Permission issue with .plugins-ml-config

only19 · February 29, 2024, 7:15pm

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): 12.2

Describe the issue:
I have OpenSearch version 12.2 installed, and I want to use the assistant feature. I already have my OpenAI model loaded, along with its respective connector and model group. I’ve also activated assistant.chat.enabled as required by this guide (dashboards-assistant/GETTING_STARTED_GUIDE.md at main · opensearch-project/dashboards-assistant · GitHub). The problem arises when I run this command:

PUT .plugins-ml-config/_doc/os_chat
{
  "type":"os_chat_root_agent",
  "configuration":{
    "agent_id": "xhIx9o0BgH1_aAmC2aFz"
  }
}

I get this error message:
{
“error”: {
“root_cause”: [
{
“type”: “security_exception”,
“reason”: “no permissions for and User [name=admin, backend_roles=[admin], requestedTenant=user]”
}
],
“type”: “security_exception”,
“reason”: “no permissions for and User [name=admin, backend_roles=[admin], requestedTenant=user]”
},
“status”: 403
}

When I check the service logs, it shows me this specifically:

[2024-02-29T18:58:43,294][WARN ][o.o.s.p.SecurityIndexAccessEvaluator] [qxopensearch0-node1] indices:data/write/index for ‘.plugins-ml-config’ index is not allowed for a regular user

I’ve tried everything; I’ve created all the roles and permissions, but I can’t seem to execute the command to activate the agent

Configuration:

Relevant Logs or Screenshots:

pablo · February 29, 2024, 9:00pm

@only19 Please try with admin certificate and curl.
i.e.

curl --insecure --cert config/kirk.pem --key config/kirk-key.pem -H "Content-Type: application/json" -XPUT https://localhost:9200/.plugins-ml-config/_doc/os_chat -d '
 {
   "type":"os_chat_root_agent",
   "configuration":{
     "agent_id": "your root agent id"
   }
 }
 '

[opensearch@81f7a60a73c8 ~]$ curl --insecure --cert config/kirk.pem --key config/kirk-key.pem https://localhost:9200/.plugins-ml-config/_search?pretty                                                                                                                                                              {
  "took" : 772,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 2,
      "relation" : "eq"
    },
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : ".plugins-ml-config",
        "_id" : "master_key",
        "_score" : 1.0,
        "_source" : {
          "master_key" : "J6HZA+eQd72/umG6IY/9L28X6oatsevTXirR/bOlNps=",
          "create_time" : 1709239265690
        }
      },
      {
        "_index" : ".plugins-ml-config",
        "_id" : "os_chat",
        "_score" : 1.0,
        "_source" : {
          "type" : "os_chat_root_agent",
          "configuration" : {
            "agent_id" : "your root agent id"
          }
        }
      }
    ]
  }
}

only19 · February 29, 2024, 10:37pm

Pablo, thank you very much for the help. I’ve really tried everything

Let me share the output of the first command with you.

[root@qxopensearch0 config]# curl --insecure --cert kirk.pem --key kirk-key.pem -H “Content-Type: application/json” -XPUT https://localhost:9200/.plugins-ml-config/_search?pretty -d ’

> > {
> >   "type":"os_chat_root_agent",
> >   "configuration":{
> >     "agent_id": "xhIx9o0BgH1_aAmC2aFz"
> >   }
> > }
> > '
{

"error" : "Incorrect HTTP method for uri [/.plugins-ml-config/_search?pretty] and method [PUT], allowed: [GET, POST]",
  "status" : 405
}

I also tried with the POST method, but it throws a syntax error. Anyway, that method doesn’t work for registering the agent

only19 · February 29, 2024, 10:38pm

Here is the output of the second command.

[root@qxopensearch0 config]# curl --insecure --cert kirk.pem --key kirk-key.pem https://localhost:9200/.plugins-ml-config/_search?pretty

{
  "took" : 2,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 1,
      "relation" : "eq"
    },
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : ".plugins-Preformatted textml-config",
        "_id" : "master_key",
        "_score" : 1.0,
        "_source" : {
          "master_key" : "qvK3QM1S811MKGF+K6SeB2AqGJrFAMabbw95re+Tq3E=",
          "create_time" : 1709061173749
        }
      }
    ]
  }
}

pablo · February 29, 2024, 11:04pm

@only19 Sorry I’ve sent you incorrect URL.

Try with https://localhost:9200/.plugins-ml-config/_doc/os_chat instead.

I’ve just updated my last post.

rios0rios0 · September 20, 2024, 11:00pm

Why should we do that? Is there any explanation? Even logged as ADMIN, going via UI inside the Dev Tools gives the same error.

rios0rios0 · November 11, 2024, 11:18pm

Hi guys. I really need to solve this issue. Either by disabling this permission check, or doing another thing. Because I have automated configurations in place. So, I can’t use the certificates. Please, tell me what is the configuration to disable this configuration check, and allow me to use even the dev tools to perform the request.

Topic		Replies	Views
No permissions for user Security	38	6794	September 21, 2024
ISM and security permissions Security configure	8	62	August 15, 2024
Dashboards assistant "disabled"/grayed out OpenSearch Dashboards troubleshoot	2	237	May 3, 2024
Issues with event explorer and query assistant OpenSearch Dashboards	0	29	July 26, 2024
Opensearch-security-analytics plugin, permissions missing OpenSearch Dashboards troubleshoot	3	382	January 12, 2024

Permission issue with .plugins-ml-config

Related topics