[Telemetry] Report data shippers

[afharo]

Summary

Closes #64790

Report if well-known data shippers are used to index documents in the cluster.
Tested on OSS, X-Pack and Monitoring collectors.

Manual tests to explain the behaviour

1. Start a clean cluster:
   The expected payload is an empty array stack_stats.data = []

2. I installed packetbeat in my machine and started it. stack_stats.data is now...

     "data": [
       {
         "shipper": "packetbeat",
         "index_count": 1,
         "ecs_index_count": 1,
         "doc_count": 56686,
         "size_in_bytes": 29042232
       }
     ],
   

3. For packetbeat indices pre-7.0, we didn't have the _meta.beat information, so we'll report it under pattern_name instead. But we'll report the shipper property because we know that index pattern is strictly linked to that shipper. The index pattern is defined as { pattern: 'packetbeat-*', patternName: 'packetbeat', shipper: 'packetbeat' }

       {
         "pattern_name": "packetbeat",
         "shipper": "packetbeat",
         "index_count": 1,
         "ecs_index_count": 0,
         "doc_count": 0,
         "size_in_bytes": 208
       }

4. If I create a new index called citrix-1234, matching the pattern *citrix*, the following is added to the array.

       {
         "pattern_name": "citrix",
         "index_count": 1,
         "ecs_index_count": 0,
         "doc_count": 0,
         "size_in_bytes": 208
       }

5. For the pattern { pattern: '*logs*', patternName: 'third-party-logs' }, I create some indices containing logs in their name:

   PUT logs-custom-index-1234
   PUT <logs-custom-index-{now%2Fd}-12345>
   PUT <custom-logs-index-{now%2Fd}-12345>
   

   The following payload is added to the data array:

       {
         "pattern_name": "third-party-logs",
         "index_count": 3,
         "ecs_index_count": 0,
         "doc_count": 0,
         "size_in_bytes": 624
       }

6. If I create an index following the New Indexing Strategy

   PUT events-something-namespace-123124
   {
     "mappings": {
       "_meta": {
         "beat": "my-beat"
       },
       "properties": {
         "ecs": {
           "properties": {
             "version": {
               "type": "keyword"
             }
           }
         },
         "dataset": {
           "properties": {
             "name": {
               "type": "constant_keyword",
               "value": "something"
             },
             "type": {
               "type": "constant_keyword",
               "value": "events"
             }
           }
         }
       }
     }
   }
   

   We read the values from the mappings and include the following object to the data array:

       {
         "dataset": {
           "name": "something",
           "type": "events"
         },
         "shipper": "my-beat",
         "index_count": 1,
         "ecs_index_count": 1,
         "doc_count": 0,
         "size_in_bytes": 208
       }

7. Final object after all

   {
     "stack_stats": {
       "data": [
         {
           "shipper": "packetbeat",
           "index_count": 1,
           "ecs_index_count": 1,
           "doc_count": 56686,
           "size_in_bytes": 29042232
         },
         {
           "pattern_name": "packetbeat",
           "shipper": "packetbeat",
           "index_count": 1,
           "ecs_index_count": 0,
           "doc_count": 0,
           "size_in_bytes": 208
         },
         {
           "dataset": {
             "name": "something",
             "type": "events"
           },
           "shipper": "my-beat",
           "index_count": 1,
           "ecs_index_count": 1,
           "doc_count": 0,
           "size_in_bytes": 208
         },
         {
           "pattern_name": "citrix",
           "index_count": 1,
           "ecs_index_count": 0,
           "doc_count": 0,
           "size_in_bytes": 208
         },
         {
           "pattern_name": "third-party-logs",
           "index_count": 3,
           "ecs_index_count": 0,
           "doc_count": 0,
           "size_in_bytes": 624
         }
       ],
       "kibana": "..."
     }
   }

When Monitoring is ON

With the currently limited information we can retrieve in Monitoring, the reported payload in the same scenario would be:

      "data": [
        {
          "pattern_name": "citrix",
          "index_count": 1,
          "doc_count": 0,
          "size_in_bytes": 208
        },
        {
          "pattern_name": "third-party-logs",
          "index_count": 2,
          "doc_count": 0,
          "size_in_bytes": 416
        },
        {
          "pattern_name": "packetbeat",
          "index_count": 2,
          "doc_count": 86535,
          "size_in_bytes": 43978411
        }
      ]

So I've removed the collection of this information when using Monitoring until we find a way to accurately retrieve it (#68998).

TODO:

• Change the permissions of the role kibana_system (Add monitor and view_index_metadata to built-in kibana_system role elasticsearch#57755)
• Finish up with the full listing: https://github.com/afharo/kibana/blob/telemetry/report-data-providers/src/plugins/telemetry/server/telemetry_collection/get_data_telemetry/constants.ts#L36 => @alexfrancoeur will provide an updated list. Only missing to confirm some of the patterns that are a bit too vague (i.e.: *bro*).
• Try to identify if the mapping includes the field ecs.version
• There is a concern, due to security reasons, the Kibana user might not be able to retrieve the stats of certain indices. We need to test it thoroughly (any help is appreciated here) => Tested! We are still able to list the indices but can't retrieve the doc_count nor the size. I've got confirmation that that's OK if those 2 fields are optional.

Adding the v7.8.0 label as tentative only.

Checklist

Delete any items that are not applicable to this PR.

• Unit or functional tests were updated or added to match the most common scenarios

For maintainers

• This was checked for breaking API changes and was labeled appropriately

[afharo]

There is a concern about using this API because its documentation says:

The response is an internal representation of the cluster state and its format may change from version to version. If possible, you should obtain any information from the cluster state using the other, more stable, cluster APIs.

I've added a functional test in test/api_integration/apis/telemetry/telemetry_local.js to make sure it works as expected. Although it brings up the risk of flaky tests in the future if the API changes the way it works.

[TinaHeiligers]

How much tech debt do we want to get ourselves into? If it is possible to use a more stable API, I think it's worth changing.

[afharo]

I think the only alternative so far is to only use the GET <index>/_stats/ API. But that requires the kibana user to have a more permissive role.

Alternatively, there are some ongoing talks with the ES team to modify the same Cluster State API to provide the aggregated data all at once (meaning ES shouldn't drop support or make any changes in that API).

[Bamieh]

Can we discuss with other teams the possiblity of adding those permissions to the kibana role instead of using this API? im not completely against using this API if we have no other way, but i think it would make more sense to add those extra permissions and use the _stats api.

Also if you check the compatiblity grid: https://github.com/elastic/kibana/#version-compatibility-with-elasticsearch

Are we sure this API does not change behavior across the compatiblity grid? Our tests will test exact ES matching version, but not other compatible versions where ES minor/patch versinos are newer or ES patch version is lower than kibana's.

[afharo]

I'm not against updating the roles to be more permissive (that will allow us to consistently be able to retrieve the doc_count and size_in_bytes properties) but it involves some additional security concerns.

Not being able to retrieve the data from the cluster state API because of the compatibility grid will only result in not being able to provide this parameter in the telemetry (it will return it as {}) but it shouldn't break any other logic unless the API request itself throws any errors.
The warning in that API is about the format may change though, not the API behaviour as such.

N.B.: I just pushed a commit to catch the method and safely return {} if any of the API calls fail.

I think this approach is safer than opening the kibana_system role to be able to read from any index. But I'm happy to revisit this implementation if we think that's the way to go or any other approach (like ES providing this kind of info already embedded in the _cluster/stats API if they are willing the do the change and aggregation on their end).

[TinaHeiligers]

Opening up the kibana_system role is not ideal. Could we explore creating a telemetry_system role that has all the permissions needed?
cc @kobelb

[kobelb]

I don't think creating a telemetry_system roles would necessarily help us here... If we added the telemetry_system role to the kibana_system user we'd have an equivalent "threat profile". If we created a new telemetry_system user which had the telemetry_system role, it would make setup more complicated and have a slightly different "threat profile" as both user's credentials would be stored in the kibana.yml.

Augmenting the _cluster/stats API so we don't have to change the kibana_system privileges at all would be the safest option.

However, if we had to give the kibana_system role the monitor privilege on indices so we can use the index stats API, it's a lot safer than giving it access to read the documents themselves.

[alexfrancoeur]

@afharo minor suggestion, and fine to leave as is if this blocks anything, but would it be possible to rename ingest_solutions to ingest? At least initially, we aren't mapping the data providers directly to solutions but instead the shippers themselves

[afharo]

@afharo minor suggestion, and fine to leave as is if this blocks anything, but would it be possible to rename ingest_solutions to ingest? At least initially, we aren't mapping the data providers directly to solutions but instead the shippers themselves

@alexfrancoeur absolutely, it's a minor change. The only reason I decided not to use ingest on its own is that it may be too vague. We already have the concepts ingest pipelines, ingest nodes, ...

But happy to change it you think it would make things easier :)

[chrisronline]

LGTM from stack monitoring

[igoristic]

That's a good question. Are there any repercussions if we do use CCS by default? (like will it be less efficient, or slower?). If not then my other concern is it would probably need to be conditional based on licensing (and maybe also if there are any config options tied with it). I think the terms are kind of confusing since we actually mean "Multi-stack monitoring" here, right?

Looks like it's only available for Gold license and above

---

However, I think CSS is available for all licenses:

Source: https://www.elastic.co/subscriptions

I think it's fine the way it is right now and can be added later if anything

[igoristic]

Looks good from Stack Monitoring pov (code and functionality) ✅

[TinaHeiligers]

The solution looks good, although I did add a couple of questions.
I also pulled the code and ran the changed and added tests, all of which passed.

[TinaHeiligers]

How much tech debt do we want to get ourselves into? If it is possible to use a more stable API, I think it's worth changing.

[afharo]

@elasticmachine merge upstream

[TinaHeiligers]

@elasticmachine merge upstream

[afharo]

@elasticmachine merge upstream

[afharo]

After a conversation with @alexfrancoeur and @kobelb, I need to change this to a .filter

[afharo]

@elasticmachine merge upstream

[afharo]

@elasticmachine merge upstream

[kibanamachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request
• Commit: 7434e99

Build metrics

✅ unchanged

History

• 💛 Build #57908 was flaky aaac999
• 💚 Build #57563 succeeded edbf2f5
• 💚 Build #57501 succeeded f69c491
• 💔 Build #57463 failed f13ccb8
• 💚 Build #56325 succeeded 8746be1

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream