Add indices:admin/get and indices:data/read/search permissions to ml_full_access role for Agentic Search #4775

@rithinpullela

Problem

Users cannot use QueryPlanningTool (Agentic Search) with the ml_full_access role. The tool requires index-level permissions that are not currently included in the role.

Background

QueryPlanningTool executes an async chain to gather context before generating queries:

Code: QueryPlanningTool.java:269-279

// async chain: getIndexMapping -> getSampleDoc -> call model
getIndexMappingAsync(parameters.get(INDEX_NAME_FIELD), ActionListener.wrap(indexMapping -> {
    parameters.put(INDEX_MAPPING_FIELD, gson.toJson(indexMapping));
    getSampleDocAsync(parameters.get(INDEX_NAME_FIELD), ActionListener.wrap(sampleDoc -> {
        parameters.put(SAMPLE_DOCUMENT_FIELD, gson.toJson(sampleDoc));
        queryGenerationTool.run(parameters, modelListener);

Step 1: Get Index Mapping

Calls client.admin().indices().getIndex() to retrieve index structure (field names, types).

Requires: indices:admin/get

Code: QueryPlanningTool.java:307-309

Step 2: Sample Document

Executes a search query with matchAllQuery() to get example documents.

Requires: indices:data/read/search*

Code: QueryPlanningTool.java:287-291

Current State

ml_full_access role (source):

ml_full_access:
  reserved: true
  cluster_permissions:
    - 'cluster:admin/opensearch/ml/*'
    - 'cluster_monitor'
  index_permissions:
    - index_patterns: ['*']
      allowed_actions:
        - 'indices_monitor'  # Only monitoring metrics

Behavior:

  • Flow agents with QueryPlanningTool fail with: OpenSearchSecurityException: no permissions for [indices:admin/get]
  • Adding only indices:admin/get causes failure at step 2 with: no permissions for [indices:data/read/search]
  • Both permissions are required for the tool to function

Proposed Solutions

Option 1: Add permissions to ml_full_access

Add both required permissions to ml_full_access:

ml_full_access:
  reserved: true
  cluster_permissions:
    - 'cluster:admin/opensearch/ml/*'
    - 'cluster_monitor'
  index_permissions:
    - index_patterns: ['*']
      allowed_actions:
        - 'indices_monitor'
        - 'indices:admin/get'          # For index mapping retrieval
        - 'indices:data/read/search*'  # For document sampling

Pros:

  • Users expect ml_full_access to enable all ML features
  • Single role for all ML functionality
  • Aligns with naming convention ("full access")

Cons:

  • Adds index read permissions to existing role
  • Could bring behavior changes giving more permissions to some users after upgrade

Option 2: Create new agentic_search_access role (Not Recommended)

Create a separate role specifically for Agentic Search:

agentic_search_access:
  reserved: true
  cluster_permissions:
    - 'cluster:admin/opensearch/ml/*'
    - 'cluster_monitor'
  index_permissions:
    - index_patterns: ['*']
      allowed_actions:
        - 'indices_monitor'
        - 'indices:admin/get'
        - 'indices:data/read/search*'

Pros:

  • Doesn't modify existing role
  • No security surprises after the upgrade (ml full access does not grant new permissions)

Cons:

  • Fragments ML permissions - users need multiple roles for ML features
  • Confusing naming - why doesn't "ml_full_access" include all ML features?
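Added example (not part of the original issue and not code from the project): a small offline checker that evaluates the role variants above against the two actions the tool needs, and lists which indices each variant makes searchable, which is the upgrade-time change named under Option 1's cons. Assumptions: `indices_monitor` expands to `indices:monitor/*`, patterns are plain `*` wildcards, and the index names and the `SCOPED` role are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Assumption: expansion of the built-in action group used by the roles above.
ACTION_GROUPS = {"indices_monitor": ["indices:monitor/*"]}

# Actions the issue says QueryPlanningTool needs on the target index.
REQUIRED = ["indices:admin/get", "indices:data/read/search"]


def index_permissions(extra_actions=(), patterns=("*",)):
    """index_permissions of ml_full_access as quoted above, plus extras."""
    return [{"index_patterns": list(patterns),
             "allowed_actions": ["indices_monitor", *extra_actions]}]


def granted_patterns(perms, index):
    """Action patterns (groups expanded) that apply to one concrete index."""
    out = []
    for entry in perms:
        if any(fnmatchcase(index, p) for p in entry["index_patterns"]):
            for action in entry["allowed_actions"]:
                out.extend(ACTION_GROUPS.get(action, [action]))
    return out


def missing_actions(perms, index, required=REQUIRED):
    """Required actions that no granted pattern covers for this index."""
    granted = granted_patterns(perms, index)
    return [r for r in required
            if not any(fnmatchcase(r, g) for g in granted)]


def searchable(perms, indices):
    """Indices on which the role allows indices:data/read/search."""
    return [i for i in indices
            if not missing_actions(perms, i, ["indices:data/read/search"])]


AGENTIC = ["indices:admin/get", "indices:data/read/search*"]
CURRENT = index_permissions()                          # role as it is today
STEP1_ONLY = index_permissions(["indices:admin/get"])  # fails at step 2
PROPOSED = index_permissions(AGENTIC)                  # Option 1 / Option 2
# Hypothetical custom role: same actions, narrowed index pattern.
SCOPED = index_permissions(AGENTIC, patterns=("products-*",))
SAMPLE_INDICES = ["products-2024", "hr-payroll"]       # constructed names

if __name__ == "__main__":
    for name, perms in [("current", CURRENT), ("step1_only", STEP1_ONLY),
                        ("proposed", PROPOSED), ("scoped", SCOPED)]:
        print(name, "missing:", missing_actions(perms, "products-2024"),
              "searchable:", searchable(perms, SAMPLE_INDICES))
```

With `index_patterns: ['*']`, every holder of the role gains search on every index the constructed list contains, while the scoped variant keeps the tool working only on the matching index.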

Labels: enhancement

Status: In Progress