[discuss][Telemetry] Should we revisit the scoped payload logic?

[afharo]

Currently, when we request POST /api/telemetry/v2/clusters/_stats, we have 2 possible behaviours based on the value the body parameter unencrypted:

• If set to false (default), it will collect the usage with the kibana_system user (Kibana's internal user) and return the encrypted version of it.
• If set to true, it will collect the usage with clients scoped to the user requesting this sample, and it will return the payload as-is (human readable JSON).

This serves 2 purposes:

1. Encryption allows us to send telemetry through the users' browsers without them being able to read the info nor alter the information.
2. Scoped clients avoids users with limited permissions to gain access to stats they shouldn't know for any reason (i.e.: number of spaces, or stats about enabled features they don't have access to).

Scoping the clients comes with a huge cost though, and it doesn't really solve the problem we're trying to solve:

1. Admins are the most likely users to enable/disable this feature. The payload that they receive might contain more data than what kibana_system can actually read (because they have more access), or fewer because scoped clients are also scoped to the space the request comes from ([Usage Collection] Saved Objects APIs scopes might return incomplete data #92001). So their decision can't be based on the actual info we send.
2. Feature-limited users might still be able to read SOs, so the telemetry sample will still show the features they are not supposed to have access to (even more so when collectors are only reporting config statuses).
3. Developers trust the output of that API/Flyout to validate their collectors ([Telemetry] Test helpers for kibana_system #92825)
4. It overcomplicates the logic to retrieve the clients only to accommodate the Demo mode (unencrypted: true):
   • We need to police externally created clients in collectors.
   • We had to implement the Extended Context to the fetch method to provide the KibanaRequest (when available) with lots of caveats in that implementation that we named Advanced Usage.

I'd like to kick off a discussion about alternatives to replace the scoped clients.

My suggestion is:

1. Register a feature called retrieve_telemetry
2. Change POST /api/telemetry/v2/clusters/_stats to validate that the user has access to that feature, only when requesting it with unencrypted: true (unencrypted: false requests would be kept unchanged).
   NOTE: We might need to apply the same validation in /api/stats?extended (any implications to Metricbeat?)
3. Always collect the telemetry payload using kibana_system.

What do you think?

[elasticmachine]

Pinging @elastic/kibana-telemetry (Team:KibanaTelemetry)

[elasticmachine]

Pinging @elastic/kibana-security (Team:Security)

[elasticmachine]

Pinging @elastic/kibana-core (Team:Core)

[afharo]

cc @kobelb

[joshdover]

2. Scoped clients avoids users with limited permissions to gain access to stats they shouldn't know for any reason (i.e.: number of spaces, or stats about enabled features they don't have access to).

As mentioned during our meeting, I think this is the requirement/feature we should try to see if we can remove. I can't foresee us being able to support this long term without a lot of extra complexity in how we collect telemetry data. In fact, based on:

Feature-limited users might still be able to read SOs, so the telemetry sample will still show the features they are not supposed to have access to (even more so when collectors are only reporting config statuses).

...we already are breaking this today. IMO this problem should be classified as a bug where the fix is incredibly expensive and so we should be considering removing this feature for non-privileged users and only allow admins to see this data. In all likelihood, admins are almost always the users who are looking at this data and certainly should be the ones who have the access and knowledge to be able to take any action on this data.

[legrego]

In all likelihood, admins are almost always the users who are looking at this data and certainly should be the ones who have the access and knowledge to be able to take any action on this data.

I agree, this is who we should cater for.

My suggestion is:

1. Register a feature called retrieve_telemetry

I think creating a new feature privilege is heavy-handed for such a small administrative function. If we take the "just admins" approach, then we could instead check to see if:

1. The user is a Kibana Administrator (@elastic/kibana-security can help with this)
2. The user has the necessary privileges to execute the ES-specific telemetry APIs (is that GET /_cluster/stats?). We can still use kibana_system to make the call if you'd like, but this way we aren't violating Elasticsearch's security model by showing this information to users who wouldn't otherwise be authorized to view it.

[afharo]

I'm happy with limiting it to Kibana Administrators only approach. However, I wonder if we could do it programmatically in the handler because unencrypted: false should be allowed to everyone.

Before fully diving in admins-only, I'd like to consider how we could handle Metricbeat's GET /api/stats?extended requests (I don't think it runs with an admin user, does it?).

[legrego]

Before fully diving in admins-only, I'd like to consider how we could handle Metricbeat's GET /api/stats?extended requests (I don't think it runs with an admin user, does it?).

If the only supported usage is Metricbeat, then the docs state that you need to assign the remote_monitoring_collector role to monitor Kibana.

The descriptor for that role looks fairly out of date: it doesn't grant access to Kibana at all. It seems to rely on the "legacy" authorization model where we relied on privileges to the underlying .kibana index instead of Application Privileges.

Based on the information I see in the payload, I'd expect that we would need the equivalent of a read-only kibana administrator, which is something I think we'd be able to accommodate.

Sample extended payload

{
  "process": {
    "memory": {
      "heap": {
        "total_bytes": 303042560,
        "used_bytes": 266233744,
        "size_limit": 4345298944
      },
      "resident_set_size_bytes": 524783616
    },
    "pid": 73954,
    "event_loop_delay": 0.1358320713043213,
    "uptime_ms": 648361.831487
  },
  "os": {
    "platform": "darwin",
    "platform_release": "darwin-20.3.0",
    "load": {
      "1m": 2.5341796875,
      "5m": 10.6015625,
      "15m": 11.4482421875
    },
    "memory": {
      "total_bytes": 68719476736,
      "free_bytes": 932655104,
      "used_bytes": 67786821632
    },
    "uptime_ms": 2007178000
  },
  "requests": {
    "disconnects": 0,
    "total": 1,
    "status_codes": {}
  },
  "response_times": {
    "avg_ms": 0,
    "max_ms": 0
  },
  "concurrent_connections": 1,
  "kibana": {
    "uuid": "5b2de169-2785-441b-ae8c-186a1936b17d",
    "name": "larry-mb.local",
    "index": ".kibana",
    "host": "0.0.0.0",
    "locale": "en",
    "transport_address": "0.0.0.0:5603",
    "version": "8.0.0",
    "snapshot": false,
    "status": "green"
  },
  "last_updated": "2021-03-25T18:14:33.860Z",
  "collection_interval_ms": 5000,
  "usage": {
    "telemetry": {
      "opt_in_status": true,
      "last_reported": 1616695847969,
      "usage_fetcher": "server"
    },
    "ui_counters": {
      "daily_events": [
        {
          "app_name": "console",
          "event_name": "opened_app",
          "last_updated_at": "2021-03-25T18:11:30.335Z",
          "from_timestamp": "2021-03-25T00:00:00Z",
          "counter_type": "loaded",
          "total": 1
        }
      ]
    },
    "kibana": {
      "index": ".kibana",
      "dashboard": {
        "total": 0
      },
      "visualization": {
        "total": 0
      },
      "search": {
        "total": 0
      },
      "index_pattern": {
        "total": 0
      },
      "graph_workspace": {
        "total": 0
      },
      "timelion_sheet": {
        "total": 0
      }
    },
    "stack_management": {},
    "ui_metric": {
      "kibana_user_agent": [
        {
          "key": "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36",
          "value": 1
        }
      ],
      "console": [
        {
          "key": "opened_app",
          "value": 1
        }
      ]
    },
    "application_usage": {
      "space_selector": {
        "app_id": "space_selector",
        "view_id": "main",
        "clicks_total": 1,
        "clicks_7_days": 1,
        "clicks_30_days": 1,
        "clicks_90_days": 1,
        "minutes_on_screen_total": 0.021366666666666666,
        "minutes_on_screen_7_days": 0.021366666666666666,
        "minutes_on_screen_30_days": 0.021366666666666666,
        "minutes_on_screen_90_days": 0.021366666666666666,
        "views": []
      },
      "home": {
        "app_id": "home",
        "view_id": "main",
        "clicks_total": 4,
        "clicks_7_days": 4,
        "clicks_30_days": 4,
        "clicks_90_days": 4,
        "minutes_on_screen_total": 2.4809666666666668,
        "minutes_on_screen_7_days": 2.4809666666666668,
        "minutes_on_screen_30_days": 2.4809666666666668,
        "minutes_on_screen_90_days": 2.4809666666666668,
        "views": []
      },
      "dev_tools": {
        "app_id": "dev_tools",
        "view_id": "main",
        "clicks_total": 1,
        "clicks_7_days": 1,
        "clicks_30_days": 1,
        "clicks_90_days": 1,
        "minutes_on_screen_total": 0.05268333333333333,
        "minutes_on_screen_7_days": 0.05268333333333333,
        "minutes_on_screen_30_days": 0.05268333333333333,
        "minutes_on_screen_90_days": 0.05268333333333333,
        "views": []
      },
      "security_access_agreement": {
        "app_id": "security_access_agreement",
        "view_id": "main",
        "clicks_total": 4,
        "clicks_7_days": 4,
        "clicks_30_days": 4,
        "clicks_90_days": 4,
        "minutes_on_screen_total": 0.15846666666666667,
        "minutes_on_screen_7_days": 0.15846666666666667,
        "minutes_on_screen_30_days": 0.15846666666666667,
        "minutes_on_screen_90_days": 0.15846666666666667,
        "views": []
      }
    },
    "csp": {
      "strict": true,
      "warn_legacy_browsers": true,
      "rules_changed_from_default": false
    },
    "core": {
      "config": {
        "elasticsearch": {
          "api_version": "master",
          "sniff_on_start": false,
          "sniff_interval_ms": -1,
          "sniff_on_connection_fault": false,
          "number_of_hosts_configured": 1,
          "custom_headers_configured": false,
          "health_check_delay_ms": 2500,
          "log_queries": false,
          "ping_timeout_ms": 30000,
          "request_headers_whitelist_configured": true,
          "request_timeout_ms": 30000,
          "shard_timeout_ms": 30000,
          "ssl": {
            "always_present_certificate": false,
            "certificate_authorities_configured": true,
            "certificate_configured": false,
            "key_configured": false,
            "verification_mode": "certificate",
            "truststore_configured": false,
            "keystore_configured": false
          }
        },
        "http": {
          "base_path_configured": true,
          "max_payload_bytes": 164857600,
          "rewrite_base_path": true,
          "keepalive_timeout": 120000,
          "socket_timeout": 120000,
          "compression": {
            "enabled": true,
            "referrer_whitelist_configured": false
          },
          "xsrf": {
            "disable_protection": false,
            "allowlist_configured": false
          },
          "request_id": {
            "allow_from_any_ip": false,
            "ip_allowlist_configured": false
          },
          "ssl": {
            "certificate_authorities_configured": true,
            "certificate_configured": true,
            "cipher_suites": [
              "TLS_AES_256_GCM_SHA384",
              "TLS_CHACHA20_POLY1305_SHA256",
              "TLS_AES_128_GCM_SHA256",
              "ECDHE-RSA-AES128-GCM-SHA256",
              "ECDHE-ECDSA-AES128-GCM-SHA256",
              "ECDHE-RSA-AES256-GCM-SHA384",
              "ECDHE-ECDSA-AES256-GCM-SHA384",
              "DHE-RSA-AES128-GCM-SHA256",
              "ECDHE-RSA-AES128-SHA256",
              "DHE-RSA-AES128-SHA256",
              "ECDHE-RSA-AES256-SHA384",
              "DHE-RSA-AES256-SHA384",
              "ECDHE-RSA-AES256-SHA256",
              "DHE-RSA-AES256-SHA256",
              "HIGH",
              "!aNULL",
              "!eNULL",
              "!EXPORT",
              "!DES",
              "!RC4",
              "!MD5",
              "!PSK",
              "!SRP",
              "!CAMELLIA"
            ],
            "key_configured": true,
            "redirect_http_from_port_configured": false,
            "supported_protocols": [
              "TLSv1.1",
              "TLSv1.2",
              "TLSv1.3"
            ],
            "client_authentication": "none",
            "keystore_configured": false,
            "truststore_configured": false
          }
        },
        "logging": {
          "appenders_types_used": [
            "legacy-appender"
          ],
          "loggers_configured_count": 9
        },
        "saved_objects": {
          "custom_index": false,
          "max_import_payload_bytes": 26214400,
          "max_import_export_size": 10000
        }
      },
      "environment": {
        "memory": {
          "heap_size_limit": 4345298944,
          "heap_total_bytes": 303042560,
          "heap_used_bytes": 266233744
        }
      },
      "services": {
        "saved_objects": {
          "indices": [
            {
              "alias": ".kibana",
              "docs_count": "19",
              "docs_deleted": "12",
              "store_size_bytes": "2219785",
              "primary_store_size_bytes": "2219785"
            },
            {
              "alias": ".kibana_task_manager",
              "docs_count": "10",
              "docs_deleted": "187",
              "store_size_bytes": "55062",
              "primary_store_size_bytes": "55062"
            }
          ]
        }
      },
      "api_calls_saved_objects_bulk_get_total": 3,
      "api_calls_saved_objects_bulk_get_namespace_default_total": 3,
      "api_calls_saved_objects_bulk_get_namespace_default_kibana_request_yes": 3,
      "api_calls_saved_objects_find_total": 2,
      "api_calls_saved_objects_find_namespace_default_total": 2,
      "api_calls_saved_objects_find_namespace_default_kibana_request_yes": 2,
      "api_calls_saved_objects_bulk_create_total": 0,
      "api_calls_saved_objects_bulk_create_namespace_default_total": 0,
      "api_calls_saved_objects_bulk_create_namespace_default_kibana_request_yes": 0,
      "api_calls_saved_objects_bulk_create_namespace_default_kibana_request_no": 0,
      "api_calls_saved_objects_bulk_create_namespace_custom_total": 0,
      "api_calls_saved_objects_bulk_create_namespace_custom_kibana_request_yes": 0,
      "api_calls_saved_objects_bulk_create_namespace_custom_kibana_request_no": 0,
      "api_calls_saved_objects_bulk_get_namespace_default_kibana_request_no": 0,
      "api_calls_saved_objects_bulk_get_namespace_custom_total": 0,
      "api_calls_saved_objects_bulk_get_namespace_custom_kibana_request_yes": 0,
      "api_calls_saved_objects_bulk_get_namespace_custom_kibana_request_no": 0,
      "api_calls_saved_objects_bulk_update_total": 0,
      "api_calls_saved_objects_bulk_update_namespace_default_total": 0,
      "api_calls_saved_objects_bulk_update_namespace_default_kibana_request_yes": 0,
      "api_calls_saved_objects_bulk_update_namespace_default_kibana_request_no": 0,
      "api_calls_saved_objects_bulk_update_namespace_custom_total": 0,
      "api_calls_saved_objects_bulk_update_namespace_custom_kibana_request_yes": 0,
      "api_calls_saved_objects_bulk_update_namespace_custom_kibana_request_no": 0,
      "api_calls_saved_objects_create_total": 0,
      "api_calls_saved_objects_create_namespace_default_total": 0,
      "api_calls_saved_objects_create_namespace_default_kibana_request_yes": 0,
      "api_calls_saved_objects_create_namespace_default_kibana_request_no": 0,
      "api_calls_saved_objects_create_namespace_custom_total": 0,
      "api_calls_saved_objects_create_namespace_custom_kibana_request_yes": 0,
      "api_calls_saved_objects_create_namespace_custom_kibana_request_no": 0,
      "api_calls_saved_objects_delete_total": 0,
      "api_calls_saved_objects_delete_namespace_default_total": 0,
      "api_calls_saved_objects_delete_namespace_default_kibana_request_yes": 0,
      "api_calls_saved_objects_delete_namespace_default_kibana_request_no": 0,
      "api_calls_saved_objects_delete_namespace_custom_total": 0,
      "api_calls_saved_objects_delete_namespace_custom_kibana_request_yes": 0,
      "api_calls_saved_objects_delete_namespace_custom_kibana_request_no": 0,
      "api_calls_saved_objects_find_namespace_default_kibana_request_no": 0,
      "api_calls_saved_objects_find_namespace_custom_total": 0,
      "api_calls_saved_objects_find_namespace_custom_kibana_request_yes": 0,
      "api_calls_saved_objects_find_namespace_custom_kibana_request_no": 0,
      "api_calls_saved_objects_get_total": 0,
      "api_calls_saved_objects_get_namespace_default_total": 0,
      "api_calls_saved_objects_get_namespace_default_kibana_request_yes": 0,
      "api_calls_saved_objects_get_namespace_default_kibana_request_no": 0,
      "api_calls_saved_objects_get_namespace_custom_total": 0,
      "api_calls_saved_objects_get_namespace_custom_kibana_request_yes": 0,
      "api_calls_saved_objects_get_namespace_custom_kibana_request_no": 0,
      "api_calls_saved_objects_resolve_total": 0,
      "api_calls_saved_objects_resolve_namespace_default_total": 0,
      "api_calls_saved_objects_resolve_namespace_default_kibana_request_yes": 0,
      "api_calls_saved_objects_resolve_namespace_default_kibana_request_no": 0,
      "api_calls_saved_objects_resolve_namespace_custom_total": 0,
      "api_calls_saved_objects_resolve_namespace_custom_kibana_request_yes": 0,
      "api_calls_saved_objects_resolve_namespace_custom_kibana_request_no": 0,
      "api_calls_saved_objects_update_total": 0,
      "api_calls_saved_objects_update_namespace_default_total": 0,
      "api_calls_saved_objects_update_namespace_default_kibana_request_yes": 0,
      "api_calls_saved_objects_update_namespace_default_kibana_request_no": 0,
      "api_calls_saved_objects_update_namespace_custom_total": 0,
      "api_calls_saved_objects_update_namespace_custom_kibana_request_yes": 0,
      "api_calls_saved_objects_update_namespace_custom_kibana_request_no": 0,
      "api_calls_saved_objects_import_total": 0,
      "api_calls_saved_objects_import_namespace_default_total": 0,
      "api_calls_saved_objects_import_namespace_default_kibana_request_yes": 0,
      "api_calls_saved_objects_import_namespace_default_kibana_request_no": 0,
      "api_calls_saved_objects_import_namespace_custom_total": 0,
      "api_calls_saved_objects_import_namespace_custom_kibana_request_yes": 0,
      "api_calls_saved_objects_import_namespace_custom_kibana_request_no": 0,
      "api_calls_saved_objects_import_create_new_copies_enabled_yes": 0,
      "api_calls_saved_objects_import_create_new_copies_enabled_no": 0,
      "api_calls_saved_objects_import_overwrite_enabled_yes": 0,
      "api_calls_saved_objects_import_overwrite_enabled_no": 0,
      "api_calls_saved_objects_resolve_import_errors_total": 0,
      "api_calls_saved_objects_resolve_import_errors_namespace_default_total": 0,
      "api_calls_saved_objects_resolve_import_errors_namespace_default_kibana_request_yes": 0,
      "api_calls_saved_objects_resolve_import_errors_namespace_default_kibana_request_no": 0,
      "api_calls_saved_objects_resolve_import_errors_namespace_custom_total": 0,
      "api_calls_saved_objects_resolve_import_errors_namespace_custom_kibana_request_yes": 0,
      "api_calls_saved_objects_resolve_import_errors_namespace_custom_kibana_request_no": 0,
      "api_calls_saved_objects_resolve_import_errors_create_new_copies_enabled_yes": 0,
      "api_calls_saved_objects_resolve_import_errors_create_new_copies_enabled_no": 0,
      "api_calls_saved_objects_export_total": 0,
      "api_calls_saved_objects_export_namespace_default_total": 0,
      "api_calls_saved_objects_export_namespace_default_kibana_request_yes": 0,
      "api_calls_saved_objects_export_namespace_default_kibana_request_no": 0,
      "api_calls_saved_objects_export_namespace_custom_total": 0,
      "api_calls_saved_objects_export_namespace_custom_kibana_request_yes": 0,
      "api_calls_saved_objects_export_namespace_custom_kibana_request_no": 0,
      "api_calls_saved_objects_export_all_types_selected_yes": 0,
      "api_calls_saved_objects_export_all_types_selected_no": 0
    },
    "localization": {
      "locale": "en",
      "integrities": {},
      "labels_count": 0
    },
    "search": {
      "success_count": 0,
      "error_count": 0,
      "average_duration": null
    },
    "file_upload": {
      "file_upload": {
        "index_creation_count": 0
      }
    },
    "kql": {
      "opt_in_count": 0,
      "opt_out_count": 0,
      "default_query_language": "default-kuery"
    },
    "canvas": {},
    "vis_type_table": {
      "total": 0,
      "total_split": 0,
      "split_columns": {
        "total": 0,
        "enabled": 0
      },
      "split_rows": {
        "total": 0,
        "enabled": 0
      }
    },
    "dashboard": {
      "panels": 0,
      "panels_by_value": 0,
      "lens_by_value": {},
      "visualization_by_value": {}
    },
    "discover_enhanced": {
      "explore_data_in_chart_action_enabled": false
    },
    "spaces": {
      "available": true,
      "enabled": true,
      "count": 1,
      "uses_feature_controls": false,
      "disabled_features": {
        "canvas": 0,
        "graph": 0,
        "saved_objects_tagging": 0,
        "maps": 0,
        "fleet": 0,
        "enterprise_search": 0,
        "actions": 0,
        "stack_alerts": 0,
        "ml": 0,
        "siem": 0,
        "infrastructure": 0,
        "logs": 0,
        "monitoring": 0,
        "apm": 0,
        "uptime": 0,
        "discover": 0,
        "visualize": 0,
        "dashboard": 0,
        "dev_tools": 0,
        "advanced_settings": 0,
        "index_patterns": 0,
        "saved_objects_management": 0
      },
      "api_calls_copy_saved_objects_total": 0,
      "api_calls_copy_saved_objects_kibana_request_yes": 0,
      "api_calls_copy_saved_objects_kibana_request_no": 0,
      "api_calls_copy_saved_objects_create_new_copies_enabled_yes": 0,
      "api_calls_copy_saved_objects_create_new_copies_enabled_no": 0,
      "api_calls_copy_saved_objects_overwrite_enabled_yes": 0,
      "api_calls_copy_saved_objects_overwrite_enabled_no": 0,
      "api_calls_resolve_copy_saved_objects_errors_total": 0,
      "api_calls_resolve_copy_saved_objects_errors_kibana_request_yes": 0,
      "api_calls_resolve_copy_saved_objects_errors_kibana_request_no": 0,
      "api_calls_resolve_copy_saved_objects_errors_create_new_copies_enabled_yes": 0,
      "api_calls_resolve_copy_saved_objects_errors_create_new_copies_enabled_no": 0
    },
    "security": {
      "audit_logging_enabled": false,
      "login_selector_enabled": true,
      "access_agreement_enabled": true,
      "auth_provider_count": 4,
      "enabled_auth_providers": [
        "anonymous",
        "basic",
        "saml",
        "pki"
      ],
      "http_auth_schemes": [
        "apikey"
      ]
    },
    "saved_objects_tagging": {
      "used_tags": 0,
      "tagged_objects": 0,
      "types": {}
    },
    "maps": {
      "settings": {
        "show_map_visualization_types": false
      },
      "index_patterns_with_geo_field_count": 0,
      "index_patterns_with_geo_point_field_count": 0,
      "index_patterns_with_geo_shape_field_count": 0,
      "geo_shape_agg_layers_count": 0,
      "maps_total_count": 0,
      "time_captured": "2021-03-25T18:14:33.617Z",
      "attributes_per_map": {
        "data_sources_count": {
          "min": 0,
          "max": 0,
          "avg": 0
        },
        "layers_count": {
          "min": 0,
          "max": 0,
          "avg": 0
        },
        "layer_types_count": {},
        "ems_vector_layers_count": {}
      }
    },
    "search_session": {
      "transient_count": 0,
      "persisted_count": 0,
      "total_count": 0
    },
    "cloud": {
      "is_cloud_enabled": false
    },
    "fleet": {
      "agents_enabled": true,
      "agents": {
        "total": 0,
        "online": 0,
        "error": 0,
        "offline": 0
      },
      "packages": []
    },
    "actions": {
      "count_total": 0,
      "count_by_type": {},
      "count_active_total": 0,
      "count_active_by_type": {}
    },
    "alerts": {
      "count_total": 0,
      "count_by_type": {},
      "throttle_time": {
        "min": "0s",
        "avg": "0s",
        "max": "0s"
      },
      "schedule_time": {
        "min": "0s",
        "avg": "0s",
        "max": "0s"
      },
      "connectors_per_alert": {
        "min": 0,
        "avg": 0,
        "max": 0
      },
      "count_active_by_type": {},
      "count_active_total": 0,
      "count_disabled_total": 0
    },
    "lens": {
      "saved_overall": {},
      "saved_30_days": {},
      "saved_90_days": {},
      "saved_overall_total": 0,
      "saved_30_days_total": 0,
      "saved_90_days_total": 0,
      "events_30_days": {},
      "events_90_days": {},
      "suggestion_events_30_days": {},
      "suggestion_events_90_days": {}
    },
    "security_solution": {
      "detections": {
        "detection_rules": {
          "custom": {
            "enabled": 0,
            "disabled": 0
          },
          "elastic": {
            "enabled": 0,
            "disabled": 0
          }
        },
        "ml_jobs": {
          "custom": {
            "enabled": 0,
            "disabled": 0
          },
          "elastic": {
            "enabled": 0,
            "disabled": 0
          }
        }
      },
      "detection_metrics": {
        "ml_jobs": []
      },
      "endpoints": {
        "total_installed": 0,
        "active_within_last_24_hours": 0,
        "os": [],
        "policies": {
          "malware": {
            "active": 0,
            "inactive": 0,
            "failure": 0
          }
        }
      }
    },
    "rollups": {
      "index_patterns": {
        "total": 0
      },
      "saved_searches": {
        "total": 0
      },
      "visualizations": {
        "total": 0,
        "saved_searches": {
          "total": 0
        }
      }
    },
    "infraops": {
      "last_24_hours": {
        "hits": {
          "infraops_hosts": 0,
          "infraops_docker": 0,
          "infraops_kubernetes": 0,
          "logs": 0
        }
      }
    },
    "monitoring": {
      "has_monitoring_data": false,
      "clusters": []
    },
    "uptime": {
      "last_24_hours": {
        "hits": {
          "overview_page": 0,
          "monitor_page": 0,
          "no_of_unique_monitors": 0,
          "settings_page": 0,
          "monitor_frequency": [],
          "monitor_name_stats": {
            "min_length": 0,
            "max_length": 0,
            "avg_length": 0
          },
          "no_of_unique_observer_locations": 0,
          "observer_location_name_stats": {
            "min_length": 0,
            "max_length": 0,
            "avg_length": 0
          },
          "date_range_start": [],
          "date_range_end": [],
          "auto_refresh_enabled": false,
          "autorefresh_interval": []
        }
      }
    },
    "upgrade_assistant_telemetry": {
      "ui_open": {
        "overview": 0,
        "cluster": 0,
        "indices": 0
      },
      "ui_reindex": {
        "close": 0,
        "open": 0,
        "start": 0,
        "stop": 0
      },
      "features": {
        "deprecation_logging": {
          "enabled": true
        }
      }
    },
    "enterprise_search": {
      "ui_viewed": {
        "overview": 0,
        "setup_guide": 0
      },
      "ui_error": {
        "cannot_connect": 0
      },
      "ui_clicked": {
        "app_search": 0,
        "workplace_search": 0
      }
    },
    "app_search": {
      "ui_viewed": {
        "setup_guide": 0,
        "engines_overview": 0
      },
      "ui_error": {
        "cannot_connect": 0,
        "not_found": 0
      },
      "ui_clicked": {
        "create_first_engine_button": 0,
        "header_launch_button": 0,
        "engine_table_link": 0
      }
    },
    "workplace_search": {
      "ui_viewed": {
        "setup_guide": 0,
        "overview": 0
      },
      "ui_error": {
        "cannot_connect": 0,
        "not_found": 0
      },
      "ui_clicked": {
        "header_launch_button": 0,
        "org_name_change_button": 0,
        "onboarding_card_button": 0,
        "recent_activity_source_details_link": 0
      }
    },
    "apm": {
      "tasks": {
        "aggregated_transactions": {
          "took": {
            "ms": 4
          }
        },
        "cloud": {
          "took": {
            "ms": 4
          }
        },
        "environments": {
          "took": {
            "ms": 5
          }
        },
        "processor_events": {
          "took": {
            "ms": 69
          }
        },
        "agent_configuration": {
          "took": {
            "ms": 34
          }
        },
        "services": {
          "took": {
            "ms": 244
          }
        },
        "versions": {
          "took": {
            "ms": 3
          }
        },
        "groupings": {
          "took": {
            "ms": 17
          }
        },
        "integrations": {
          "took": {
            "ms": 4
          }
        },
        "agents": {
          "took": {
            "ms": 64
          }
        },
        "indices_stats": {
          "took": {
            "ms": 13
          }
        },
        "cardinality": {
          "took": {
            "ms": 34
          }
        }
      },
      "cloud": {
        "availability_zone": [],
        "provider": [],
        "region": []
      },
      "environments": {
        "services_without_environment": 0,
        "services_with_multiple_environments": 0,
        "top_environments": []
      },
      "counts": {
        "error": {
          "1_d": 0,
          "all": 0
        },
        "metric": {
          "1_d": 0,
          "all": 0
        },
        "span": {
          "1_d": 0,
          "all": 0
        },
        "transaction": {
          "1_d": 0,
          "all": 0
        },
        "onboarding": {
          "1_d": 0,
          "all": 0
        },
        "sourcemap": {
          "1_d": 0,
          "all": 0
        },
        "agent_configuration": {
          "all": 0
        },
        "max_error_groups_per_service": {
          "1_d": 0
        },
        "max_transaction_groups_per_service": {
          "1_d": 0
        },
        "traces": {
          "1_d": 0
        },
        "services": {
          "1_d": 0
        }
      },
      "has_any_services": false,
      "services_per_agent": {
        "dotnet": 0,
        "go": 0,
        "java": 0,
        "js_base": 0,
        "nodejs": 0,
        "python": 0,
        "ruby": 0,
        "rum_js": 0,
        "otlp": 0,
        "opentelemetry_cpp": 0,
        "opentelemetry_dotnet": 0,
        "opentelemetry_erlang": 0,
        "opentelemetry_go": 0,
        "opentelemetry_java": 0,
        "opentelemetry_nodejs": 0,
        "opentelemetry_php": 0,
        "opentelemetry_python": 0,
        "opentelemetry_ruby": 0,
        "opentelemetry_webjs": 0
      },
      "integrations": {
        "ml": {
          "all_jobs_count": 0
        }
      },
      "agents": {},
      "indices": {
        "shards": {
          "total": 1
        },
        "all": {
          "total": {
            "docs": {
              "count": 0
            },
            "store": {
              "size_bytes": 208
            }
          }
        }
      },
      "cardinality": {
        "client": {
          "geo": {
            "country_iso_code": {
              "rum": {
                "1_d": 0
              }
            }
          }
        },
        "transaction": {
          "name": {
            "all_agents": {
              "1_d": 0
            },
            "rum": {
              "1_d": 0
            }
          }
        },
        "user_agent": {
          "original": {
            "all_agents": {
              "1_d": 0
            },
            "rum": {
              "1_d": 0
            }
          }
        }
      }
    }
  },
  "cluster_uuid": "OBvw3MM7Tj6Hk1iFBrQPfg"
}

[afharo]

Thank you @legrego! Read-only Kibana administrator looks like a good compromise to me.

[afharo]

For the security changes, I've created #96536. Then the follow up to apply the changes in the telemetry endpoints #96538

[afharo]

I'll go ahead and close this discuss issue (feel free to reopen it if needed). Thanks all!