From 9290db3e713d8cf7bcbd65ef8a3004d4447ba898 Mon Sep 17 00:00:00 2001
From: John Mazanec <jmazane@amazon.com>
Date: Tue, 6 Dec 2022 09:59:57 -0800
Subject: [PATCH] Integrate k-NN functionality with security plugin (#2274)

Adds k-NN read only and full access roles to the default roles file.
Adds k-NN model index to demo for system index.

Signed-off-by: John Mazanec <jmazane@amazon.com>
(cherry picked from commit e7a120ccab9962fdb63710585ec83c13477dea13)
---
 config/roles.yml                     | 23 +++++++++++++++++++++++
 tools/install_demo_configuration.bat |  2 +-
 tools/install_demo_configuration.sh  |  2 +-
 3 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/config/roles.yml b/config/roles.yml
index 1d081a5fd0..29f6fcbe5d 100644
--- a/config/roles.yml
+++ b/config/roles.yml
@@ -68,6 +68,29 @@ anomaly_full_access:
         - 'indices:admin/aliases/get'
         - 'indices:admin/mappings/get'
 
+# Allow users to execute read only k-NN actions
+knn_read_access:
+  reserved: true
+  cluster_permissions:
+    - 'cluster:admin/knn_search_model_action'
+    - 'cluster:admin/knn_get_model_action'
+    - 'cluster:admin/knn_stats_action'
+
+# Allow users to use all k-NN functionality
+knn_full_access:
+  reserved: true
+  cluster_permissions:
+    - 'cluster:admin/knn_training_model_action'
+    - 'cluster:admin/knn_training_job_router_action'
+    - 'cluster:admin/knn_training_job_route_decision_info_action'
+    - 'cluster:admin/knn_warmup_action'
+    - 'cluster:admin/knn_delete_model_action'
+    - 'cluster:admin/knn_remove_model_from_cache_action'
+    - 'cluster:admin/knn_update_model_graveyard_action'
+    - 'cluster:admin/knn_search_model_action'
+    - 'cluster:admin/knn_get_model_action'
+    - 'cluster:admin/knn_stats_action'
+
 # Allows users to read Notebooks
 notebooks_read_access:
   reserved: true
diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat
index 410df30b08..06fbf5ec51 100755
--- a/tools/install_demo_configuration.bat
+++ b/tools/install_demo_configuration.bat
@@ -315,7 +315,7 @@ echo plugins.security.enable_snapshot_restore_privilege: true >> "%OPENSEARCH_CO
 echo plugins.security.check_snapshot_restore_write_privileges: true >> "%OPENSEARCH_CONF_FILE%"
 echo plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"] >> "%OPENSEARCH_CONF_FILE%"
 echo plugins.security.system_indices.enabled: true >> "%OPENSEARCH_CONF_FILE%"
-echo plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"] >> "%OPENSEARCH_CONF_FILE%"
+echo plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models"] >> "%OPENSEARCH_CONF_FILE%"
 
 :: network.host
 >nul findstr /b /c:"network.host" "%OPENSEARCH_CONF_FILE%" && (
diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh
index bff93c3a6a..fad75c5cdf 100755
--- a/tools/install_demo_configuration.sh
+++ b/tools/install_demo_configuration.sh
@@ -377,7 +377,7 @@ echo "plugins.security.enable_snapshot_restore_privilege: true" | $SUDO_CMD tee
 echo "plugins.security.check_snapshot_restore_write_privileges: true" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
 echo 'plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
 echo 'plugins.security.system_indices.enabled: true' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
-echo 'plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
+echo 'plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
 
 #network.host
 if $SUDO_CMD grep --quiet -i "^network.host" "$OPENSEARCH_CONF_FILE"; then