juliaElastic
Contributor

  • Have you signed the contributor license agreement? yes
  • Have you followed the contributor guidelines? yes
  • If submitting code, have you built your formula locally prior to submission with gradle check? yes
  • If submitting code, is your pull request against main? Unless there is a good reason otherwise, we prefer pull requests against main and will backport as needed. yes
  • If submitting code, have you checked that your submission is for an OS and architecture that we support? yes
  • If you are submitting this code for a class then read our policy for that. yes

Relates elastic/kibana#230369
Relates https://github.com/elastic/ingest-dev/issues/5685

kibana_system needs permission to read integrations data streams logs-*,metrics-*,traces-* to support the auto install content packages feature.
Fleet checks ingested data_stream.dataset values to see if any content packages match that can be auto installed.

@juliaElastic juliaElastic self-assigned this Aug 4, 2025
@juliaElastic juliaElastic requested a review from a team as a code owner August 4, 2025 14:44
@juliaElastic juliaElastic added :Core/Infra/Plugins Plugin API and infrastructure Team:Fleet labels Aug 4, 2025
@elasticsearchmachine
Collaborator

Pinging @elastic/es-core-infra (Team:Core/Infra)

@elasticsearchmachine elasticsearchmachine added Team:Core/Infra Meta label for core/infra team v9.2.0 external-contributor Pull request authored by a developer outside the Elasticsearch team labels Aug 4, 2025
@criamico criamico left a comment

LGTM

Contributor

@jillguyonnet jillguyonnet left a comment

LGTM

juliaElastic added a commit to elastic/kibana that referenced this pull request Aug 5, 2025
## Summary

Follow up for elastic/ingest-dev#5685

Fix fleet config to change auto install content packages task interval:

```
# enable feature flag
xpack.fleet.enableExperimental: ['enableAutoInstallContentPackages']
# change interval
xpack.fleet.autoInstallContentPackages.taskInterval: 15s
```

Also use prerelease flag from settings to be able to test auto install prerelease content package like system_otel:

Added `discovery.datasets` field to `system_otel` package to test with, but for some reason the datasets values are not showing up in the EPR response ([PR](elastic/integrations#14770))

Tested with the package built locally and starting a local registry: [system_otel-0.2.0.zip](https://github.com/user-attachments/files/21574295/system_otel-0.2.0.zip)

Update: this now works, had to pull the latest registry docker image

```
# start local registry
docker run -v /Users/juliabardi/kibana/x-pack/platform/test/fleet_api_integration/apis/fixtures/package_registry_config.yml:/package-registry/config.yml -v /Users/juliabardi/kibana/x-pack/platform/test/fleet_api_integration/apis/fixtures/test_packages:/packages/test-packages -v /Users/juliabardi/kibana/x-pack/platform/test/fleet_api_integration/apis/fixtures/package_verification/packages/zips:/packages/signed-test-packages -p 12345:8080 docker.elastic.co/package-registry/distribution:lite

# use local registry in kibana config
xpack.fleet.registryUrl: http://localhost:12345

http://localhost:12345/search?prerelease=true&type=content&spec.min=2.3&spec.max=3.4&discovery=datasets:hostmetricsreceiver.otel

[
  {
    name: "system_otel",
    title: "System OpenTelemetry Assets",
    version: "0.2.0",
    release: "beta",
    description: "Dashboards for the OpenTelemetry data collected with the `hostmetrics` receiver.",
    type: "content",
    ...
    discovery: { datasets: [ { name: "hostmetricsreceiver.otel" } ] }
  }
]
```

Generated some otel data by following the instructions in OpenTelemetry integration in a multipass VM:

```
arch=$(if ([[ $(arch) == "arm" || $(arch) == "aarch64" ]]); then echo "arm64"; else echo $(arch); fi)

curl --output elastic-distro-9.1.0-linux-$arch.tar.gz --url https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-9.1.0-linux-$arch.tar.gz --proto '=https' --tlsv1.2 -fL && mkdir -p elastic-distro-9.1.0-linux-$arch && tar -xvf elastic-distro-9.1.0-linux-$arch.tar.gz -C "elastic-distro-9.1.0-linux-$arch" --strip-components=1 && cd elastic-distro-9.1.0-linux-$arch

rm ./otel.yml && cp ./otel_samples/platformlogs_hostmetrics.yml ./otel.yml && mkdir -p ./data/otelcol && sed -i 's#\${env:STORAGE_DIR}#'"$PWD"/data/otelcol'#g' ./otel.yml && sed -i 's#\${env:ELASTIC_ENDPOINT}#http://192.168.64.1:9200#g' ./otel.yml && sed -i 's/\${env:ELASTIC_API_KEY}/NEdfc2RKZ0JobV8xTXQxMjk0cUY6XzliVWIzSDRYZVBFSU9Ea05FTFdJdw==/g' ./otel.yml
```

And updating pipelines:

```
vim otel.yml

service:
  extensions: [file_storage]
  pipelines:
    metrics/hostmetrics:
      receivers: [hostmetrics/system]
      processors: [resourcedetection, attributes/dataset, resource/process]
      exporters: [elasticsearch/otel]

# start collector
sudo ./otelcol --config otel.yml
```

For some reason the ES|QL query in the task doesn't return the `hostmetricsreceiver.otel` dataset, but is returned when running the same query in dev tools. Might be a permission issue.

```
FROM logs-*,metrics-*,traces-*
| KEEP @timestamp, data_stream.dataset
| WHERE @timestamp > NOW() - 15 minutes
| STATS COUNT(*) BY data_stream.dataset

{
  "took": 6,
  "is_partial": false,
  "documents_found": 5752,
  "values_loaded": 5752,
  "columns": [
    { "name": "COUNT(*)", "type": "long" },
    { "name": "data_stream.dataset", "type": "keyword" }
  ],
  "values": [
    [ 115, "elastic_agent" ],
    [ 27, "elastic_agent.filebeat" ],
    [ 3, "elastic_agent.status_change" ],
    [ 1696, "elastic_agent.metricbeat" ],
    [ 3336, "elastic_agent.fleet_server" ],
    [ 271, "fleet_server.agent_versions" ],
    [ 271, "fleet_server.agent_status" ]
  ]
}
```

Update: Yes, it seems `kibana_system` didn't have privileges to read the integration data streams. Tested locally by adding read access, and now the query returns the expected results and installs the otel content package. I'll create a pr to the elasticsearch repo.

Here it is: elastic/elasticsearch#132400

```
# checkout ES pr, start es from source
yarn es source --license trial -E xpack.security.authc.api_key.enabled=true -E xpack.security.authc.token.enabled=true --source-path=/Users/juliabardi/elasticsearch -E path.data=/tmp/es-data -E xpack.ml.enabled=false -E http.host=0.0.0.0

# kibana logs that run the task
[2025-08-04T15:51:43.748+02:00][DEBUG][plugins.fleet.fleet:auto-install-content-packages-task:1.0.1] [AutoInstallContentPackagesTask] Found datasets with data: hostmetricsreceiver.otel, elastic_agent, fleet_server.agent_status, system.process.summary, system.socket_summary, elastic_agent.filebeat_input, elastic_agent.metricbeat, elastic_agent.filebeat, system.memory, elastic_agent.elastic_agent, generic.otel, elastic_agent.status_change, hostmetricsreceiver, elastic_agent.fleet_server, system.uptime, system.cpu, system.process, system.filesystem, system.fsstat, system.load, fleet_server.agent_versions, system.network, system.diskio
[2025-08-04T15:51:43.748+02:00][DEBUG][plugins.fleet.fleet:auto-install-content-packages-task:1.0.1] [AutoInstallContentPackagesTask] Content packages to install: system_otel@0.2.0
[2025-08-04T15:51:43.748+02:00][DEBUG][plugins.fleet] Kicking off install of system_otel-0.2.0 from registry
```

### Checklist

Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well.

- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials
- [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations.
- [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed
- [ ] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- [ ] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels.

### Identify risks

Does this PR introduce any risks? For example, consider risks like hard to test bugs, performance regression, potential of data loss. Describe the risk, its severity, and mitigation for each identified risk. Invite stakeholders and evaluate how to proceed before merging.

- [ ] [See some risk examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
@juliaElastic juliaElastic merged commit 364c70e into elastic:main Aug 5, 2025
34 checks passed
szybia added a commit to szybia/elasticsearch that referenced this pull request Aug 5, 2025
…cking * upstream/main: (26 commits) [Fleet] add privileges to `kibana_system` to read integrations data (elastic#132400) Add `TestEntitlementsRule` with support for dynamic entitled node paths for testing (elastic#132077) Reduce logging frequency for GCS per project clients (elastic#132429) Skip update/100_synthetic_source tests in yamlRestCompatTests (elastic#132296) Correct exception for missing nested path (elastic#132408) Fixing esql release tests elastic#132369 (elastic#132406) Adjust date docvalue formatting to return 4xx instead of 5xx (elastic#132414) Handle nested fields with the termvectors REST API in artificial docs (elastic#92568) Only collect bulk scored vectors when exceeding min competitive (elastic#132293) Fix release tests diskbbq update (elastic#132405) ESQL: Fix skipping of generative tests (elastic#132390) Short circuit failure handling in OIDC flow (elastic#130618) Small optimization in OptimizedScalarQuantizer by using mul instead of div (elastic#132397) Aggs: Add validation to Bucket script pipeline agg (elastic#132320) ESQL: Multiple parameters in ungrouped aggs (elastic#132375) ESQL: Explain test operators (elastic#132374) EQL: Deal with internally created IN in a different way for EQL (elastic#132167) Speed up hierarchical k-means by computing distances in bulk (elastic#132384) Reduce the number of fields per document (elastic#132322) Assert current thread in ESQL (elastic#132324) ...
delanni pushed a commit to delanni/kibana that referenced this pull request Aug 5, 2025
Contributor

@SiddharthMantri SiddharthMantri left a comment

Post merge review

Caution

TLDR: Kibana security would like to review the breadth of the new permission for the Kibana system user before the next ES Serverless release.

Hi @juliaElastic. Could we please revert the changes before @elastic/kibana-security has a chance to discuss and approve the changes affecting the Kibana system user. We have some concerns about the potential impact of this change and would like to know more about the alternatives that were considered.
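
Added example (not code from this pull request or from Elasticsearch): one way to quantify the breadth raised in the review above, by diffing which data streams a role can read before and after a `read` grant on `logs-*`, `metrics-*`, `traces-*` is added. The role descriptors and stream names are constructed stand-ins, only `*` and `?` wildcards are handled, and only `read` and `all` are counted as read-granting.

```python
import re

# Assumption for this example: only these privilege names are counted as
# granting document reads; every other privilege name is ignored.
READ_GRANTING = {"read", "all"}


def pattern_to_regex(pattern):
    """Compile an index-name pattern with * and ? wildcards into a regex.

    Simplification: /regex/ style patterns are not supported here.
    """
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("".join(out))


def read_patterns(role):
    """Return every name pattern in the role that carries a read-granting privilege."""
    patterns = []
    for grant in role.get("indices", []):
        if READ_GRANTING & set(grant.get("privileges", [])):
            patterns.extend(grant.get("names", []))
    return patterns


def readable(role, name):
    """True if any read-granting pattern of the role matches the full name."""
    return any(pattern_to_regex(p).fullmatch(name) for p in read_patterns(role))


def newly_readable(before, after, names):
    """Names readable under `after` that were not readable under `before`."""
    return sorted(n for n in names if readable(after, n) and not readable(before, n))


def breadth_report(before, after, names):
    """Map each read-granting pattern of `after` to the names it newly exposes."""
    new = newly_readable(before, after, names)
    report = {}
    for pattern in read_patterns(after):
        hits = [n for n in new if pattern_to_regex(pattern).fullmatch(n)]
        if hits:
            report[pattern] = hits
    return report


# Constructed role descriptors in the {"indices": [{"names", "privileges"}]} shape.
# BEFORE is a stand-in, not the real kibana_system definition.
BEFORE = {
    "indices": [
        {"names": [".kibana*"], "privileges": ["all"]},
        {"names": [".fleet-*"], "privileges": ["all"]},
    ]
}
AFTER = {
    "indices": BEFORE["indices"]
    + [{"names": ["logs-*", "metrics-*", "traces-*"], "privileges": ["read"]}]
}

# Constructed data stream names following <type>-<dataset>-<namespace>.
STREAMS = [
    ".kibana_task_manager",
    "logs-elastic_agent-default",
    "logs-payments.audit-prod",
    "metrics-hostmetricsreceiver.otel-default",
    "traces-apm-default",
    "synthetics-http-default",
]

if __name__ == "__main__":
    for pattern, hits in breadth_report(BEFORE, AFTER, STREAMS).items():
        print(f"{pattern}: {len(hits)} newly readable")
        for name in hits:
            print(f"  {name}")
```

The report lists whole data streams because `read` applies to every document in a matching stream, while the Fleet task described in this pull request only consumes `data_stream.dataset` values.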

@juliaElastic
Contributor Author

juliaElastic commented Aug 6, 2025

Sure, I'll revert. Is there a way to prevent merge next time for changes like these?

I'll be on PTO from tomorrow, cc @elastic/fleet to keep the team in the loop.

Re-added the change as a draft, will be ready after the revert is merged: #132501

juliaElastic added a commit to juliaElastic/elasticsearch that referenced this pull request Aug 6, 2025
juliaElastic added a commit to juliaElastic/elasticsearch that referenced this pull request Aug 6, 2025
…lastic#132400) * add privileges to kibana_system to read integrations data * fix tests
juliaElastic added a commit that referenced this pull request Aug 6, 2025
szybia added a commit to szybia/elasticsearch that referenced this pull request Aug 6, 2025
…cking * upstream/main: (24 commits) Revert "[Fleet] add privileges to `kibana_system` to read integrations data (elastic#132400)" (elastic#132499) ESQL: Rename evaluators for FIRST and LAST (elastic#132466) Add inference fields to semantic text docs (elastic#132471) ESQL: Allow FIRST and LAST as method name (elastic#132469) ESQL: Add javadoc for PushDownAndCombineFilters (elastic#132484) Misc cleanups in Coordinator (elastic#132452) [DiskBBQ] Write the maximum posting list size to avoid resizing the docId array (elastic#132447) Improve exception handling for JsonXContentParser (elastic#123439) Clarify quantization on semantic_text BBQ dense vector default (elastic#132470) Fix test infra NPE in doEnsureClusterStateConsistency (elastic#131859) Stabilize CancellableTasksIT#testRemoveBanParentsOnDisconnect (elastic#131858) Move ClusterApplierService assertion after logging exception (elastic#132446) ESQL: Support for multi-argument aggs (elastic#132424) Update wolfi (versioned) (elastic#132457) ESQL: Fix Function javadoc (elastic#132399) [ML] Inference API disable partial search results (elastic#132362) Unmute testTermsQuery tests (elastic#132409) Fix index lookup when field-caps returns empty mapping (elastic#132138) CompressorFactory.compressor (elastic#132448) ESQL add formatting to plans in javadoc (elastic#132421) ...
juliaElastic added a commit to juliaElastic/elasticsearch that referenced this pull request Aug 18, 2025
…lastic#132400) * add privileges to kibana_system to read integrations data * fix tests
NicholasPeretti pushed a commit to NicholasPeretti/kibana that referenced this pull request Aug 18, 2025
Labels

:Core/Infra/Plugins Plugin API and infrastructure external-contributor Pull request authored by a developer outside the Elasticsearch team >non-issue Team:Core/Infra Meta label for core/infra team Team:Fleet v9.2.0

5 participants