From 2426340d5609f2b6e09b5681a79f95c47d8ebcb1 Mon Sep 17 00:00:00 2001
From: Stephen Crawford
Date: Fri, 22 Mar 2024 10:39:41 -0400
Subject: [PATCH] Manually backport Refactor and update exisiting ml roles #4151

Signed-off-by: Stephen Crawford
---
 config/roles.yml | 23 +++++++++++++++++++
 .../security/DoNotFailOnForbiddenTests.java | 3 ++-
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/config/roles.yml b/config/roles.yml
index efa83ed02e..b486abceef 100644
--- a/config/roles.yml
+++ b/config/roles.yml
@@ -271,17 +271,40 @@ cross_cluster_search_remote_full_access:
 - 'indices:admin/shards/search_shards'
 - 'indices:data/read/search'
+# Allow users to operate query assistant
+query_assistant_access:
+ reserved: true
+ cluster_permissions:
+ - 'cluster:admin/opensearch/ml/config/get'
+ - 'cluster:admin/opensearch/ml/execute'
+ - 'cluster:admin/opensearch/ml/predict'
+ - 'cluster:admin/opensearch/ppl'
+
 # Allow users to read ML stats/models/tasks
 ml_read_access:
 reserved: true
 cluster_permissions:
+ - 'cluster:admin/opensearch/ml/config/get'
 - 'cluster:admin/opensearch/ml/connectors/get'
 - 'cluster:admin/opensearch/ml/connectors/search'
+ - 'cluster:admin/opensearch/ml/controllers/get'
+ - 'cluster:admin/opensearch/ml/memory/conversation/get'
+ - 'cluster:admin/opensearch/ml/memory/conversation/interaction/search'
+ - 'cluster:admin/opensearch/ml/memory/conversation/list'
+ - 'cluster:admin/opensearch/ml/memory/conversation/search'
+ - 'cluster:admin/opensearch/ml/memory/interaction/get'
+ - 'cluster:admin/opensearch/ml/memory/interaction/list'
+ - 'cluster:admin/opensearch/ml/memory/trace/get'
+ - 'cluster:admin/opensearch/ml/model_groups/get'
 - 'cluster:admin/opensearch/ml/model_groups/search'
 - 'cluster:admin/opensearch/ml/models/get'
 - 'cluster:admin/opensearch/ml/models/search'
+ - 'cluster:admin/opensearch/ml/profile/nodes'
+ - 'cluster:admin/opensearch/ml/stats/nodes'
 - 'cluster:admin/opensearch/ml/tasks/get'
 - 'cluster:admin/opensearch/ml/tasks/search'
+ - 'cluster:admin/opensearch/ml/tools/get'
+ - 'cluster:admin/opensearch/ml/tools/list'
 # Allows users to use all ML functionality
 ml_full_access:
diff --git a/src/integrationTest/java/org/opensearch/security/DoNotFailOnForbiddenTests.java b/src/integrationTest/java/org/opensearch/security/DoNotFailOnForbiddenTests.java
index 3a50a4b1f6..8173fb70af 100644
--- a/src/integrationTest/java/org/opensearch/security/DoNotFailOnForbiddenTests.java
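Review bot: The additions to `ml_read_access` widen the role past what its header comment describes: `cluster:admin/opensearch/ml/memory/conversation/get`, `.../memory/conversation/interaction/search` and the other `memory/*` actions read stored conversation history, which is user-supplied content rather than the stats, models and tasks the comment names. Suggest changing the comment to `# Allow users to read ML stats/models/tasks, tools, and conversation memory` so anyone mapping this reserved role sees that it exposes conversation content. Whether the memory actions are further scoped to the caller's own conversations is decided by the ML plugin rather than by this file, so that is worth confirming before the role is treated as harmless read-only access. The new `query_assistant_access` role likewise bundles `ml/execute` and `ml/predict`, which invoke models rather than read them; its comment `# Allow users to operate query assistant` could say so explicitly.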
+++ b/src/integrationTest/java/org/opensearch/security/DoNotFailOnForbiddenTests.java
@@ -117,7 +117,8 @@ public class DoNotFailOnForbiddenTests {
 "indices:data/read/msearch",
 "indices:data/read/scroll",
 "cluster:monitor/state",
- "cluster:monitor/health"
+ "cluster:monitor/health",
+ "cluster:monitor/term"
 )
 .indexPermissions(
 "indices:data/read/search",
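Review bot: `"cluster:monitor/term"` is added to the test role's cluster permissions with nothing explaining why a do-not-fail-on-forbidden test now needs it, so the next reader has to guess which request started requiring it. A short comment such as `// cluster:monitor/term: needed by the cluster-state term request the test client issues (confirm)` above the new line would record that; I am inferring the reason, so adjust it to the actual call. The role definition and the surrounding test class both begin before this hunk.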