Skip to content

[Fleet] Consider allowing skipped agents in bulk action framework #238220

New issue
New issue
Open
Open
[Fleet] Consider allowing skipped agents in bulk action framework#238220
Labels
Team:FleetTeam label for Observability Data Collection Fleet team
@jillguyonnet

Description

@jillguyonnet
jillguyonnet
opened on Oct 9, 2025

Context

While implementing changes to the agent privilege level change API in Fleet in #237790, the question arose of how to handle agents that are already unprivileged (the API is one-way: it only allows changing the privilege level to unprivileged). We agreed that fast success made the most sense.

For the single agent endpoint (POST /api/fleet/agent/{agent_id}/privilege_level_change), a request for an already unprivileged agent will return fast with status 200 and an info message. No action is created in this case.

For the bulk (multiple agents) endpoint, this turned out to require a change in how bulk actions are formed. Currently, the result of actions is checked with the following parameters:

kibana/x-pack/platform/plugins/shared/fleet/common/types/models/agent.ts

Lines 179 to 203 in dc041ed

export interface ActionStatus {
actionId: string;
// how many agents are successfully included in action documents
nbAgentsActionCreated: number;
// how many agents acknowledged the action sucessfully (completed)
nbAgentsAck: number;
// how many agents failed
nbAgentsFailed: number;
version?: string;
startTime?: string;
type: AgentActionType;
// how many agents were actioned by the user
nbAgentsActioned: number;
status: 'COMPLETE' | 'EXPIRED' | 'CANCELLED' | 'FAILED' | 'IN_PROGRESS' | 'ROLLOUT_PASSED';
expiration?: string;
completionTime?: string;
cancellationTime?: string;
newPolicyId?: string;
creationTime: string;
hasRolloutPeriod?: boolean;
latestErrors?: ActionErrorResult[];
revision?: number;
policyId?: string;
is_automatic?: boolean;
}

We expect actioned agents to either have been included in actions or failed:

kibana/x-pack/platform/test/fleet_api_integration/apis/agents/helpers/index.ts

Line 34 in dc041ed

action.nbAgentsActioned === action.nbAgentsActionCreated + action.nbAgentsFailed

Since it wouldn't have been consistent to fail already unprivileged agents, we decided to let them be processed.

Relevant comments in the above PR:
#237790 (comment)
#237790 (comment)
#237790 (comment)
#237790 (comment)
#237790 (comment)
#237790 (comment)

Possible solution

If we want to allow "early success" (essentially skipping) in bulk actions, we would probably need an additional parameter, something like nbAgentsSkipped, such that

action.nbAgentsActioned === action.nbAgentsActionCreated + action.nbAgentsFailed + action.nbAgentsSkipped

We would need to review how the action results are presented to the user.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Team:FleetTeam label for Observability Data Collection Fleet team

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions