[metricbeat/system] Modify the default value based on the group membership.

[VihasMakwana]

Whether to use performance counters or not needs to become an explicit configuration exposed in the system integration as well as the module. Because this is configuration, in theory in the agent tests affected by this an agent PR that sets his same configuration to false could be made directly in agent so we don't have to wait for a new DRA build. Since it isn't in the integration yet, the fleet overrides API could be used.

Ideally, we would add ourselves to the Performance Monitor Users group automatically, but this will not help agents that were already installed, so we need a way to handle that. Maybe just having it be configurable with the default value controlled by whether we are in the right group.

The DataDog agent installer adds itself to the performance monitor users group and some others for example https://docs.datadoghq.com/agent/guide/windows-agent-ddagent-user/

Originally posted by @cmacknz in #42041 (comment)

[elasticmachine]

Pinging @elastic/elastic-agent (Team:Elastic-Agent)

[VihasMakwana]

From internal discussions,

I had a similar thing in mind, but in a broader way.
We can have a feature flag, let's say flagX . If the user enables unprivileged mode and if the flagX is enabled, we can add the elastic-agent user to necessary groups. Currently, the user needs to add the user manually to groups.

@cmacknz 's response:

What I remember is that we considered that unprivileged should have no permissions, and users had to manually add them back in. If they wanted things to work by default, they could use privileged.
This misses the in between use case of “I don’t want to be root/admin but I also want it to work by default”. So we need some discussion on this.

---

@cmacknz As you mentioned, the case with performance counters make it complicated. As unprivileged mode was designed to be run with minimal configurations, I wonder how do we progress with this?

[cmacknz]

CC @flexitrev @nimarezainia

[cmacknz]

The core problem is we can't enable use of performance counters by default for unprivileged agents without adding those agents to the Performance Monitor Users group automatically. This makes us not unprivileged as in zero privileges.

If we don't do this automatically, using performance counters by default will break the core and cpu metricsets in the system module for unprivileged installations when we switch. We can fall back to the old way of collecting metrics in this case today, but then we have to maintain two ways to collect these metrics indefinitely which I don't want to do.

Switching to perf counters by default, but keeping the option to avoid using them and documenting that is the path of least resistance but has a maintenance cost for us.

[flexitrev]

Path of least resistance works for me, it doesn't strike me that the maintenance burden here will be especially large, and we are constrained by system modules for privileges.