no permissions for [] and User [name=admin, backend_roles=[admin], requestedTenant=null]

[Somer Rabee]

Dear all,

I am trying to deploy the Llama3 model via the OpenSearch ML plugins and integrate it with the OpenSearch Assistant Chatbot.

The model deployment was successful. However, when attempting to create an agent to connect it to OpenSearch Assistant using the following request:

PUT .plugins-ml-config/_doc/os_chat
{
  "type": "os_chat_root_agent",
  "configuration": {
    "agent_id": "Agent-id"
  }
}

I received this error:

"error": {
  "root_cause": [
    {
      "type": "security_exception",
      "reason": "no permissions for [] and User [name=admin, backend_roles=[admin], requestedTenant=null]"
    }
  ]
}

After further investigation, I found that .plugins-ml-config is a system index and requires special permissions even for "Admin" user. I have tried various options based on both Wazuh and OpenSearch documentation, but without success.

Could you please provide any guidance or suggestions on how to resolve this error, or possible workarounds to enable creating an agent for OpenSearch Assistant?

i have tried a variety of options depending on Wazuh and Openseach documentations but no success.

any help or suggestion to solve this error or work around it?

Note: I'm using Wazuh 4.12

Regards.

[Chukwudalu Chisimdi Okonkwo]

Hello Somer, 

Although we do not have any guide yet on creating an agent for OpenSearch Assistant, let me research how you can gain permissions for the system index and revert with feedback.

[Somer Rabee]

Hi Chukwudalu,

Thanks for your kind reply.

I noticed in this Wazuh blog post — https://wazuh.com/blog/leveraging-claude-haiku-in-the-wazuh-dashboard-for-llm-powered-insights/ — that the same PUT .plugins-ml-config/_doc/os_chat command was used successfully. That suggests there is a method to obtain the necessary permissions for OpenSearch system indices.

Could you please advise how to grant the appropriate permissions (or point me to the exact steps) to allow creating an agent in .plugins-ml-config? Any guidance is much appreciated.

Thanks in advance,

[Chukwudalu Chisimdi Okonkwo]

Hello Sommer, 

Kindly enable the plugin indices as shown to enable the system indices in the attached image. The setting is on the path,   /etc/wazuh-indexer/opensearch.yml

Do let me know if this resolved the issue.

[Somer Rabee]

Hello Chukwudalu,

Thanks for your kind reply.

I was considering changing the parameter plugins.security.system_indices.enabled: false, but I was concerned about potential security risks, since these indices are protected for valid reasons according to the OpenSearch documentation.

My question is: would disabling this setting (plugins.security.system_indices.enabled: false) introduce any security issues if applied in a production environment?

Best regards,

[Chukwudalu Chisimdi Okonkwo]

Hello Somer, 

Your concerns are indeed valid. However, the risk involved is with a non priviledged user having access to read or modify the index settings, as the system indices security responsibility was handled by primarily handled by the opensearch. But by moving it to false, it removes the boundary for access to it

[Somer Rabee]

Hi Chukwudalu,

Setting the value of plugins.security.system_indices.enabled to false resolves the issue; however, I believe this introduces a potential security risk, so I wouldn’t recommend changing it in a production environment.

Is there an alternative solution that preserves the protection of system indices, or is disabling this parameter the only available option?

Thanks in advance

[Matías Mercado]

Hi Somer,

You should change the option to "false", make your changes, and then rollback to "true". That is only a quick trick to modify or fix this issue, but the options should always remain on "true".

Regards,
Matías.