Add indices:admin/get and indices:data/read/search permissions to ml_full_access role for Agentic Search #4775

@rithinpullela

Problem

Users cannot use QueryPlanningTool (Agentic Search) with the ml_full_access role. The tool requires index-level permissions that are not currently included in the role.

Background

QueryPlanningTool executes an async chain to gather context before generating queries:

Code: QueryPlanningTool.java:269-279

// async chain: getIndexMapping -> getSampleDoc -> call model
getIndexMappingAsync(parameters.get(INDEX_NAME_FIELD), ActionListener.wrap(indexMapping -> {
    parameters.put(INDEX_MAPPING_FIELD, gson.toJson(indexMapping));
    getSampleDocAsync(parameters.get(INDEX_NAME_FIELD), ActionListener.wrap(sampleDoc -> {
        parameters.put(SAMPLE_DOCUMENT_FIELD, gson.toJson(sampleDoc));
        queryGenerationTool.run(parameters, modelListener);

Step 1: Get Index Mapping

Calls client.admin().indices().getIndex() to retrieve index structure (field names, types).

Requires: indices:admin/get

Code: QueryPlanningTool.java:307-309

Step 2: Sample Document

Executes a search query with matchAllQuery() to get example documents.

Requires: indices:data/read/search*

Code: QueryPlanningTool.java:287-291

Current State

ml_full_access role (source):

ml_full_access:
  reserved: true
  cluster_permissions:
    - 'cluster:admin/opensearch/ml/*'
    - 'cluster_monitor'
  index_permissions:
    - index_patterns: ['*']
      allowed_actions:
        - 'indices_monitor'  # Only monitoring metrics

Behavior:

  • Flow agents with QueryPlanningTool fail with: OpenSearchSecurityException: no permissions for [indices:admin/get]
  • Adding only indices:admin/get causes failure at step 2 with: no permissions for [indices:data/read/search]
  • Both permissions are required for the tool to function

Proposed Solutions

Option 1: Add permissions to ml_full_access

Add both required permissions to ml_full_access:

ml_full_access:
  reserved: true
  cluster_permissions:
    - 'cluster:admin/opensearch/ml/*'
    - 'cluster_monitor'
  index_permissions:
    - index_patterns: ['*']
      allowed_actions:
        - 'indices_monitor'
        - 'indices:admin/get'          # For index mapping retrieval
        - 'indices:data/read/search*'  # For document sampling

Pros:

  • Users expect ml_full_access to enable all ML features
  • Single role for all ML functionality
  • Aligns with naming convention ("full access")

Cons:

  • Adds index read permissions to existing role
  • Could bring behavior changes giving more permissions to some users after upgrade

Option 2: Create new agentic_search_access role (Not Recommended)

Create a separate role specifically for Agentic Search:

agentic_search_access:
  reserved: true
  cluster_permissions:
    - 'cluster:admin/opensearch/ml/*'
    - 'cluster_monitor'
  index_permissions:
    - index_patterns: ['*']
      allowed_actions:
        - 'indices_monitor'
        - 'indices:admin/get'
        - 'indices:data/read/search*'

Pros:

  • Doesn't modify existing role
  • No security surprises after the upgrade (ml full access does not grant new permissions)

Cons:

  • Fragments ML permissions - users need multiple roles for ML features
  • Confusing naming - why doesn't "ml_full_access" include all ML features?
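
The failure sequence and the Option 1 trade-off described in this issue can be reproduced with a simplified permission check. This is an added example, not code from ml-commons or the OpenSearch security plugin; it assumes `indices_monitor` expands to `indices:monitor/*`, models only wildcard matching on index patterns and actions, and uses the constructed index names `products` and `hr-payroll`.

```python
from fnmatch import fnmatchcase

# Assumption: expansion of the built-in action group used by the role.
ACTION_GROUPS = {"indices_monitor": ["indices:monitor/*"]}

# Actions the issue says QueryPlanningTool needs, in execution order.
REQUIRED = ["indices:admin/get", "indices:data/read/search"]

def expand(allowed):
    """Replace action-group names with the action patterns they stand for."""
    out = []
    for entry in allowed:
        out.extend(ACTION_GROUPS.get(entry, [entry]))
    return out

def is_allowed(role, index, action):
    """True if one index_permissions entry covers both the index and the action."""
    for perm in role["index_permissions"]:
        index_ok = any(fnmatchcase(index, p) for p in perm["index_patterns"])
        action_ok = any(fnmatchcase(action, a) for a in expand(perm["allowed_actions"]))
        if index_ok and action_ok:
            return True
    return False

def first_denied(role, index):
    """Return the first required action the role lacks on index, or None."""
    for action in REQUIRED:
        if not is_allowed(role, index, action):
            return action
    return None

def make_role(*actions):
    """Build a role with one index_permissions entry on pattern '*' (as in the issue)."""
    return {"index_permissions": [{"index_patterns": ["*"], "allowed_actions": list(actions)}]}

ROLE_TODAY = make_role("indices_monitor")
ROLE_GET_ONLY = make_role("indices_monitor", "indices:admin/get")
ROLE_OPTION_1 = make_role("indices_monitor", "indices:admin/get", "indices:data/read/search*")

if __name__ == "__main__":
    for name, role in [("today", ROLE_TODAY), ("get only", ROLE_GET_ONLY), ("option 1", ROLE_OPTION_1)]:
        print(name, "->", first_denied(role, "products") or "tool can run")
    # The "Cons" of Option 1: with pattern '*', search is granted on every index.
    print("hr-payroll searchable:", is_allowed(ROLE_OPTION_1, "hr-payroll", "indices:data/read/search"))
```

The same check run against a role with narrower `index_patterns` shows how far the new read access would reach after an upgrade.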

Labels

enhancement (New feature or request)
