Permission issue with .plugins-ml-config

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): 12.2

Describe the issue:
I have OpenSearch version 12.2 installed, and I want to use the assistant feature. I already have my OpenAI model loaded, along with its respective connector and model group. I’ve also activated assistant.chat.enabled as required by this guide (dashboards-assistant/GETTING_STARTED_GUIDE.md at main · opensearch-project/dashboards-assistant · GitHub). The problem arises when I run this command:

PUT .plugins-ml-config/_doc/os_chat
{
  "type":"os_chat_root_agent",
  "configuration":{
    "agent_id": "xhIx9o0BgH1_aAmC2aFz"
  }
}

I get this error message:
{
“error”: {
“root_cause”: [
{
“type”: “security_exception”,
“reason”: “no permissions for and User [name=admin, backend_roles=[admin], requestedTenant=user]”
}
],
“type”: “security_exception”,
“reason”: “no permissions for and User [name=admin, backend_roles=[admin], requestedTenant=user]”
},
“status”: 403
}

When I check the service logs, it shows me this specifically:

[2024-02-29T18:58:43,294][WARN ][o.o.s.p.SecurityIndexAccessEvaluator] [qxopensearch0-node1] indices:data/write/index for ‘.plugins-ml-config’ index is not allowed for a regular user

I’ve tried everything; I’ve created all the roles and permissions, but I can’t seem to execute the command to activate the agent

Configuration:

Relevant Logs or Screenshots:

@only19 Please try with admin certificate and curl.
i.e.

curl --insecure --cert config/kirk.pem --key config/kirk-key.pem -H "Content-Type: application/json" -XPUT https://localhost:9200/.plugins-ml-config/_doc/os_chat -d '
 {
   "type":"os_chat_root_agent",
   "configuration":{
     "agent_id": "your root agent id"
   }
 }
 '
[opensearch@81f7a60a73c8 ~]$ curl --insecure --cert config/kirk.pem --key config/kirk-key.pem https://localhost:9200/.plugins-ml-config/_search?pretty                                                                                                                                                              {
  "took" : 772,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 2,
      "relation" : "eq"
    },
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : ".plugins-ml-config",
        "_id" : "master_key",
        "_score" : 1.0,
        "_source" : {
          "master_key" : "J6HZA+eQd72/umG6IY/9L28X6oatsevTXirR/bOlNps=",
          "create_time" : 1709239265690
        }
      },
      {
        "_index" : ".plugins-ml-config",
        "_id" : "os_chat",
        "_score" : 1.0,
        "_source" : {
          "type" : "os_chat_root_agent",
          "configuration" : {
            "agent_id" : "your root agent id"
          }
        }
      }
    ]
  }
}

Pablo, thank you very much for the help. I’ve really tried everything

  • Let me share the output of the first command with you.

[root@qxopensearch0 config]# curl --insecure --cert kirk.pem --key kirk-key.pem -H “Content-Type: application/json” -XPUT https://localhost:9200/.plugins-ml-config/_search?pretty -d ’

> > {
> >   "type":"os_chat_root_agent",
> >   "configuration":{
> >     "agent_id": "xhIx9o0BgH1_aAmC2aFz"
> >   }
> > }
> > '
{
"error" : "Incorrect HTTP method for uri [/.plugins-ml-config/_search?pretty] and method [PUT], allowed: [GET, POST]",
  "status" : 405
}

I also tried with the POST method, but it throws a syntax error. Anyway, that method doesn’t work for registering the agent

Here is the output of the second command.

[root@qxopensearch0 config]# curl --insecure --cert kirk.pem --key kirk-key.pem https://localhost:9200/.plugins-ml-config/_search?pretty

{
  "took" : 2,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 1,
      "relation" : "eq"
    },
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : ".plugins-Preformatted textml-config",
        "_id" : "master_key",
        "_score" : 1.0,
        "_source" : {
          "master_key" : "qvK3QM1S811MKGF+K6SeB2AqGJrFAMabbw95re+Tq3E=",
          "create_time" : 1709061173749
        }
      }
    ]
  }
}

@only19 Sorry I’ve sent you incorrect URL.

Try with https://localhost:9200/.plugins-ml-config/_doc/os_chat instead.

I’ve just updated my last post.

1 Like

Why should we do that? Is there any explanation? Even logged as ADMIN, going via UI inside the Dev Tools gives the same error.

Hi guys. I really need to solve this issue. Either by disabling this permission check, or doing another thing. Because I have automated configurations in place. So, I can’t use the certificates. Please, tell me what is the configuration to disable this configuration check, and allow me to use even the dev tools to perform the request.

To disable the check set plugins.security.system_indices.enabled to false in opensearch.yml

Direct system index access is discouraged. Use APIs instead.

1 Like

Thanks for your answer. Since I’m trying to configure the “.plugins-ml-config/_doc/os_chat” what would be the equivalent in API calls? But I’d prefer the option you gave me of disabling the security since there’s no other option in the docs?! Without disabling it, even the DevTools admin cannot perform the request. Understand what I mean?!