From 2e96b9528910e60da627d1263372953c691c86dd Mon Sep 17 00:00:00 2001
From: Lee Rowlands
Date: Wed, 4 Feb 2026 07:25:00 +1000
Subject: [PATCH 1/3] Add read-only perms for ML See https://docs.opensearch.org/latest/ml-commons-plugin/model-sharing-access-control/#ml_read_only
---
 2.x/roles.yml | 2 ++
 3.x/roles.yml | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/2.x/roles.yml b/2.x/roles.yml
index 081f517..3bd5b8a 100644
--- a/2.x/roles.yml
+++ b/2.x/roles.yml
@@ -18,6 +18,8 @@ writer:
 - "indices:data/read/msearch"
 - "indices:data/read/scroll"
 - "indices:data/read/scroll/clear"
+ - "cluster:admin/opensearch/ml/models/get"
+ - "cluster:admin/opensearch/ml/model_groups/get"
 index_permissions:
 - index_patterns:
 - "local_*"
diff --git a/3.x/roles.yml b/3.x/roles.yml
index 081f517..3bd5b8a 100644
--- a/3.x/roles.yml
+++ b/3.x/roles.yml
@@ -18,6 +18,8 @@ writer:
 - "indices:data/read/msearch"
 - "indices:data/read/scroll"
 - "indices:data/read/scroll/clear"
+ - "cluster:admin/opensearch/ml/models/get"
+ - "cluster:admin/opensearch/ml/model_groups/get"
 index_permissions:
 - index_patterns:
 - "local_*"
From 483425c92e902f5b303c46a2d255dad9149ae9c1 Mon Sep 17 00:00:00 2001
From: Lee Rowlands
Date: Wed, 4 Feb 2026 08:55:00 +1000
Subject: [PATCH 2/3] And analyze permission
---
 2.x/roles.yml | 1 +
 3.x/roles.yml | 1 +
 2 files changed, 2 insertions(+)
diff --git a/2.x/roles.yml b/2.x/roles.yml
index 3bd5b8a..58452d8 100644
--- a/2.x/roles.yml
+++ b/2.x/roles.yml
@@ -24,6 +24,7 @@ writer:
 - index_patterns:
 - "local_*"
 allowed_actions:
+ - "indices:admin/analyze"
 - "indices:admin/create"
 - "indices:admin/get"
 - "indices:admin/delete"
diff --git a/3.x/roles.yml b/3.x/roles.yml
index 3bd5b8a..58452d8 100644
--- a/3.x/roles.yml
+++ b/3.x/roles.yml
@@ -24,6 +24,7 @@ writer:
 - index_patterns:
 - "local_*"
 allowed_actions:
+ - "indices:admin/analyze"
 - "indices:admin/create"
 - "indices:admin/get"
 - "indices:admin/delete"
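Review bot: The two `cluster:admin/opensearch/ml/...` actions added in [PATCH 1/3] sit in the list above `index_permissions:`, so unlike the index actions further down they are not limited by the `local_*` pattern; the same applies to the 2.x and 3.x `roles.yml` hunks. What a holder of the `writer` role can read then depends on ML Commons model access control, which the linked page describes. If `plugins.ml_commons.model_access_control_enabled` is not true on the cluster, these grants likely expose every registered model and model group to every user with this role. I would record that dependency beside the entries, e.g. `# ML read access is cluster-wide; relies on model access control being enabled`. The `writer:` role begins above the hunk, so the key these lines belong to is inferred from their position.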
From 6323cfa454781cb68df9aaf15000732521f0018b Mon Sep 17 00:00:00 2001
From: Lee Rowlands
Date: Wed, 4 Feb 2026 09:13:19 +1000
Subject: [PATCH 3/3] Add predict
---
 2.x/roles.yml | 1 +
 3.x/roles.yml | 1 +
 2 files changed, 2 insertions(+)
diff --git a/2.x/roles.yml b/2.x/roles.yml
index 58452d8..a423ace 100644
--- a/2.x/roles.yml
+++ b/2.x/roles.yml
@@ -20,6 +20,7 @@ writer:
 - "indices:data/read/scroll/clear"
 - "cluster:admin/opensearch/ml/models/get"
 - "cluster:admin/opensearch/ml/model_groups/get"
+ - "cluster:admin/opensearch/ml/predict"
 index_permissions:
 - index_patterns:
 - "local_*"
diff --git a/3.x/roles.yml b/3.x/roles.yml
index 58452d8..a423ace 100644
--- a/3.x/roles.yml
+++ b/3.x/roles.yml
@@ -20,6 +20,7 @@ writer:
 - "indices:data/read/scroll/clear"
 - "cluster:admin/opensearch/ml/models/get"
 - "cluster:admin/opensearch/ml/model_groups/get"
+ - "cluster:admin/opensearch/ml/predict"
 index_permissions:
 - index_patterns:
 - "local_*"
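Review bot: `cluster:admin/opensearch/ml/predict` is an invoke action rather than a read action, so it takes the `writer` role beyond the read-only set that [PATCH 1/3] cites as its basis; the same line is added in both the 2.x and 3.x hunks. Predict runs a deployed model, and for a model backed by an external connector that presumably means outbound calls made with the connector's credentials. Because the grant is cluster-wide, which models a role holder can invoke is limited only by model access control, if that is enabled. The commit message gives no reason for the addition, so a comment beside the entry such as `# needed for <feature>; relies on model access control to limit which models can be invoked` would make the intent reviewable. The role definition begins outside the hunk.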