Manually backport Refactor and update exisiting ml roles opensearch-p…

…roject#4151

Signed-off-by: Stephen Crawford <[email protected]>

config/roles.yml

@@ -271,17 +271,40 @@ cross_cluster_search_remote_full_access:
         - 'indices:admin/shards/search_shards'
         - 'indices:data/read/search'
 
+# Allow users to operate query assistant
+query_assistant_access:
+  reserved: true
+  cluster_permissions:
+      - 'cluster:admin/opensearch/ml/config/get'
+      - 'cluster:admin/opensearch/ml/execute'
+      - 'cluster:admin/opensearch/ml/predict'
+      - 'cluster:admin/opensearch/ppl'
+
 # Allow users to read ML stats/models/tasks
 ml_read_access:
   reserved: true
   cluster_permissions:
+    - 'cluster:admin/opensearch/ml/config/get'
     - 'cluster:admin/opensearch/ml/connectors/get'
     - 'cluster:admin/opensearch/ml/connectors/search'
+    - 'cluster:admin/opensearch/ml/controllers/get'
+    - 'cluster:admin/opensearch/ml/memory/conversation/get'
+    - 'cluster:admin/opensearch/ml/memory/conversation/interaction/search'
+    - 'cluster:admin/opensearch/ml/memory/conversation/list'
+    - 'cluster:admin/opensearch/ml/memory/conversation/search'
+    - 'cluster:admin/opensearch/ml/memory/interaction/get'
+    - 'cluster:admin/opensearch/ml/memory/interaction/list'
+    - 'cluster:admin/opensearch/ml/memory/trace/get'
+    - 'cluster:admin/opensearch/ml/model_groups/get'
     - 'cluster:admin/opensearch/ml/model_groups/search'
     - 'cluster:admin/opensearch/ml/models/get'
     - 'cluster:admin/opensearch/ml/models/search'
+    - 'cluster:admin/opensearch/ml/profile/nodes'
+    - 'cluster:admin/opensearch/ml/stats/nodes'
     - 'cluster:admin/opensearch/ml/tasks/get'
     - 'cluster:admin/opensearch/ml/tasks/search'
+    - 'cluster:admin/opensearch/ml/tools/get'
+    - 'cluster:admin/opensearch/ml/tools/list'
 
 # Allows users to use all ML functionality
 ml_full_access:

src/integrationTest/java/org/opensearch/security/DoNotFailOnForbiddenTests.java

@@ -117,7 +117,8 @@ public class DoNotFailOnForbiddenTests {
             "indices:data/read/msearch",
             "indices:data/read/scroll",
             "cluster:monitor/state",
-            "cluster:monitor/health"
+            "cluster:monitor/health",
+            "cluster:monitor/term"
         )
             .indexPermissions(
                 "indices:data/read/search",