From 0174adb276edc2cdcb94e5622e039903571816b6 Mon Sep 17 00:00:00 2001
From: "opensearch-trigger-bot[bot]" <98922864+opensearch-trigger-bot[bot]@users.noreply.github.com>
Date: Tue, 19 Mar 2024 20:06:39 -0400
Subject: [PATCH] [Backport 2.x] Add query assistant role and new ml system indices (#4142)
Backport 633ff9b30cd34acfb81a264fc49b3d716dd89c64 from #4141.
Signed-off-by: Sicheng Song
Signed-off-by: github-actions[bot]
Co-authored-by: github-actions[bot]
---
 config/roles.yml | 9 +++++++++
 .../tools/democonfig/SecuritySettingsConfigurer.java | 2 ++
 2 files changed, 11 insertions(+)
diff --git a/config/roles.yml b/config/roles.yml
index 7428b46c5c..59e74f1a05 100644
--- a/config/roles.yml
+++ b/config/roles.yml
@@ -271,6 +271,15 @@ cross_cluster_search_remote_full_access:
 - 'indices:admin/shards/search_shards'
 - 'indices:data/read/search'
+# Allow users to operate query assistant
+ml_query_assistant_access:
+ reserved: true
+ cluster_permissions:
+ - 'cluster:admin/opensearch/ml/execute'
+ - 'cluster:admin/opensearch/ml/memory/conversation/create'
+ - 'cluster:admin/opensearch/ml/memory/interaction/create'
+ - 'cluster:admin/opensearch/ml/predict'
+
 # Allow users to read ML stats/models/tasks
 ml_read_access:
 reserved: true
diff --git a/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java b/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java
index 5b497d0f20..66e9ace47a 100644
--- a/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java
+++ b/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java
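Review bot: The comment above `ml_query_assistant_access` in the `config/roles.yml` hunk does not say that `cluster:admin/opensearch/ml/execute` and `cluster:admin/opensearch/ml/predict` are granted as cluster permissions, with nothing in the role limiting them to the query assistant's own agent or model. Anyone mapped to this reserved role can presumably run any agent or model that the ML plugin's own access control lets them reach, which an operator should know before mapping the role broadly. I would extend the comment to `# Allow users to operate query assistant. Grants ML execute/predict cluster-wide; limit reachable models and agents through the ML plugin's model access control.` The role has no `index_permissions`, so whether it is sufficient alone depends on roles outside this hunk.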
@@ -48,8 +48,10 @@ public class SecuritySettingsConfigurer {
 static final List REST_ENABLED_ROLES = List.of("all_access", "security_rest_api_access");
 static final List SYSTEM_INDICES = List.of(
+ ".plugins-ml-agent",
 ".plugins-ml-config",
 ".plugins-ml-connector",
+ ".plugins-ml-controller",
 ".plugins-ml-model-group",
 ".plugins-ml-model",
 ".plugins-ml-task",
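Review bot: `SYSTEM_INDICES` is a hand-maintained copy of index names owned by the ML plugin, and nothing in the hunk records where the names come from or what happens when one is missed. A comment above the list would help, for example `// Mirror of the ML plugin's system indices; an index missing here is not registered as a system index by the demo configuration.` The effect described there is inferred from the constant's name, since its use is outside the hunk. Because the same commit grants `memory/conversation/create` and `memory/interaction/create`, it is also worth confirming that the indices backing conversation memory appear in the part of the list that continues past `.plugins-ml-task`. The list and the enclosing class both extend beyond the hunk.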