From 2033b172a3812e690b7eb13422bb1d41e61b24e3 Mon Sep 17 00:00:00 2001
From: Julia Bardi
Date: Mon, 4 Aug 2025 16:38:47 +0200
Subject: [PATCH 1/2] add privileges to kibana_system to read integrations data
---
 .../authz/store/KibanaOwnedReservedRoleDescriptors.java | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
index 96287843e6943..eb0c77deb86c2 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
@@ -328,6 +328,8 @@ static RoleDescriptor kibanaSystem(String name) {
 "indices:admin/data_stream/lifecycle/put"
 )
 .build(),
+ // Read datasets for auto install content packages feature in Fleet
+ RoleDescriptor.IndicesPrivileges.builder().indices("logs-*", "metrics-*", "traces-*").privileges("read").build(),
 // Endpoint specific action responses. Kibana reads and writes (for third party
 // agents) to the index to display action responses to the user.
 // `create_index`: is necessary in order to ensure that the DOT datastream index is
From 12b0924a8bd9961aedbe1052075c6b4506c54090 Mon Sep 17 00:00:00 2001
From: Julia Bardi
Date: Mon, 4 Aug 2025 17:27:50 +0200
Subject: [PATCH 2/2] fix tests
---
 .../core/security/authz/store/ReservedRolesStoreTests.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index 21e3d3ad0cd6c..04e0355f7a773 100644
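Review bot: The added `IndicesPrivileges` entry gives the reserved `kibana_system` role `read` on everything matching `logs-*`, `metrics-*` and `traces-*`, which is document-level access to all data under those prefixes rather than only the integration datasets the comment refers to. If the Fleet feature only needs to learn which datasets exist, a metadata-level privilege such as `view_index_metadata` would presumably be enough and keeps the role closer to least privilege. If `read` really is required, the comment should say so and name the scope, for example `// Grants document-level read on all logs-*, metrics-* and traces-* data; needed by Fleet to read datasets when auto-installing content packages`. The builder chain in `kibanaSystem` starts and ends outside this hunk, so other grants on the same patterns may already exist there.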
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -1397,7 +1397,10 @@ public void testKibanaSystemRole() {
 || indexName.startsWith(".logs-endpoint.actions-")
 || indexName.startsWith(".logs-endpoint.action.responses-")
 || indexName.startsWith(".logs-endpoint.heartbeat-")
- || indexName.startsWith(".logs-osquery_manager.actions-");
+ || indexName.startsWith(".logs-osquery_manager.actions-")
+ || indexName.startsWith("logs-")
+ || indexName.startsWith("metrics-")
+ || indexName.startsWith("traces-");
 assertThat(
 kibanaRole.indices().allowedIndicesMatcher(TransportGetAction.TYPE.name()).test(indexAbstraction),
 is(isAlsoReadIndex)
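Review bot: The three new `startsWith` clauses are exercised only through the `TransportGetAction` assertion in the visible lines, so the test confirms the widened grant but not its limits. Because the role change is `read` only, an assertion that a write or delete action stays denied on a plain `logs-…`, `metrics-…` or `traces-…` name would pin the boundary, if the loop does not already do that. `testKibanaSystemRole` continues outside this hunk, so such checks may exist elsewhere in the method.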