Add user information to slowlog

[jfreden]

This PR adds two new index settings:

 index.search.slowlog.include.user: true | false
 index.indexing.slowlog.include.user: true | false

When enabled, depending on the authenticated user, the slow log will have a subset of these additional fields:

user.name - the user principal 
user.effective.name - the effective user (usually same as user.name but different for run-as)
user.realm - realm for authenticated user
user.effective.realm - realm for effective user (usually same as user.name but different for run-as)
auth.type - one of TOKEN | REALM | API_KEY
apikey.id - id of apikey if applicable
apikey.name - name of apikey if applicable

Example

{
  "@timestamp": "2024-02-21T12:42:37.255Z",
  "log.level": "WARN",
  "auth.type": "REALM",
  "elasticsearch.slowlog.id": null,
  "elasticsearch.slowlog.message": "[index6][0]",
  "elasticsearch.slowlog.search_type": "QUERY_THEN_FETCH",
  "elasticsearch.slowlog.source": "{\"query\":{\"match_all\":{\"boost\":1.0}}}",
  "elasticsearch.slowlog.stats": "[]",
  "elasticsearch.slowlog.took": "747.3micros",
  "elasticsearch.slowlog.took_millis": 0,
  "elasticsearch.slowlog.total_hits": "1 hits",
  "elasticsearch.slowlog.total_shards": 1,
  "user.effective.name": "elastic",
  "user.effective.realm": "reserved",
  "user.name": "elastic",
  "user.realm": "reserved",
  "ecs.version": "1.2.0",
  "service.name": "ES_ECS",
  "event.dataset": "elasticsearch.index_search_slowlog",
  "process.thread.name": "elasticsearch[runTask-0][search][T#5]",
  "log.logger": "index.search.slowlog.query",
  "elasticsearch.cluster.uuid": "Ui23kfF1SHKJwu_hI1iPPQ",
  "elasticsearch.node.id": "JK-jn-XpQ3OsDUsq5ZtfGg",
  "elasticsearch.node.name": "node-0",
  "elasticsearch.cluster.name": "distribution_run"
}

TODO

• TBD if this should be behind gold license or not.
• Add a PR or issue to update beats slow log integration to consume the new fields

[jfreden]

Do we want token name here for service accounts?

[elasticsearchmachine]

Pinging @elastic/es-security (Team:Security)

[elasticsearchmachine]

Pinging @elastic/es-docs (Team:Docs)

[jakelandis]

looking good. a couple comments

[jakelandis]

Looking really good, just a couple last comments w.r.t. to exactly what we log.

[mark-vieira]

Do we need to create another QA project here? It seems we could just move SecuritySlowLogIT into one of the existing security QA projects.

[jfreden]

Thanks for reviewing!

I created a new one because the audit log had a separate one and it felt like they're a little similar. Thinking some more about it this could also fit in with the security-basic tests, since it's part of the basic licence. I'll move it there.

[pgomulka]

it looks great, but please change the example to not use guid
also left one question

[pgomulka]

Security is a Plugin subclass. Are you sure we want to depend on such a high level entry point class? When do we use this constructor?
We are 'providing' this instance via SPI, so the other noarg constructor is used , right?

[jfreden]

Thanks for calling this out.

The one arg constructor is called from here, where the parameter has to be a Plugin and the auth context that is needed is only available in the Security plugin.

To pass "SPI validation" the provided implementation needs to be declared in module-info and one of the validation requirements is that it has a no arg constructor, but we never actually call it. I'll add an IllegalStateException to the no arg constructor like we do here to make sure we don't end up in that state.

[jakelandis]

LGTM

Nice work ! This will really help with troubleshooting.
Also, don't forget to update (or log the request) to update the mappings for beats integration. (i think here)

[jfreden]

@elasticmachine update branch

[syepes]

+1