Read value of remote_user in Slow Query Logs of Query Frontend from a HTTP header

[wndhydrnt]

trafficstars

Is your proposal related to a problem?

Slow Query Logs of the Query Frontend component play an important part in identifying rogue queries. It is useful to know which user executed a query. The field remote_user is currently set by extracting the username from the Authorization header. Our setup does not use Basic Authentication. Instead, a proxy in front of Query Frontend handles the authentication. That proxy can pass the username along as a HTTP header. We would like to set the value of the HTTP header as the value of remote_user.

Describe the solution you'd like

• Query Frontend exposes a new flag, --query-frontend.slow-query-log-user-header (proposal, any other name will do).
• When --query-frontend.slow-query-log-user-header is set to, for example, X-Forwarded-User, Query Frontend sets the value of that header as the value of the field remote_user in the Slow Query Logs.

Describe alternatives you've considered

Somehow make the proxy "fake" the Basic Authentication header. That proved too difficult.

Additional context

The feature was introduced in #6153.

[wndhydrnt]

Would like to work on this. Do maintainers think that this feature is worth a PR?

[fpetkovski]

I think this can be useful. Don't we already log Grafana specific headers, like the dashboard ID?

[wndhydrnt]

Correct, the Slow Query Log already can handle headers like X-Dashboard-Uid. With this feature implemented, operators can utilize the send_user_header configuration option.