Skip to content

Commit

Permalink
Integrate k-NN functionality with security plugin (#2274)
Browse files Browse the repository at this point in the history 
Adds k-NN read only and full access roles to the default roles file.
Adds k-NN model index to demo for system index.

Signed-off-by: John Mazanec <jmazane@amazon.com>
(cherry picked from commit e7a120c)
  • Loading branch information
@jmazanec15 @github-actions
jmazanec15 authored and github-actions[bot] committed Feb 21, 2023
1 parent 87990cd commit 9290db3
Show file tree
Hide file tree
Showing 3 changed files with 25 additions and 2 deletions.
23 changes: 23 additions & 0 deletions config/roles.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,29 @@ anomaly_full_access:
- 'indices:admin/aliases/get'
- 'indices:admin/mappings/get'

# Allow users to execute read only k-NN actions
knn_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/knn_search_model_action'
- 'cluster:admin/knn_get_model_action'
- 'cluster:admin/knn_stats_action'

# Allow users to use all k-NN functionality
knn_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/knn_training_model_action'
- 'cluster:admin/knn_training_job_router_action'
- 'cluster:admin/knn_training_job_route_decision_info_action'
- 'cluster:admin/knn_warmup_action'
- 'cluster:admin/knn_delete_model_action'
- 'cluster:admin/knn_remove_model_from_cache_action'
- 'cluster:admin/knn_update_model_graveyard_action'
- 'cluster:admin/knn_search_model_action'
- 'cluster:admin/knn_get_model_action'
- 'cluster:admin/knn_stats_action'

# Allows users to read Notebooks
notebooks_read_access:
reserved: true
Expand Down
2 changes: 1 addition & 1 deletion tools/install_demo_configuration.bat
View file
Original file line number Diff line number Diff line change
Expand Up @@ -315,7 +315,7 @@ echo plugins.security.enable_snapshot_restore_privilege: true >> "%OPENSEARCH_CO
echo plugins.security.check_snapshot_restore_write_privileges: true >> "%OPENSEARCH_CONF_FILE%"
echo plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"] >> "%OPENSEARCH_CONF_FILE%"
echo plugins.security.system_indices.enabled: true >> "%OPENSEARCH_CONF_FILE%"
echo plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"] >> "%OPENSEARCH_CONF_FILE%"
echo plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models"] >> "%OPENSEARCH_CONF_FILE%"

:: network.host
>nul findstr /b /c:"network.host" "%OPENSEARCH_CONF_FILE%" && (
Expand Down
2 changes: 1 addition & 1 deletion tools/install_demo_configuration.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -377,7 +377,7 @@ echo "plugins.security.enable_snapshot_restore_privilege: true" | $SUDO_CMD tee
echo "plugins.security.check_snapshot_restore_write_privileges: true" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
echo 'plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
echo 'plugins.security.system_indices.enabled: true' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
echo 'plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
echo 'plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null

#network.host
if $SUDO_CMD grep --quiet -i "^network.host" "$OPENSEARCH_CONF_FILE"; then
Expand Down

0 comments on commit 9290db3

Please sign in to comment.