@szybia szybia commented Sep 16, 2025

  • Add /_security/stats endpoint with skeleton body:
{
  "nodes": {
    "80M94RoASGqYcyRa7GI7gQ": {},
    "iQqwop8VTNS5YM_HLcgXEw": {},
    "g-90TEEpTpSZ7xFcLryUKA": {}
  }
}
  • Shouldn't be contentious, extensible to whatever we decide in future PRs in regards to body structure and extra sub-endpoints
  • First time adding an endpoint, so more in-depth review would be appreciated
  • Adding DLS cache stats should be as easy as: c97e7b5, which would yield:
{
  "nodes": {
    "UvzwIk80R0OO5WiEoiWFIQ": {
      "roles": {
        "file": {
          "remote_indices": 0,
          "dls": false,
          "size": 1,
          "fls": false,
          "remote_cluster": 0
        },
        "native": {
          "remote_indices": 0,
          "dls": false,
          "size": 0,
          "fls": false,
          "remote_cluster": 0
        },
        "dls": {
          "bit_set_cache": {
            "count": 0,
            "memory": "0b",
            "memory_in_bytes": 0,
            "hits": 0,
            "misses": 0,
            "evictions": 0,
            "hits_time_in_millis": 0,
            "misses_time_in_millis": 0
          }
        }
      }
    }
  }
}
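
An added example, not part of the PR or the Elasticsearch code base: a small Python consumer for the response shape shown in the description above, which summarises the proposed `bit_set_cache` figures per node and tolerates the empty skeleton bodies. The node ids, counter values and the 0.8 hit-ratio threshold are constructed for illustration.

```python
import json

# Constructed sample in the shape shown in the PR description: "node-a" carries
# the proposed DLS stats, "node-b" is a skeleton body, "node-c" has an idle cache.
SAMPLE = json.loads("""
{"nodes": {
  "node-a": {"roles": {"dls": {"bit_set_cache": {
      "count": 5, "memory_in_bytes": 2048, "hits": 300, "misses": 100, "evictions": 12}}}},
  "node-b": {},
  "node-c": {"roles": {"dls": {"bit_set_cache": {
      "count": 0, "memory_in_bytes": 0, "hits": 0, "misses": 0, "evictions": 0}}}}
}}
""")


def bitset_cache_summary(response):
    """Map node id -> cache figures, or None when the node reports no DLS stats."""
    summary = {}
    for node_id, body in response.get("nodes", {}).items():
        cache = (body.get("roles") or {}).get("dls", {}).get("bit_set_cache")
        if not isinstance(cache, dict):
            summary[node_id] = None  # skeleton body, e.g. a node without the stats
            continue
        hits, misses = int(cache.get("hits", 0)), int(cache.get("misses", 0))
        lookups = hits + misses
        summary[node_id] = {
            "entries": int(cache.get("count", 0)),
            "memory_in_bytes": int(cache.get("memory_in_bytes", 0)),
            "evictions": int(cache.get("evictions", 0)),
            # No lookups yet means no ratio, not 0% or 100%.
            "hit_ratio": hits / lookups if lookups else None,
        }
    return summary


def low_hit_ratio_nodes(summary, min_hit_ratio=0.8):
    """Node ids whose hit ratio is below the (hypothetical) threshold."""
    return sorted(
        node_id for node_id, stats in summary.items()
        if stats and stats["hit_ratio"] is not None and stats["hit_ratio"] < min_hit_ratio
    )


if __name__ == "__main__":
    result = bitset_cache_summary(SAMPLE)
    print(json.dumps(result, indent=2))
    print("below threshold:", low_hit_ratio_nodes(result))
```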

elasticsearchmachine and others added 4 commits September 16, 2025 19:17
* upstream/main:
  Add additional logging to make spotting stats issues easier (elastic#133972)
  [ESQL] Clean up ESQL enrich landing page (elastic#134820)
  ES|QL: Make kibana docs for Query settings more consistent (elastic#134881)
  Add file extension metadata to cache miss counter from SharedBlobCacheService (elastic#134374)
  Add IT for num_reduced_phases with batched query execution (elastic#134312)
  Remove `SizeValue` (elastic#134871)
@szybia szybia added >enhancement :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC labels Sep 17, 2025
@elasticsearchmachine

Hi @szybia, I've created a changelog YAML for you.

@szybia szybia requested review from joegallo and tvernum September 17, 2025 12:51
@szybia szybia marked this pull request as ready for review September 17, 2025 12:52
@elasticsearchmachine elasticsearchmachine added the Team:Security Meta label for security team label Sep 17, 2025
@elasticsearchmachine

Pinging @elastic/es-security (Team:Security)

@tvernum tvernum left a comment

At a high level this looks good to me.

I let @joegallo review the minute details like the NodeFeature, etc but the URI, response shape, etc all look right to me.

@joegallo

joegallo commented Sep 19, 2025

I'm not sure how we typically handle new transport actions and mixed mode clusters during upgrade. It seems like things wouldn't be happy if you have a pre-whatever cluster and one single node that's been upgraded to have this code, and then you hit the GET _security/stats endpoint on that one upgraded node. Perhaps the feature should be used to guard some of this? I'm not sure if we typically handle that scenario or not.

edit: a little birdie told me:

Yeah you need to make it a org.elasticsearch.features.NodeFeature and then use the Predicate<NodeFeature> clusterSupportsFeature parameter passed to ActionPlugin#getRestHandlers to determine whether the cluster supports the API or not.

It should also be a new transport protocol version, with something in GetSecurityStatsNodeRequest#writeTo which throws an UnsupportedOperationException if the transport version is too old.

szybia and others added 6 commits September 19, 2025 18:02
* upstream/main:
  Turn NumericValues into functional interface (elastic#135068)
  Improve block loader for source only runtime fields of type keyword (elastic#135026)
  Mute org.elasticsearch.xpack.esql.qa.single_node.EsqlSpecIT test {csv-spec:stats.StdDeviationGroupedAllTypes} elastic#135103
  Mute org.elasticsearch.xpack.esql.qa.single_node.EsqlSpecIT test {csv-spec:stats.StdDeviationWithLongs} elastic#135102
  Mute org.elasticsearch.xpack.esql.qa.single_node.EsqlSpecIT test {csv-spec:inlinestats.StdDevFilter} elastic#135101
  Mute org.elasticsearch.xpack.esql.qa.single_node.EsqlSpecIT test {csv-spec:stats.StdDevFilter} elastic#135100
  Remove track_live_docs_in_memory_bytes feature flag (elastic#134900)
  Create SPI to allow prohibiting certain top-level mappings (elastic#132360)
  Only validate primary ids on release branches (elastic#135044)
  Added no-op support for project_routing query param to REST endpoints that will support cross-project search (elastic#134741)
  Fix race in FileSettingsServiceIT.testSettingsAppliedOnStart (elastic#134368)
* upstream/main: (50 commits)
  Disable utf-8 parsing optimization (elastic#135172)
  rest-api-spec: fix master_timeout typo (elastic#135167)
  Fixes countDistinctWithConditions in csv-spec tests (elastic#135097)
  Fix test failure by checking for feature flag (elastic#135174)
  Fix deadlock in ThreadPoolMergeScheduler when a failing merge closes the IndexWriter (elastic#134656)
  Make SecureString comparisons constant time (elastic#135053)
  Mute org.elasticsearch.test.rest.yaml.CcsCommonYamlTestSuiteIT test {p0=search/160_exists_query/Test exists query on mapped geo_point field with no doc values} elastic#135164
  ESQL: Replace function count tests (elastic#134951)
  Mute org.elasticsearch.compute.aggregation.SampleBooleanAggregatorFunctionTests testSimpleWithCranky elastic#135163
  Mute org.elasticsearch.xpack.test.rest.XPackRestIT test {p0=analytics/nested_top_metrics_sort/terms order by top metrics numeric not null integer values} elastic#135162
  Mute org.elasticsearch.xpack.test.rest.XPackRestIT test {p0=analytics/nested_top_metrics_sort/terms order by top metrics numeric not null double values} elastic#135159
  TSDB ingest performance: combine routing and tsdb hashing (elastic#132566)
  Mute org.elasticsearch.compute.aggregation.SampleBytesRefAggregatorFunctionTests testSimpleWithCranky elastic#135157
  Mute org.elasticsearch.xpack.logsdb.qa.BulkStoredSourceChallengeRestIT testHistogramAggregation elastic#135156
  Mute org.elasticsearch.xpack.logsdb.qa.StandardVersusStandardReindexedIntoLogsDbChallengeRestIT testHistogramAggregation elastic#135155
  Mute org.elasticsearch.xpack.logsdb.qa.LogsDbVersusLogsDbReindexedIntoStandardModeChallengeRestIT testHistogramAggregation elastic#135154
  Mute org.elasticsearch.xpack.logsdb.qa.BulkChallengeRestIT testHistogramAggregation elastic#135153
  Mute org.elasticsearch.discovery.ClusterDisruptionIT testAckedIndexing elastic#117024
  Mute org.elasticsearch.lucene.RollingUpgradeSearchableSnapshotIndexCompatibilityIT testMountSearchableSnapshot {p0=[9.2.0, 9.2.0, 9.2.0]} elastic#135151
  Mute org.elasticsearch.lucene.RollingUpgradeSearchableSnapshotIndexCompatibilityIT testSearchableSnapshotUpgrade {p0=[9.2.0, 9.2.0, 9.2.0]} elastic#135150
  ...
@joegallo joegallo left a comment

LGTM -- I kicked off one more run of CI since the last successful one was from Friday, but once that lands I think we're good to go. 👍

@szybia szybia enabled auto-merge (squash) September 22, 2025 17:48
@szybia szybia merged commit 413a3d0 into elastic:main Sep 22, 2025
40 checks passed
@szybia szybia deleted the security-stats branch September 22, 2025 19:06
gmjehovich pushed a commit to gmjehovich/elasticsearch that referenced this pull request Sep 22, 2025
Empty multi-node skeleton response to start.
Labels

>enhancement :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Security Meta label for security team v9.2.0
