[Fleet] add privileges to kibana_system to read integrations data
#132501
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…s data (elastic#132400)" This reverts commit 364c70e.
…lastic#132400) * add privileges to kibana_system to read integrations data * fix tests
elasticsearchmachine
added
external-contributor
juliaElastic
added
>non-issue
:Core/Infra/Plugins
…lastic#132400) * add privileges to kibana_system to read integrations data * fix tests
|
Pinging @elastic/es-core-infra (Team:Core/Infra) |
|
Hi @juliaElastic - thanks for reverting and reopening this. We are on On-Week, this week - so expect a slightly slower review. But i'll raise this with the team anyway and let you know the outcome. |
juliaElastic
added
the
cloud-deploy
10 tasks
SiddharthMantri
requested changes
Aug 27, 2025
| ) | ||
| .build(), | ||
| // Read datasets for auto install content packages feature in Fleet | ||
| RoleDescriptor.IndicesPrivileges.builder().indices("logs-*", "metrics-*", "traces-*").privileges("read").build(), |
There was a problem hiding this comment.
Hi @juliaElastic - on the related Kibana PR here: https://github.com/elastic/kibana/pull/230369/files#diff-53e6fb38de62c0f181daadc9c2b0301b019268fc469e00d56eeca3a1a523aca1R299-R302 Are you requesting read privileges on logs- and metrics- for reading the dataStream dataset name?
If so, you only require view_index_metadata privileges: https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-indices-get-data-stream.
There was a problem hiding this comment.
Hm we should be able to derive the dataset from the data stream name metrics-<dataset>-<namespace>.
Just to check, is there a way to only read the data_stream.dataset field in the data stream docs?
There was a problem hiding this comment.
Not sure tbh. Probably a question for ES team but from my initial understanding of the Datastreams API, you can't derive specific fields like dataset as that would require read privileges again.
There was a problem hiding this comment.
Checked locally and it should be good to use the data streams API, kibana_system already has the privileges:
I'll change the implementation in kibana and this pr can be closed. Thanks!
There was a problem hiding this comment.
Amazing, thank you for your patience and the changes.
juliaElastic
added a commit
to elastic/kibana
that referenced
this pull request
Aug 27, 2025
## Summary Closes elastic/ingest-dev#5872 Blocked by elastic/elasticsearch#132501 ## Release note Enable feature to auto install content packages where data is ingested for the matching datasets defined in the packages' discovery fields. ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md) - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [ ] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker) - [ ] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations. - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [ ] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [ ] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels. ### Identify risks Does this PR introduce any risks? For example, consider risks like hard to test bugs, performance regression, potential of data loss. Describe the risk, its severity, and mitigation for each identified risk. Invite stakeholders and evaluate how to proceed before merging. - [ ] [See some risk examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx) - [ ] ...
kowalczyk-krzysztof
pushed a commit
to kowalczyk-krzysztof/kibana
that referenced
this pull request
Aug 30, 2025
…ic#232668) ## Summary Closes elastic/ingest-dev#5872 Blocked by elastic/elasticsearch#132501 ## Release note Enable feature to auto install content packages where data is ingested for the matching datasets defined in the packages' discovery fields. ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md) - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [ ] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker) - [ ] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations. - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [ ] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [ ] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels. ### Identify risks Does this PR introduce any risks? For example, consider risks like hard to test bugs, performance regression, potential of data loss. Describe the risk, its severity, and mitigation for each identified risk. Invite stakeholders and evaluate how to proceed before merging. - [ ] [See some risk examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx) - [ ] ...
qn895
pushed a commit
to qn895/kibana
that referenced
this pull request
Sep 2, 2025
…ic#232668) ## Summary Closes elastic/ingest-dev#5872 Blocked by elastic/elasticsearch#132501 ## Release note Enable feature to auto install content packages where data is ingested for the matching datasets defined in the packages' discovery fields. ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md) - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [ ] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker) - [ ] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations. - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [ ] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [ ] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels. ### Identify risks Does this PR introduce any risks? For example, consider risks like hard to test bugs, performance regression, potential of data loss. Describe the risk, its severity, and mitigation for each identified risk. Invite stakeholders and evaluate how to proceed before merging. - [ ] [See some risk examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx) - [ ] ...
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
gradle check? yesRelates elastic/kibana#230369
Relates https://github.com/elastic/ingest-dev/issues/5685
kibana_systemneeds permission to read integrations data streamslogs-*,metrics-*,traces-*to support the auto install content packages feature.Fleet checks ingested
data_stream.datasetvalues to see if any content packages match that can be auto installed.Context: #132400 (review)
Readd the change to discuss with kibana-security.
PR ready after the revert is merged: #132499