elastic · gmjehovich · Jul 24, 2025 · Jun 26, 2025 · Jun 26, 2025 · Jun 26, 2025
diff --git a/docs/changelog/130140.yaml b/docs/changelog/130140.yaml
@@ -0,0 +1,5 @@
+pr: 130140
+summary: Correct slow log user for RCS 2.0
+area: Authentication
+type: enhancement
+issues: []
diff --git a/...cluster/src/javaRestTest/java/org/elasticsearch/xpack/remotecluster/CcsSlowLogRestIT.java b/...cluster/src/javaRestTest/java/org/elasticsearch/xpack/remotecluster/CcsSlowLogRestIT.java
@@ -0,0 +1,358 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.remotecluster;
+
+import org.elasticsearch.client.Request;
+import org.elasticsearch.client.RequestOptions;
+import org.elasticsearch.client.Response;
+import org.elasticsearch.common.io.Streams;
+import org.elasticsearch.common.xcontent.XContentHelper;
+import org.elasticsearch.test.cluster.ElasticsearchCluster;
+import org.elasticsearch.test.cluster.LogType;
+import org.elasticsearch.test.rest.ObjectPath;
+import org.elasticsearch.xcontent.XContentType;
+import org.junit.ClassRule;
+import org.junit.rules.RuleChain;
+import org.junit.rules.TestRule;
+
+import java.io.IOException;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.atomic.AtomicReference;
+
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.hasKey;
+import static org.hamcrest.Matchers.notNullValue;
+
+/**
+ * Integration test for verifying that slow log authentication context contains
+ * the correct user information for cross-cluster access scenarios.
+ *
+ * This test verifies that when cross-cluster searches are performed, the slow logs
+ * on the fulfilling cluster contain the authentication context of the ORIGINAL user
+ * from the querying cluster, not just the cross-cluster access API key.
+ *
+ * The key verification is that slow logs should show:
+ * - user.name: The actual user from the querying cluster (e.g., "slow_log_test_user")
+ * - user.realm: The realm of the original user on the querying cluster (e.g., "default_native")
+ * - For run-as: Both authenticating and effective users from querying cluster
+ */
+public class CcsSlowLogRestIT extends AbstractRemoteClusterSecurityTestCase {
+
+    private static final AtomicReference<Map<String, Object>> API_KEY_MAP_REF = new AtomicReference<>();
+
+    static {
+        fulfillingCluster = ElasticsearchCluster.local()
+            .name("fulfilling-cluster")
+            .apply(commonClusterConfig)
+            .setting("remote_cluster_server.enabled", "true")
+            .setting("remote_cluster.port", "0")
+            .setting("xpack.security.remote_cluster_server.ssl.enabled", "true")
+            .setting("xpack.security.remote_cluster_server.ssl.key", "remote-cluster.key")
+            .setting("xpack.security.remote_cluster_server.ssl.certificate", "remote-cluster.crt")
+            .keystore("xpack.security.remote_cluster_server.ssl.secure_key_passphrase", "remote-cluster-password")
+            .build();
+
+        queryCluster = ElasticsearchCluster.local()
+            .name("query-cluster")
+            .apply(commonClusterConfig)
+            .setting("xpack.security.remote_cluster_client.ssl.enabled", "true")
+            .setting("xpack.security.remote_cluster_client.ssl.certificate_authorities", "remote-cluster-ca.crt")
+            .keystore("cluster.remote.my_remote_cluster.credentials", () -> {
+                if (API_KEY_MAP_REF.get() == null) {
+                    final Map<String, Object> apiKeyMap = createCrossClusterAccessApiKey("""
+                        {
+                            "search": [
+                              {
+                                "names": ["slow_log_*", "run_as_*"]
+                              }
+                            ]
+                        }""");
+                    API_KEY_MAP_REF.set(apiKeyMap);
+                }
+                return (String) API_KEY_MAP_REF.get().get("encoded");
+            })
+            .build();
+    }
+
+    @ClassRule
+    public static TestRule clusterRule = RuleChain.outerRule(fulfillingCluster).around(queryCluster);
+
+    public void testCrossClusterSlowLogAuthenticationContext() throws Exception {
+        configureRemoteCluster();
+
+        // Fulfilling cluster setup
+        {
+            // Create an index with slow log settings enabled
+            final Request createIndexRequest = new Request("PUT", "/slow_log_test");
+            createIndexRequest.setJsonEntity("""
+                {
+                  "settings": {
+                    "index.search.slowlog.threshold.query.trace": "0ms",
+                    "index.search.slowlog.include.user": true
+                  },
+                  "mappings": {
+                    "properties": {
+                      "content": { "type": "text" },
+                      "timestamp": { "type": "date" }
+                    }
+                  }
+                }""");
+            assertOK(performRequestAgainstFulfillingCluster(createIndexRequest));
+
+            // test documents
+            final Request bulkRequest = new Request("POST", "/_bulk?refresh=true");
+            bulkRequest.setJsonEntity("""
+                { "index": { "_index": "slow_log_test" } }
+                { "content": "test content for slow log", "timestamp": "2024-01-01T10:00:00Z" }
+                { "index": { "_index": "slow_log_test" } }
+                { "content": "another test document", "timestamp": "2024-01-01T11:00:00Z" }
+                """);
+            assertOK(performRequestAgainstFulfillingCluster(bulkRequest));
+        }
+
+        // Query cluster setup
+        {
+            // Create user role with remote cluster privileges
+            final var putRoleRequest = new Request("PUT", "/_security/role/slow_log_remote_role");
+            putRoleRequest.setJsonEntity("""
+                {
+                  "description": "Role for testing slow log auth context with cross-cluster access",
+                  "cluster": ["manage_own_api_key"],
+                  "remote_indices": [
+                    {
+                      "names": ["slow_log_*"],
+                      "privileges": ["read", "read_cross_cluster"],
+                      "clusters": ["my_remote_cluster"]
+                    }
+                  ]
+                }""");
+            assertOK(adminClient().performRequest(putRoleRequest));
+
+            // Create test user
+            final var putUserRequest = new Request("PUT", "/_security/user/slow_log_test_user");
+            putUserRequest.setJsonEntity("""
+                {
+                  "password": "x-pack-test-password",
+                  "roles": ["slow_log_remote_role"],
+                  "full_name": "Slow Log Test User"
+                }""");
+            assertOK(adminClient().performRequest(putUserRequest));
+
+            // Create API key for the test user
+            final var createApiKeyRequest = new Request("PUT", "/_security/api_key");
+            createApiKeyRequest.setJsonEntity("""
+                {
+                  "name": "slow_log_test_api_key",
+                  "role_descriptors": {
+                    "slow_log_access": {
+                      "remote_indices": [
+                        {
+                          "names": ["slow_log_*"],
+                          "privileges": ["read", "read_cross_cluster"],
+                          "clusters": ["my_remote_cluster"]
+                        }
+                      ]
+                    }
+                  }
+                }""");
+            final var createApiKeyResponse = performRequestWithSlowLogTestUser(createApiKeyRequest);
+            assertOK(createApiKeyResponse);
+
+            var createApiKeyResponsePath = ObjectPath.createFromResponse(createApiKeyResponse);
+            final String apiKeyEncoded = createApiKeyResponsePath.evaluate("encoded");
+            final String apiKeyId = createApiKeyResponsePath.evaluate("id");
+            assertThat(apiKeyEncoded, notNullValue());
+            assertThat(apiKeyId, notNullValue());
+
+            // Perform cross-cluster search that should generate slow log entries
+            final var searchRequest = new Request("GET", "/my_remote_cluster:slow_log_test/_search");
+            searchRequest.setJsonEntity("""
+                {
+                  "query": {
+                    "match": {
+                      "content": "test"
+                    }
+                  },
+                  "sort": [
+                    { "timestamp": { "order": "desc" } }
+                  ]
+                }""");
+
+            // Execute search with API key authentication
+            final Response searchResponse = performRequestWithApiKey(searchRequest, apiKeyEncoded);
+            assertOK(searchResponse);
+
+            // Verify slow log contains correct authentication context from the original user
+            // The key test: slow logs should show the original user from querying cluster
+            Map<String, Object> expectedAuthContext = Map.of(
+                "user.name",
+                "slow_log_test_user",          // Original user from querying cluster
+                "user.realm",
+                "_es_api_key",             // User's realm on querying cluster
+                "user.full_name",
+                "Slow Log Test User",
+                "auth.type",
+                "API_KEY",                     // Authentication type
+                "apikey.id",
+                apiKeyId,                      // API key from querying cluster
+                "apikey.name",
+                "slow_log_test_api_key"      // API key name
+            );
+
+            verifySlowLogAuthenticationContext(expectedAuthContext);
+        }
+    }
+
+    public void testRunAsUserInCrossClusterSlowLog() throws Exception {
+        configureRemoteCluster();
+
+        // Fulfilling cluster setup
+        {
+            // Create an index for run-as testing with slow log enabled
+            final Request createIndexRequest = new Request("PUT", "/run_as_test");
+            createIndexRequest.setJsonEntity("""
+                {
+                  "settings": {
+                    "index.search.slowlog.threshold.query.trace": "0ms",
+                    "index.search.slowlog.include.user": true
+                  },
+                  "mappings": {
+                    "properties": {
+                      "data": { "type": "text" }
+                    }
+                  }
+                }""");
+            assertOK(performRequestAgainstFulfillingCluster(createIndexRequest));
+
+            final Request indexRequest = new Request("POST", "/run_as_test/_doc?refresh=true");
+            indexRequest.setJsonEntity("""
+                { "data": "run as test data" }""");
+            assertOK(performRequestAgainstFulfillingCluster(indexRequest));
+        }
+
+        // Query cluster setup
+        {
+            // Create role that allows run-as and remote access
+            final var putRunAsRoleRequest = new Request("PUT", "/_security/role/run_as_remote_role");
+            putRunAsRoleRequest.setJsonEntity("""
+                {
+                  "description": "Role that can run as other users and access remote clusters",
+                  "cluster": ["manage_own_api_key"],
+                  "run_as": ["target_user"],
+                  "remote_indices": [
+                    {
+                      "names": ["run_as_*"],
+                      "privileges": ["read", "read_cross_cluster"],
+                      "clusters": ["my_remote_cluster"]
+                    }
+                  ]
+                }""");
+            assertOK(adminClient().performRequest(putRunAsRoleRequest));
+
+            // Create the run-as user
+            final var putRunAsUserRequest = new Request("PUT", "/_security/user/run_as_user");
+            putRunAsUserRequest.setJsonEntity("""
+                {
+                  "password": "x-pack-test-password",
+                  "roles": ["run_as_remote_role"],
+                  "full_name": "Run As User"
+                }""");
+            assertOK(adminClient().performRequest(putRunAsUserRequest));
+
+            // Create target user (who will be run as)
+            final var putTargetUserRequest = new Request("PUT", "/_security/user/target_user");
+            putTargetUserRequest.setJsonEntity("""
+                {
+                  "password": "x-pack-test-password",
+                  "roles": ["run_as_remote_role"],
+                  "full_name": "Target User"
+                }""");
+            assertOK(adminClient().performRequest(putTargetUserRequest));
+
+            // Perform search with run-as header
+            final var runAsSearchRequest = new Request("GET", "/my_remote_cluster:run_as_test/_search");
+            runAsSearchRequest.setJsonEntity("""
+                {
+                  "query": { "match_all": {} }
+                }""");
+
+            // Add both authentication and run-as headers
+            runAsSearchRequest.setOptions(
+                RequestOptions.DEFAULT.toBuilder()
+                    .addHeader("Authorization", basicAuthHeaderValue("run_as_user", PASS))
+                    .addHeader("es-security-runas-user", "target_user")
+            );
+
+            final Response runAsResponse = client().performRequest(runAsSearchRequest);
+            assertOK(runAsResponse);
+
+            // Verify slow log shows both authenticating and effective users from querying cluster
+            Map<String, Object> expectedRunAsAuthContext = Map.of(
+                "user.name",
+                "run_as_user",                    // Authenticating user from querying cluster
+                "user.realm",
+                "default_native",
+                "user.full_name",
+                "Run As User",
+                "user.effective.name",
+                "target_user",          // Effective user from querying cluster
+                "user.effective.realm",
+                "default_native",
+                "user.effective.full_name",
+                "Target User",
+                "auth.type",
+                "REALM"
+            );
+
+            verifySlowLogAuthenticationContext(expectedRunAsAuthContext);
+        }
+    }
+
+    /**
+     * Verifies that the slow logs on the fulfilling cluster contain the expected
+     * authentication context from the original user on the querying cluster.
+     */
+    private void verifySlowLogAuthenticationContext(Map<String, Object> expectedAuthContext) throws Exception {
+        assertBusy(() -> {
+            try (var slowLog = fulfillingCluster.getNodeLog(0, LogType.SEARCH_SLOW)) {
+                final List<String> lines = Streams.readAllLines(slowLog);
+                assert (!lines.isEmpty());
+
+                // Get the most recent slow log entry
+                String lastLogLine = lines.get(lines.size() - 1);
+                Map<String, Object> logEntry = XContentHelper.convertToMap(XContentType.JSON.xContent(), lastLogLine, true);
+
+                // Verify that the log entry contains the expected authentication context
+                for (Map.Entry<String, Object> expectedEntry : expectedAuthContext.entrySet()) {
+                    assertThat(
+                        "Slow log should contain " + expectedEntry.getKey() + " with value " + expectedEntry.getValue(),
+                        logEntry,
+                        hasKey(expectedEntry.getKey())
+                    );
+                    assertThat(
+                        "Slow log " + expectedEntry.getKey() + " should match expected value",
+                        logEntry.get(expectedEntry.getKey()),
+                        equalTo(expectedEntry.getValue())
+                    );
+                }
+            }
+        }, 10, TimeUnit.SECONDS);
+    }
+
+    private Response performRequestWithSlowLogTestUser(final Request request) throws IOException {
+        request.setOptions(RequestOptions.DEFAULT.toBuilder().addHeader("Authorization", basicAuthHeaderValue("slow_log_test_user", PASS)));
+        return client().performRequest(request);
+    }
+
+    private Response performRequestWithApiKey(final Request request, final String encoded) throws IOException {
+        request.setOptions(RequestOptions.DEFAULT.toBuilder().addHeader("Authorization", "ApiKey " + encoded));
+        return client().performRequest(request);
+    }
+}