Onboard KNN Plugin features into security #2265

Closed
jmazanec15 opened this issue Nov 17, 2022 · 8 comments
Labels
triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. v2.7.0

Comments

@jmazanec15
Member

Related to #2256

We would like to integrate the k-NN plugin functionality with security.

For k-NN, we have several APIs. Listed below are the APIs, the roles we want to assign the APIs (and therefore all of the actions) and the actions:

  1. SearchModel (role: knn_read_access)
    cluster:admin/knn_search_model_action
  2. TrainModel (role: knn_full_access)
    cluster:admin/knn_training_model_action
    cluster:admin/knn_training_job_router_action
    cluster:admin/knn_training_job_route_decision_info_action
  3. Warmup (role: knn_full_access)
    cluster:admin/knn_warmup_action
  4. DeleteModel (role: knn_full_access)
    cluster:admin/knn_delete_model_action
    cluster:admin/knn_remove_model_from_cache_action
    cluster:admin/knn_update_model_graveyard_action
  5. GetModel (role: knn_read_access)
    cluster:admin/knn_get_model_action
  6. Stats (role: knn_read_access)
    cluster:admin/knn_stats_action

In order to create these roles, do I just need to update:

  1. https://github.com/opensearch-project/security/blob/main/config/roles.yml
  2. https://github.com/opensearch-project/security-dashboards-plugin/blob/main/public/apps/configuration/constants.tsx#L32

In addition, we have 1 system index: ".opensearch-knn-models". Is there anything we should do in particular in security plugin for this? Do we need to add it to a sample config anywhere?

@cwperks
Member

cwperks commented Nov 22, 2022

Hi @jmazanec15, I recommend following the same pattern as other recently introduced plugins where the convention is adding new reserved roles in roles.yml. See https://github.com/opensearch-project/security/blob/main/config/roles.yml#L259-L286 for recently introduced reserved roles for security analytics in 2.4.0.

If you would like actions to be assignable to custom roles then add the roles that can be assignable to https://github.com/opensearch-project/security-dashboards-plugin/blob/main/public/apps/configuration/constants.tsx.

For system index protection, the index needs to be added to opensearch.yml. These are relevant lines in the demo configuration for opensearch.yml in the most recent release 2.4.0.

```yaml
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
```

You can edit the install_demo_configuration.[sh|bat] here: https://github.com/opensearch-project/security/blob/main/tools/install_demo_configuration.sh#L381
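
Added illustration (not part of the thread and not the security plugin's code): a Python check that parses the two demo settings quoted in the comment above and reports which index names are covered by no pattern, using `.opensearch-knn-models` from the issue. The function names are hypothetical, and `*` matching is approximated with `fnmatchcase` rather than the plugin's own matcher.

```python
import json
from fnmatch import fnmatchcase

# The two 2.4.0 demo-configuration lines quoted in the comment above.
DEMO_SETTINGS = (
    'plugins.security.system_indices.enabled: true\n'
    'plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", '
    '".opendistro-alerting-config", ".opendistro-alerting-alert*", '
    '".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", '
    '".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", '
    '".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", '
    '".opensearch-observability", ".opendistro-asynchronous-search-response*", '
    '".replication-metadata-store"]\n'
)

PREFIX = "plugins.security.system_indices."


def parse_system_index_settings(text):
    """Return (enabled, patterns) from flat opensearch.yml lines."""
    enabled, patterns = False, []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(PREFIX):
            continue
        key, _, value = line[len(PREFIX):].partition(":")
        if key == "enabled":
            enabled = value.strip().lower() == "true"
        elif key == "indices":
            # A flow-style list of double-quoted strings is also valid JSON.
            patterns = json.loads(value.strip())
    return enabled, patterns


def unprotected(index_names, text):
    """Names from index_names that no configured pattern covers."""
    enabled, patterns = parse_system_index_settings(text)
    if not enabled:
        # With protection switched off, the pattern list covers nothing.
        return list(index_names)
    return [name for name in index_names
            if not any(fnmatchcase(name, p) for p in patterns)]


if __name__ == "__main__":
    # Index names to audit; the second is a constructed sample name.
    wanted = [".opensearch-knn-models", ".opendistro-alerting-alert-history-1"]
    print("not covered:", unprotected(wanted, DEMO_SETTINGS))
```
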

@jmazanec15
Member Author

Thanks @cwperks. I raised PR #2274. Still working on testing changes - but will switch out of draft mode once I'm able to do this.

@RyanL1997 RyanL1997 added the triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. label Nov 28, 2022
@RyanL1997
Collaborator

[Triaged] @jmazanec15 Thanks for filing this. Could you please provide which version you wanna go in with this feature?

@gaiksaya
Member

Hi @opensearch-project/security,
This issue was tagged for 2.6.0. Can you close it if it was resolved or tag is to be tracked for next iteration?
Thanks!

@cwperks
Member

cwperks commented Feb 27, 2023

Re-labeling as 2.7.0. This had to be rolled back and wasn't included in 2.6.0.

@davidlago

@jmazanec15 same question as in #2478, with 2.7 code freeze coming up, want to make sure you are getting the support you need to get the needed changes in.

@jmazanec15
Member Author

@martin-gaievski has been working on this. He merged the necessary change into 2.7: opensearch-project/k-NN#849. I will let him confirm if everything is working.

@davidlago

Thanks for the update, @jmazanec15. Please re-open if you still think there is something here for security to address.
