Update forecast roles and permissions

The forecast_read_access and forecast_full_access roles in config/roles.yml have been updated with the correct permissions for the forecasting feature. Forecasting system indices have been added in https://github.com/opensearch-project/anomaly-detection/blob/main/src/main/java/org/opensearch/timeseries/TimeSeriesAnalyticsPlugin.java#L1722

Signed-off-by: Kaituo Li <[email protected]>

Author: kaituo

CHANGELOG.md

@@ -11,6 +11,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Add flush cache endpoint for individual user ([#5337](https://github.com/opensearch-project/security/pull/5337))
 - Handle roles in nested claim for JWT auth backends ([#5355](https://github.com/opensearch-project/security/pull/5355))
 - Integrate search-relevance functionalities with security plugin ([#5376](https://github.com/opensearch-project/security/pull/5376))
+- Add forecast roles and permissions ([#5386](https://github.com/opensearch-project/security/pull/5386))
 
 ### Changed
 - Use extendedPlugins in integrationTest framework for sample resource plugin testing ([#5322](https://github.com/opensearch-project/security/pull/5322))

config/roles.yml

@@ -460,17 +460,17 @@ query_insights_full_access:
 
 # Allow users to execute read only LTR actions
 ltr_read_access:
-    reserved: true
-    cluster_permissions:
-      - cluster:admin/ltr/caches/stats
-      - cluster:admin/ltr/featurestore/list
-      - cluster:admin/ltr/stats
+  reserved: true
+  cluster_permissions:
+    - cluster:admin/ltr/caches/stats
+    - cluster:admin/ltr/featurestore/list
+    - cluster:admin/ltr/stats
 
 # Allow users to execute all LTR actions
 ltr_full_access:
-    reserved: true
-    cluster_permissions:
-      - cluster:admin/ltr/*
+  reserved: true
+  cluster_permissions:
+    - cluster:admin/ltr/*
 
 # Allow users to use all Search Relevance functionalities
 search_relevance_full_access:
@@ -492,3 +492,45 @@ search_relevance_read_access:
     - 'cluster:admin/opensearch/search_relevance/judgment/get'
     - 'cluster:admin/opensearch/search_relevance/queryset/get'
     - 'cluster:admin/opensearch/search_relevance/search_configuration/get'
+
+# Allow users to read Forecast resources
+forecast_read_access:
+  reserved: true
+  cluster_permissions:
+    - 'cluster:admin/plugin/forecast/forecaster/info'
+    - 'cluster:admin/plugin/forecast/forecaster/stats'
+    - 'cluster:admin/plugin/forecast/forecaster/suggest'
+    - 'cluster:admin/plugin/forecast/forecaster/validate'
+    - 'cluster:admin/plugin/forecast/forecasters/get'
+    - 'cluster:admin/plugin/forecast/forecasters/info'
+    - 'cluster:admin/plugin/forecast/forecasters/search'
+    - 'cluster:admin/plugin/forecast/result/topForecasts'
+    - 'cluster:admin/plugin/forecast/tasks/search'
+  index_permissions:
+    - index_patterns:
+        - 'opensearch-forecast-result*'
+      allowed_actions:
+        - 'indices:admin/mappings/fields/get*'
+        - 'indices:admin/resolve/index'
+        - 'indices:data/read*'
+
+# Allows users to use all Forecasting functionality
+forecast_full_access:
+  reserved: true
+  cluster_permissions:
+    - 'cluster:admin/plugin/forecast/*'
+    - 'cluster:admin/settings/update'
+  index_permissions:
+    - index_patterns:
+        - '*'
+      allowed_actions:
+        - 'indices:admin/aliases/get'
+        - 'indices:admin/mapping/get'
+        - 'indices:admin/mapping/put'
+        - 'indices:admin/mappings/fields/get*'
+        - 'indices:admin/resolve/index'
+        - 'indices:data/read*'
+        - 'indices:data/read/field_caps*'
+        - 'indices:data/read/search'
+        - 'indices:data/write*'
+        - 'indices_monitor'