Non-super users unable to view events under Data Stream tab even with All rights to Fleet management. #126067

Closed
dikshachauhan-qasource opened this issue Feb 21, 2022 · 9 comments
Labels: bug, impact:medium, Team:Fleet

@dikshachauhan-qasource

Kibana version: 8.1 BC3 Kibana cloud staging environment

Browser version: Firefox
Host OS: n/a

Preconditions:

  1. 8.1 BC3 staging Kibana cloud staging environment should be available.

     Build Details:

     VERSION: 8.1.0-BC3
     BUILD: 50346
     COMMIT: 0335dd6a26ef29ae9021d0fae9347dc88f3b7d6e
     ARTIFACT LINK: https://staging.elastic.co/8.1.0-bee672a6/summary-8.1.0.html
  2. Agent should be installed and streaming data under data stream tab with super user account.
  3. Few Integrations should be installed and used in Agent policy.

Steps to reproduce:

  • Log in to Kibana with super user.
  • Navigate to Stack Management and create a new role with Read only rights for Fleet & Integrations.
  • Create a new user and assign the above created Role.
  • Log in with the newly created user account.
  • Navigate to data stream tab under Fleet.
  • Observe, data events are not available for new user.
  • Update User account rights with index privileges to logs-* and metrics-* Indices with Read value.
  • Again, check out user account for data stream tab.

Actual Result:

  • Data at Discover Tab is available but not under Data streams tab.

Expected Result:
As per our understanding, a user having rights to the Fleet tab should also be able to read data at the Data stream tab.


@dikshachauhan-qasource dikshachauhan-qasource added the bug Fixes for quality problems that affect the customer experience label Feb 21, 2022
@botelastic botelastic bot added the needs-team Issues missing a team label label Feb 21, 2022
@botelastic botelastic bot removed the needs-team Issues missing a team label label Feb 21, 2022
@dikshachauhan-qasource dikshachauhan-qasource added impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. needs-team Issues missing a team label labels Feb 21, 2022
@botelastic botelastic bot removed the needs-team Issues missing a team label label Feb 21, 2022
@manishgupta-qasource

Reviewed & mention to @jen-huang

@jen-huang jen-huang added Team:Fleet Team label for Observability Data Collection Fleet team and removed Team:Elastic-Agent-Data-Plane labels Feb 22, 2022
@elasticmachine
Contributor

Pinging @elastic/fleet (Team:Fleet)

@jen-huang
Contributor

@criamico, could you take a look at this?

@joshdover
Contributor

> Update User account rights with index privileges to logs-* and metrics-* Indices with Read value.

I'm curious if our current query logic requires index privileges to the backing indices. We could test this by adding read index privilege for .ds-logs-* and .ds-metrics-* and see if that 'fixes' the issue. If so, we again need to revisit how this UI queries data (related to #115805).

@criamico
Contributor

@joshdover I tested your suggestion on cloud (Latest 8.1). The admin user has some data in data streams:

Screenshot 2022-02-23 at 17 34 44

I then created a user with Fleet "All", Integrations "Read" and the index privileges that you suggested:

Screenshot 2022-02-23 at 17 37 44

Logging in with this user, the Data streams tab is still giving an error and not showing data. The error I get is:

```
error: "Internal Server Error"
message: "security_exception: [security_exception] Reason: action [indices:monitor/data_stream/stats] is unauthorized for user [User_Read] with roles [Read_only], this action is granted by the index privileges [monitor,manage,all]"
statusCode: 500
```

So we're still not granting the correct privileges.
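
Added example, not part of the thread or of Kibana's code: a Python check that parses the `security_exception` message quoted above and reports which index patterns in a role hold none of the privileges the message names. The role bodies and the `logs-*`/`metrics-*` target patterns are assumptions built from the issue's reproduction steps, and pattern matching handles `*` wildcards only.

```python
import re
from fnmatch import fnmatchcase

# Shape of the Elasticsearch authorization error quoted in the comment above.
DENIAL = re.compile(
    r"action \[(?P<action>[^\]]+)\] is unauthorized for user \[(?P<user>[^\]]+)\]"
    r" with roles \[(?P<roles>[^\]]*)\], this action is granted by the"
    r" index privileges \[(?P<grants>[^\]]+)\]"
)

def parse_denial(message):
    """Return action, user, roles and granting privileges, or None if no match."""
    m = DENIAL.search(message)
    if m is None:
        return None
    split = lambda s: [x.strip() for x in s.split(",") if x.strip()]
    return {"action": m["action"], "user": m["user"],
            "roles": split(m["roles"]), "grants": split(m["grants"])}

def missing_grants(denial, role_defs, targets):
    """List target patterns where no role of the user holds a granting privilege."""
    granting = set(denial["grants"])
    covering = [
        pattern
        for role in denial["roles"]
        for entry in role_defs.get(role, {}).get("indices", [])
        if granting & set(entry["privileges"])
        for pattern in entry["names"]
    ]
    # A role pattern covers a target when it matches the target text itself
    # (sound for '*'-only patterns, which is all this example handles).
    return [t for t in targets if not any(fnmatchcase(t, p) for p in covering)]

# Error text copied from the thread.
MESSAGE = ("security_exception: [security_exception] Reason: action "
           "[indices:monitor/data_stream/stats] is unauthorized for user [User_Read] "
           "with roles [Read_only], this action is granted by the index privileges "
           "[monitor,manage,all]")
# Constructed role bodies (assumptions): the tested role, then the same role plus monitor.
TARGETS = ["logs-*", "metrics-*"]
NAMES = ["logs-*", "metrics-*", ".ds-logs-*", ".ds-metrics-*"]
READ_ONLY = {"Read_only": {"indices": [{"names": NAMES, "privileges": ["read"]}]}}
WITH_MONITOR = {"Read_only": {"indices": [{"names": NAMES, "privileges": ["read", "monitor"]}]}}

if __name__ == "__main__":
    denial = parse_denial(MESSAGE)
    print(denial["action"], "not granted on", missing_grants(denial, READ_ONLY, TARGETS))
    print("with monitor added:", missing_grants(denial, WITH_MONITOR, TARGETS))
```

The check only compares a role against the privileges the error message lists; the thread does not confirm which privilege set makes the Data streams tab load.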

@joshdover
Contributor

Ah thanks for digging in, so we need to probably block this UI if the user does not have the monitor cluster privilege. I think we can follow the same design pattern that we have used for blocking the Fleet Server setup instructions.

@joshdover
Contributor

A fix for 8.1.0 would be ideal here, but if it slips to 8.1.1 that'd be ok.

@joshdover joshdover added impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. and removed impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. labels Mar 7, 2022
@joshdover
Contributor

I'm downgrading the impact here since this is really a privileges issue that we could better surface in the UI but it is not really a broken feature.

@jlind23
Contributor

jlind23 commented Jun 21, 2023

@amolnater-qasource as stated by Josh, this is a privileges issue and not a UI bug per se, so closing this.

@jlind23 jlind23 closed this as not planned Jun 21, 2023