We want this in case we figure out that someone is intentionally issuing queries that are really really nasty.

Change 106430 had a related patch set uploaded by Manybubbles:
Add the user to Cirrus logs

https://gerrit.wikimedia.org/r/106430

Are there any privacy policy-related issues that need to be considered for this?

I note that the patch is just logging the user's username (or IP if anonymous), but the bug specifically says IP address.

(In reply to comment #3)

Are there any privacy policy-related issues that need to be considered for
this?

I note that the patch is just logging the user's username (or IP if
anonymous),
but the bug specifically says IP address.

I guess it'd be we can only keep the data for 3 months (same for other "sensitive" data such as IPs we keep around)

I think we're over-logging here...we should only log when bad/slow things happen, not on every single search.

Anyway, I left more detailed comments on the change.

Change 106430 merged by jenkins-bot:
Split request logs out from debug logs

https://gerrit.wikimedia.org/r/106430

So this gets properly immortalized: we're only capturing the requester information on requests that take an egregious amount of time.