@ankit--sethi ankit--sethi commented Aug 21, 2025

Adding tracing support for the authenticate action by wrapping the `authenticator.authenticate` call in AuthenticatorChain with startTrace/stopTrace actions.

In synchronous contexts, spans are stored in ThreadLocal objects under the hood and the currently active span lookup (needed to end a span, append metadata, or spawn a child span) can be implicit. However, to track a span across threads as the ActionListener pattern requires, we need to make Authenticator.Context implement Traceable, which defines a random, unique spanId for each Authenticator.Context object, enabling us to uniquely locate the associated span regardless of which thread is currently executing.

Sample trace when running locally with `./gradlew :run --with-apm-server`:

```json
{
    "transaction":
    {
        "timestamp": 1755816123929000,
        "name": "authenticate", <------- supplied span name
        "id": "4a6498d97c2349d2",
        "trace_id": "c44f5269a1ff1e215bdd151d41df8b2d",
        "type": "unknown",
        "duration": 25.189,
        "outcome": "unknown",
        "context":
        {
            "service":
            {
                "framework":
                {
                    "name": "OpenTelemetry"
                },
                "version": null
            },
            "tags":
            {}
        },
        "span_count":
        {
            "dropped": 0,
            "started": 0
        },
        "dropped_spans_stats":
        [],
        "otel":
        {
            "span_kind": "INTERNAL",
            "attributes":
            {
                "es.cluster.name": "runCluster",
                "es.node.name": "runCluster-0",
                "security.authenticator.type": "cloud API key" <---- supplied custom field
            }
        },
        "sample_rate": 1.0,
        "sampled": true
    }
}
```

…`authenticator.authenticate` call in AuthenticatorChain with a startTrace/stopTrace action.

In synchronous contexts, spans are stored as ThreadLocals under the hood and the currently active span lookup (needed to end a span, append metadata, or spawn a child span) can be implicit. However, to track a span across threads as ES requires, we need to make `Authenticator.Context` implement `Traceable`, which defines a random, unique `spanId` for each Context object, enabling us to uniquely locate the associated span regardless of which thread is currently executing.
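As an added illustration (not code from this PR or from Elasticsearch), a minimal Java model of the cross-thread lookup the description relies on: the span is registered under the context's `spanId` instead of a ThreadLocal "current span", so a listener running on a different thread can still attach the `security.authenticator.type` attribute and end the right span. `AuthContext`, `Tracer` and `setAttribute` are hypothetical names chosen for the example.

```java
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Mirrors the page's Traceable: each context carries its own unique span id.
interface Traceable {
    String getSpanId();
}

// Hypothetical stand-in for Authenticator.Context.
final class AuthContext implements Traceable {
    private final String spanId = UUID.randomUUID().toString();
    final String authenticatorType;
    AuthContext(String authenticatorType) { this.authenticatorType = authenticatorType; }
    @Override public String getSpanId() { return spanId; }
}

// Hypothetical tracer: spans are keyed by spanId, never by the calling thread.
final class Tracer {
    private final Map<String, Map<String, String>> spans = new ConcurrentHashMap<>();
    void startTrace(Traceable t, String name) {
        Map<String, String> attrs = new ConcurrentHashMap<>();
        attrs.put("name", name);
        spans.put(t.getSpanId(), attrs);
    }
    void setAttribute(Traceable t, String key, String value) { spans.get(t.getSpanId()).put(key, value); }
    // Returns the ended span's attributes, or null if no span was open for this context.
    Map<String, String> stopTrace(Traceable t) { return spans.remove(t.getSpanId()); }
}

public class AuthTraceDemo {
    public static void main(String[] args) throws Exception {
        Tracer tracer = new Tracer();
        AuthContext ctx = new AuthContext("cloud API key"); // constructed sample value
        ExecutorService pool = Executors.newSingleThreadExecutor();
        tracer.startTrace(ctx, "authenticate"); // started on the caller thread
        // The "listener" runs on the pool thread; a ThreadLocal lookup would find
        // nothing here, but the spanId carried by ctx locates the span regardless.
        pool.submit(() -> {
            tracer.setAttribute(ctx, "security.authenticator.type", ctx.authenticatorType);
            Map<String, String> ended = tracer.stopTrace(ctx);
            System.out.println(Thread.currentThread().getName() + " ended span " + ended);
        }).get();
        pool.shutdown();
    }
}
```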
@ankit--sethi ankit--sethi added :Security/Security Security issues without another label >non-issue v9.2.0 labels Aug 21, 2025
@elasticsearchmachine elasticsearchmachine added the Team:Security Meta label for security team label Aug 21, 2025
@elasticsearchmachine

Pinging @elastic/es-security (Team:Security)
