Add role stats to _security/stats

szybia · szybia · commit ca9902571744 · 2025-09-23T13:46:37.000+01:00
diff --git a/server/src/main/resources/transport/definitions/referable/roles_security_stats.csv b/server/src/main/resources/transport/definitions/referable/roles_security_stats.csv
@@ -0,0 +1 @@
+9169000
diff --git a/server/src/main/resources/transport/upper_bounds/9.2.csv b/server/src/main/resources/transport/upper_bounds/9.2.csv
@@ -1 +1 @@
-security_stats_endpoint,9168000
+roles_security_stats,9169000
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/stats/GetSecurityStatsNodeResponse.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/stats/GetSecurityStatsNodeResponse.java
@@ -7,32 +7,74 @@
 
 package org.elasticsearch.xpack.core.security.action.stats;
 
+import org.elasticsearch.TransportVersion;
 import org.elasticsearch.action.support.nodes.BaseNodeResponse;
 import org.elasticsearch.cluster.node.DiscoveryNode;
 import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.common.io.stream.StreamOutput;
+import org.elasticsearch.core.Nullable;
 import org.elasticsearch.xcontent.ToXContentObject;
 import org.elasticsearch.xcontent.XContentBuilder;
 
 import java.io.IOException;
+import java.util.Collections;
+import java.util.Map;
+import java.util.Objects;
 
 public class GetSecurityStatsNodeResponse extends BaseNodeResponse implements ToXContentObject {
 
+    private static final TransportVersion ROLES_SECURITY_STATS = TransportVersion.fromName("roles_security_stats");
+
+    @Nullable
+    private final Map<String, Object> rolesStoreStats;
+
     public GetSecurityStatsNodeResponse(final StreamInput in) throws IOException {
         super(in);
+        this.rolesStoreStats = in.getTransportVersion().supports(ROLES_SECURITY_STATS) ? in.readGenericMap() : null;
     }
 
-    public GetSecurityStatsNodeResponse(final DiscoveryNode node) {
+    public GetSecurityStatsNodeResponse(final DiscoveryNode node, @Nullable final Map<String, Object> rolesStoreStats) {
         super(node);
+        this.rolesStoreStats = rolesStoreStats;
     }
 
     @Override
     public void writeTo(final StreamOutput out) throws IOException {
         super.writeTo(out);
+        if (out.getTransportVersion().supports(ROLES_SECURITY_STATS)) {
+            out.writeGenericMap(rolesStoreStats);
+        }
     }
 
     @Override
     public XContentBuilder toXContent(final XContentBuilder builder, final Params params) throws IOException {
+        if (rolesStoreStats != null) {
+            builder.field("roles", rolesStoreStats);
+        }
         return builder;
     }
+
+    @Override
+    public boolean equals(Object o) {
+        return this == o
+            || (o instanceof GetSecurityStatsNodeResponse that
+                && Objects.equals(getNode(), that.getNode())
+                && Objects.equals(rolesStoreStats, that.rolesStoreStats));
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(getNode(), rolesStoreStats);
+    }
+
+    // for testing
+    @Nullable
+    Map<String, Object> getRolesStoreStats() {
+        return rolesStoreStats == null ? null : Collections.unmodifiableMap(rolesStoreStats);
+    }
+
+    // for testing
+    DiscoveryNode getDiscoveryNode() {
+        return getNode();
+    }
 }
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/action/stats/GetSecurityStatsNodeResponseTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/action/stats/GetSecurityStatsNodeResponseTests.java
@@ -0,0 +1,40 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.core.security.action.stats;
+
+import org.elasticsearch.cluster.node.DiscoveryNodeUtils;
+import org.elasticsearch.common.io.stream.Writeable;
+import org.elasticsearch.test.AbstractWireSerializingTestCase;
+
+import java.io.IOException;
+import java.util.Map;
+
+public class GetSecurityStatsNodeResponseTests extends AbstractWireSerializingTestCase<GetSecurityStatsNodeResponse> {
+
+    @Override
+    protected Writeable.Reader<GetSecurityStatsNodeResponse> instanceReader() {
+        return GetSecurityStatsNodeResponse::new;
+    }
+
+    @Override
+    protected GetSecurityStatsNodeResponse createTestInstance() {
+        return new GetSecurityStatsNodeResponse(
+            DiscoveryNodeUtils.create(randomUUID()),
+            randomBoolean() ? null : Map.of("key", randomUUID())
+        );
+    }
+
+    @Override
+    protected GetSecurityStatsNodeResponse mutateInstance(GetSecurityStatsNodeResponse instance) throws IOException {
+        return switch (randomIntBetween(0, 1)) {
+            case 0 -> new GetSecurityStatsNodeResponse(DiscoveryNodeUtils.create(randomUUID()), instance.getRolesStoreStats());
+            case 1 -> new GetSecurityStatsNodeResponse(instance.getDiscoveryNode(), Map.of("key", randomUUID()));
+            default -> throw new IllegalStateException("Unexpected value");
+        };
+    }
+}
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/stats/TransportSecurityStatsAction.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/stats/TransportSecurityStatsAction.java
@@ -6,12 +6,14 @@
  */
 package org.elasticsearch.xpack.security.action.stats;
 
+import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.action.FailedNodeException;
 import org.elasticsearch.action.support.ActionFilters;
 import org.elasticsearch.action.support.nodes.TransportNodesAction;
 import org.elasticsearch.cluster.node.DiscoveryNode;
 import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.common.io.stream.StreamInput;
+import org.elasticsearch.core.Nullable;
 import org.elasticsearch.injection.guice.Inject;
 import org.elasticsearch.tasks.Task;
 import org.elasticsearch.threadpool.ThreadPool;
@@ -21,9 +23,12 @@
 import org.elasticsearch.xpack.core.security.action.stats.GetSecurityStatsNodeResponse;
 import org.elasticsearch.xpack.core.security.action.stats.GetSecurityStatsNodesRequest;
 import org.elasticsearch.xpack.core.security.action.stats.GetSecurityStatsNodesResponse;
+import org.elasticsearch.xpack.security.authz.store.CompositeRolesStore;
 
 import java.io.IOException;
 import java.util.List;
+import java.util.Map;
+import java.util.concurrent.CompletableFuture;
 
 public class TransportSecurityStatsAction extends TransportNodesAction<
     GetSecurityStatsNodesRequest,
@@ -32,12 +37,16 @@ public class TransportSecurityStatsAction extends TransportNodesAction<
     GetSecurityStatsNodeResponse,
     Void> {
 
+    @Nullable
+    private final CompositeRolesStore rolesStore;
+
     @Inject
     public TransportSecurityStatsAction(
         ThreadPool threadPool,
         ClusterService clusterService,
         TransportService transportService,
-        ActionFilters actionFilters
+        ActionFilters actionFilters,
+        CompositeRolesStore rolesStore
     ) {
         super(
             GetSecurityStatsAction.INSTANCE.name(),
@@ -47,6 +56,7 @@ public TransportSecurityStatsAction(
             GetSecurityStatsNodeRequest::new,
             threadPool.executor(ThreadPool.Names.MANAGEMENT)
         );
+        this.rolesStore = rolesStore;
     }
 
     @Override
@@ -70,6 +80,12 @@ protected GetSecurityStatsNodeResponse newNodeResponse(final StreamInput in, fin
 
     @Override
     protected GetSecurityStatsNodeResponse nodeOperation(final GetSecurityStatsNodeRequest request, final Task task) {
-        return new GetSecurityStatsNodeResponse(clusterService.localNode());
+        final CompletableFuture<Map<String, Object>> rolesStatsFuture = new CompletableFuture<>();
+        if (rolesStore == null) {
+            rolesStatsFuture.complete(null);
+        } else {
+            rolesStore.usageStats(ActionListener.wrap(rolesStatsFuture::complete, rolesStatsFuture::completeExceptionally));
+        }
+        return new GetSecurityStatsNodeResponse(clusterService.localNode(), rolesStatsFuture.join());
     }
 }
diff --git a/x-pack/plugin/src/yamlRestTest/resources/rest-api-spec/test/security/stats/10_skeleton.yml b/x-pack/plugin/src/yamlRestTest/resources/rest-api-spec/test/security/stats/10_skeleton.yml
@@ -1,5 +1,5 @@
 ---
-"Security stats returns empty response":
+"Security stats returns a number of stats":
   - requires:
       cluster_features: [ "security_stats_endpoint" ]
       reason: Introduced in 9.2
@@ -9,4 +9,4 @@
 
   - set:
       nodes._arbitrary_key_: node_id
-  - length: { nodes.$node_id: 0 }
+  - length: { nodes.$node_id: 1 }
diff --git a/x-pack/plugin/src/yamlRestTest/resources/rest-api-spec/test/security/stats/20_roles_stats.yml b/x-pack/plugin/src/yamlRestTest/resources/rest-api-spec/test/security/stats/20_roles_stats.yml
@@ -0,0 +1,14 @@
+---
+"Security stats return roles stats":
+  - requires:
+      cluster_features: [ "security_stats_endpoint" ]
+      reason: Introduced in 9.2
+
+  - do:
+      security.get_stats: {}
+
+  - set:
+      nodes._arbitrary_key_: node_id
+  - match: { nodes.$node_id.roles.dls.bit_set_cache.hits: 0 }
+  - match: { nodes.$node_id.roles.file.remote_indices: 0 }
+  - match: { nodes.$node_id.roles.native.remote_indices: 0 }

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-security_stats_endpoint,9168000`
	`1`	`+roles_security_stats,9169000`