticsearch.common.logging.Loggers;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.core.TimeValue;
+import org.elasticsearch.xpack.esql.MockAppender;
 import org.elasticsearch.xpack.esql.VerificationException;
 import org.elasticsearch.xpack.esql.plugin.EsqlPlugin;
 import org.elasticsearch.xpack.esql.slowlog.EsqlSlowLog;
@@ -94,12 +95,20 @@ public void testSetLevel() throws Exception {
             testAllLevels(
                 levels,
                 coordinator,
-                randomIntBetween(0, 10_000),
+                randomIntBetween(0, 500),
                 "FROM index-* | EVAL ip = to_ip(host) | STATS s = COUNT(*) by ip | KEEP ip | LIMIT 100",
                 null,
                 null
             );
         }
+        testAllLevels(
+            levels,
+            coordinator,
+            600_000,
+            "FROM index-* | EVAL ip = to_ip(host) | STATS s = COUNT(*) by ip | KEEP ip | LIMIT 100",
+            null,
+            null
+        );
 
         testAllLevels(
             levels,
@@ -113,12 +122,20 @@ public void testSetLevel() throws Exception {
             testAllLevels(
                 levels,
                 coordinator,
-                randomIntBetween(0, 10_000),
+                randomIntBetween(0, 500),
                 "FROM index-* | EVAL a = count(*) | LIMIT 100",
                 "aggregate function [count(*)] not allowed outside STATS command",
                 VerificationException.class.getName()
             );
         }
+        testAllLevels(
+            levels,
+            coordinator,
+            600_000,
+            "FROM index-* | EVAL a = count(*) | LIMIT 100",
+            "aggregate function [count(*)] not allowed outside STATS command",
+            VerificationException.class.getName()
+        );
     }
 
     private static void testAllLevels(
@@ -163,7 +180,6 @@ private static void testAllLevels(
                         long planningTookMillisExpected = planningTook / 1_000_000;
                         long planningTookMillis = Long.valueOf(msg.get("elasticsearch.slowlog.planning.took_millis"));
                         assertThat(planningTook, greaterThanOrEqualTo(0L));
-                        assertThat(planningTookMillis, greaterThanOrEqualTo(timeoutMillis));
                         assertThat(planningTookMillis, is(planningTookMillisExpected));
                         assertThat(took, greaterThan(planningTook));
                     }

x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/plugin/EsqlPlugin.java

@@ -51,6 +51,7 @@
 import org.elasticsearch.xpack.core.XPackPlugin;
 import org.elasticsearch.xpack.core.action.XPackInfoFeatureAction;
 import org.elasticsearch.xpack.core.action.XPackUsageFeatureAction;
+import org.elasticsearch.xpack.core.security.SecurityContext;
 import org.elasticsearch.xpack.esql.EsqlInfoTransportAction;
 import org.elasticsearch.xpack.esql.EsqlUsageTransportAction;
 import org.elasticsearch.xpack.esql.action.EsqlAsyncGetResultAction;
@@ -147,6 +148,13 @@ public class EsqlPlugin extends Plugin implements ActionPlugin {
         Setting.Property.Dynamic
     );
 
+    public static final Setting<Boolean> ESQL_SLOWLOG_THRESHOLD_INCLUDE_USER_SETTING = Setting.boolSetting(
+        "esql.slowlog.include.user",
+        false,
+        Setting.Property.NodeScope,
+        Setting.Property.Dynamic
+    );
+
     @Override
     public Collection<?> createComponents(Plugin.PluginServices services) {
         CircuitBreaker circuitBreaker = services.indicesService().getBigArrays().breakerService().getBreaker("request");
@@ -164,7 +172,10 @@ public Collection<?> createComponents(Plugin.PluginServices services) {
                 new IndexResolver(services.client()),
                 services.telemetryProvider().getMeterRegistry(),
                 getLicenseState(),
-                new EsqlSlowLog(services.clusterService().getClusterSettings())
+                new EsqlSlowLog(
+                    services.clusterService().getClusterSettings(),
+                    new SecurityContext(Settings.EMPTY, services.threadPool().getThreadContext())
+                )
             ),
             new ExchangeService(
                 services.clusterService().getSettings(),
@@ -208,7 +219,8 @@ public List<Setting<?>> getSettings() {
             ESQL_SLOWLOG_THRESHOLD_QUERY_TRACE_SETTING,
             ESQL_SLOWLOG_THRESHOLD_QUERY_DEBUG_SETTING,
             ESQL_SLOWLOG_THRESHOLD_QUERY_INFO_SETTING,
-            ESQL_SLOWLOG_THRESHOLD_QUERY_WARN_SETTING
+            ESQL_SLOWLOG_THRESHOLD_QUERY_WARN_SETTING,
+            ESQL_SLOWLOG_THRESHOLD_INCLUDE_USER_SETTING
         );
     }
 

x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/slowlog/EsqlSlowLog.java

@@ -13,12 +13,15 @@
 import org.elasticsearch.common.settings.ClusterSettings;
 import org.elasticsearch.core.TimeValue;
 import org.elasticsearch.xcontent.json.JsonStringEncoder;
+import org.elasticsearch.xpack.core.security.SecurityContext;
+import org.elasticsearch.xpack.core.security.user.User;
 import org.elasticsearch.xpack.esql.session.Result;
 
 import java.nio.charset.StandardCharsets;
 import java.util.HashMap;
 import java.util.Map;
 
+import static org.elasticsearch.xpack.esql.plugin.EsqlPlugin.ESQL_SLOWLOG_THRESHOLD_INCLUDE_USER_SETTING;
 import static org.elasticsearch.xpack.esql.plugin.EsqlPlugin.ESQL_SLOWLOG_THRESHOLD_QUERY_DEBUG_SETTING;
 import static org.elasticsearch.xpack.esql.plugin.EsqlPlugin.ESQL_SLOWLOG_THRESHOLD_QUERY_INFO_SETTING;
 import static org.elasticsearch.xpack.esql.plugin.EsqlPlugin.ESQL_SLOWLOG_THRESHOLD_QUERY_TRACE_SETTING;
@@ -31,18 +34,28 @@ public final class EsqlSlowLog {
     public static final String SLOWLOG_PREFIX = "esql.slowlog";
 
     private static final Logger queryLogger = LogManager.getLogger(SLOWLOG_PREFIX + ".query");
+    private final SecurityContext security;
 
     private volatile long queryWarnThreshold;
     private volatile long queryInfoThreshold;
     private volatile long queryDebugThreshold;
     private volatile long queryTraceThreshold;
 
-    public EsqlSlowLog(ClusterSettings settings) {
+    private volatile boolean includeUser;
+
+    public EsqlSlowLog(ClusterSettings settings, SecurityContext security) {
         settings.initializeAndWatch(ESQL_SLOWLOG_THRESHOLD_QUERY_WARN_SETTING, this::setQueryWarnThreshold);
         settings.initializeAndWatch(ESQL_SLOWLOG_THRESHOLD_QUERY_INFO_SETTING, this::setQueryInfoThreshold);
         settings.initializeAndWatch(ESQL_SLOWLOG_THRESHOLD_QUERY_DEBUG_SETTING, this::setQueryDebugThreshold);
         settings.initializeAndWatch(ESQL_SLOWLOG_THRESHOLD_QUERY_TRACE_SETTING, this::setQueryTraceThreshold);
+        settings.initializeAndWatch(ESQL_SLOWLOG_THRESHOLD_INCLUDE_USER_SETTING, this::setIncludeUser);
         this.clusterSettings = settings;
+
+        this.security = security;
+    }
+
+    public EsqlSlowLog(ClusterSettings settings) {
+        this(settings, null);
     }
 
     public void onQueryPhase(Result esqlResult, String query) {
@@ -51,28 +64,36 @@ public void onQueryPhase(Result esqlResult, String query) {
         }
         long tookInNanos = esqlResult.executionInfo().overallTook().nanos();
         if (queryWarnThreshold >= 0 && tookInNanos > queryWarnThreshold) {
-            queryLogger.warn(Message.of(esqlResult, query));
+            queryLogger.warn(Message.of(esqlResult, query, user()));
         } else if (queryInfoThreshold >= 0 && tookInNanos > queryInfoThreshold) {
-            queryLogger.info(Message.of(esqlResult, query));
+            queryLogger.info(Message.of(esqlResult, query, user()));
 
         } else if (queryDebugThreshold >= 0 && tookInNanos > queryDebugThreshold) {
-            queryLogger.debug(Message.of(esqlResult, query));
+            queryLogger.debug(Message.of(esqlResult, query, user()));
 
         } else if (queryTraceThreshold >= 0 && tookInNanos > queryTraceThreshold) {
-            queryLogger.trace(Message.of(esqlResult, query));
+            queryLogger.trace(Message.of(esqlResult, query, user()));
 
         }
     }
 
+    private User user() {
+        User user = null;
+        if (includeUser && security != null) {
+            user = security.getUser();
+        }
+        return user;
+    }
+
     public void onQueryFailure(String query, Exception ex, long tookInNanos) {
         if (queryWarnThreshold >= 0 && tookInNanos > queryWarnThreshold) {
-            queryLogger.warn(Message.of(query, tookInNanos, ex));
+            queryLogger.warn(Message.of(query, tookInNanos, ex, user()));
         } else if (queryInfoThreshold >= 0 && tookInNanos > queryInfoThreshold) {
-            queryLogger.info(Message.of(query, tookInNanos, ex));
+            queryLogger.info(Message.of(query, tookInNanos, ex, user()));
         } else if (queryDebugThreshold >= 0 && tookInNanos > queryDebugThreshold) {
-            queryLogger.debug(Message.of(query, tookInNanos, ex));
+            queryLogger.debug(Message.of(query, tookInNanos, ex, user()));
         } else if (queryTraceThreshold >= 0 && tookInNanos > queryTraceThreshold) {
-            queryLogger.trace(Message.of(query, tookInNanos, ex));
+            queryLogger.trace(Message.of(query, tookInNanos, ex, user()));
         }
     }
 
@@ -92,30 +113,37 @@ public void setQueryTraceThreshold(TimeValue queryTraceThreshold) {
         this.queryTraceThreshold = queryTraceThreshold.nanos();
     }
 
+    public void setIncludeUser(boolean includeUser) {
+        this.includeUser = includeUser;
+    }
+
     static final class Message {
 
         private static String escapeJson(String text) {
             byte[] sourceEscaped = JsonStringEncoder.getInstance().quoteAsUTF8(text);
             return new String(sourceEscaped, StandardCharsets.UTF_8);
         }
 
-        public static ESLogMessage of(Result esqlResult, String query) {
-            Map<String, Object> jsonFields = prepareMap(esqlResult, query, true);
+        public static ESLogMessage of(Result esqlResult, String query, User user) {
+            Map<String, Object> jsonFields = prepareMap(esqlResult, query, true, user);
 
             return new ESLogMessage().withFields(jsonFields);
         }
 
-        public static ESLogMessage of(String query, long took, Exception exception) {
-            Map<String, Object> jsonFields = prepareMap(null, query, false);
+        public static ESLogMessage of(String query, long took, Exception exception, User user) {
+            Map<String, Object> jsonFields = prepareMap(null, query, false, user);
             jsonFields.put("elasticsearch.slowlog.error.message", exception.getMessage() == null ? "" : exception.getMessage());
             jsonFields.put("elasticsearch.slowlog.error.type", exception.getClass().getName());
             jsonFields.put("elasticsearch.slowlog.took", took);
             jsonFields.put("elasticsearch.slowlog.took_millis", took / 1_000_000);
             return new ESLogMessage().withFields(jsonFields);
         }
 
-        private static Map<String, Object> prepareMap(Result esqlResult, String query, boolean success) {
+        private static Map<String, Object> prepareMap(Result esqlResult, String query, boolean success, User user) {
             Map<String, Object> messageFields = new HashMap<>();
+            if (user != null) {
+                messageFields.put("user.name", user.principal());
+            }
             if (esqlResult != null) {
                 messageFields.put("elasticsearch.slowlog.took", esqlResult.executionInfo().overallTook().nanos());
                 messageFields.put("elasticsearch.slowlog.took_millis", esqlResult.executionInfo().overallTook().millis());

x-pack/plugin/esql/src/test/java/org/elasticsearch/xpack/esql/slowlog/EsqlSlowLogTests.java

@@ -17,6 +17,7 @@
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.core.TimeValue;
 import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.xpack.esql.MockAppender;
 import org.elasticsearch.xpack.esql.action.EsqlExecutionInfo;
 import org.elasticsearch.xpack.esql.plugin.EsqlPlugin;
 import org.elasticsearch.xpack.esql.session.Result;
@@ -41,14 +42,16 @@ public class EsqlSlowLogTests extends ESTestCase {
             .put(EsqlPlugin.ESQL_SLOWLOG_THRESHOLD_QUERY_INFO_SETTING.getKey(), "30ms")
             .put(EsqlPlugin.ESQL_SLOWLOG_THRESHOLD_QUERY_DEBUG_SETTING.getKey(), "20ms")
             .put(EsqlPlugin.ESQL_SLOWLOG_THRESHOLD_QUERY_TRACE_SETTING.getKey(), "10ms")
+            .put(EsqlPlugin.ESQL_SLOWLOG_THRESHOLD_INCLUDE_USER_SETTING.getKey(), true)
 
             .build(),
         new HashSet<>(
             Arrays.asList(
                 EsqlPlugin.ESQL_SLOWLOG_THRESHOLD_QUERY_WARN_SETTING,
                 EsqlPlugin.ESQL_SLOWLOG_THRESHOLD_QUERY_INFO_SETTING,
                 EsqlPlugin.ESQL_SLOWLOG_THRESHOLD_QUERY_DEBUG_SETTING,
-                EsqlPlugin.ESQL_SLOWLOG_THRESHOLD_QUERY_TRACE_SETTING
+                EsqlPlugin.ESQL_SLOWLOG_THRESHOLD_QUERY_TRACE_SETTING,
+                EsqlPlugin.ESQL_SLOWLOG_THRESHOLD_INCLUDE_USER_SETTING
             )
         )
     );

x-pack/plugin/esql/src/test/java/org/elasticsearch/xpack/esql/slowlog/MockAppender.java

@@ -92,7 +92,8 @@ EsqlSlowLog mockSlowLog() {
                     EsqlPlugin.ESQL_SLOWLOG_THRESHOLD_QUERY_WARN_SETTING,
                     EsqlPlugin.ESQL_SLOWLOG_THRESHOLD_QUERY_INFO_SETTING,
                     EsqlPlugin.ESQL_SLOWLOG_THRESHOLD_QUERY_DEBUG_SETTING,
-                    EsqlPlugin.ESQL_SLOWLOG_THRESHOLD_QUERY_TRACE_SETTING
+                    EsqlPlugin.ESQL_SLOWLOG_THRESHOLD_QUERY_TRACE_SETTING,
+                    EsqlPlugin.ESQL_SLOWLOG_THRESHOLD_INCLUDE_USER_SETTING
                 )
             )
         );