From ec400e29d51f19beb89fced7b67a8e901365e080 Mon Sep 17 00:00:00 2001
From: Amit Galitzky
Date: Fri, 15 Dec 2023 12:45:12 -0800
Subject: [PATCH] Add flow framework system indices and roles (#3851)

### Description Adds 2 flow-framework related roles to the plugin: read only and fully access. Adds flow-framework system indices to demo scripts as well. ### Issues Resolved ### Testing manual testing of roles ### Check List - [x] Commits are signed per the DCO using --signoff By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).
Signed-off-by: Amit Galitzky
---
 config/roles.yml | 23 +++++++++++++++++++
 .../SecuritySettingsConfigurer.java | 5 +++-
 2 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/config/roles.yml b/config/roles.yml
index 800913949d..d56ea617f5 100644
--- a/config/roles.yml
+++ b/config/roles.yml
@@ -372,3 +372,26 @@ security_analytics_ack_alerts:
 reserved: true
 cluster_permissions:
 - 'cluster:admin/opensearch/securityanalytics/alerts/*'
+
+# Allows users to use all Flow Framework functionality
+flow_framework_full_access:
+ reserved: true
+ cluster_permissions:
+ - 'cluster:admin/opensearch/flow_framework/*'
+ - 'cluster_monitor'
+ index_permissions:
+ - index_patterns:
+ - '*'
+ allowed_actions:
+ - 'indices:admin/aliases/get'
+ - 'indices:admin/mappings/get'
+ - 'indices_monitor'
+
+# Allow users to read flow framework's workflows and their state
+flow_framework_read_access:
+ reserved: true
+ cluster_permissions:
+ - 'cluster:admin/opensearch/flow_framework/workflow/get'
+ - 'cluster:admin/opensearch/flow_framework/workflow/search'
+ - 'cluster:admin/opensearch/flow_framework/workflow_state/get'
+ - 'cluster:admin/opensearch/flow_framework/workflow_state/search'
diff --git a/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java b/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java
index b3644e6c4d..116373a38f 100644
--- a/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java
+++ b/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java
@@ -69,7 +69,10 @@ public class SecuritySettingsConfigurer {
 ".opendistro-asynchronous-search-response*",
 ".replication-metadata-store",
 ".opensearch-knn-models",
- ".geospatial-ip2geo-data*"
+ ".geospatial-ip2geo-data*",
+ ".plugins-flow-framework-config",
+ ".plugins-flow-framework-templates",
+ ".plugins-flow-framework-state"
 );
 static String ADMIN_PASSWORD = "";
 static String ADMIN_USERNAME = "admin";
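Review bot: In `config/roles.yml`, the `index_permissions` entry of `flow_framework_full_access` applies `indices:admin/aliases/get`, `indices:admin/mappings/get` and `indices_monitor` to the pattern `'*'`, so holders of the role can read alias, mapping and monitoring metadata for every index, not only the ones a workflow touches. If that breadth is intended, state it above the block, for example `# '*' is deliberate: metadata-only visibility across all indices, no document read or write`; otherwise narrow the pattern. The wildcard `cluster:admin/opensearch/flow_framework/*` also grants any action later added under that prefix without a further review of this role, which is worth a line in the role comment given that the role is `reserved: true`.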
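Review bot: In `SecuritySettingsConfigurer.java`, the three new entries are exact index names hard-coded in a list whose declaration starts above the hunk, and nothing visible ties them to the names the flow-framework plugin actually creates. If the plugin renames or adds an index, it would fall outside system-index protection in demo-configured clusters without any error. A comment above the new lines such as `// Flow Framework system indices; must match the index names defined by the flow-framework plugin` would make that coupling explicit. The commit lists only manual testing of the roles, so an assertion that the generated system-index setting contains these three names would also be worth adding.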