Performing rerank inference requests with monitor_inference fails with authorization error #128328

@jonathan-buttner

Elasticsearch Version

8.18.0, 9.0.0

Installed Plugins

No response

Java Version

bundled

OS Version

N/A

Problem Description

Performing rerank inference requests with a user that only has monitor_inference permissions fails.

Steps to Reproduce

Add some docs

PUT my_index/_doc/1?pretty
{
    "title": "The Terminator",
    "overview": "A cyborg is sent back in time to kill Sarah Connor."
}

PUT my_index/_doc/2?pretty
{
    "title": "Terminator 2: Judgment Day",
    "overview": "A cyborg is sent back in time to protect John Connor."
}

PUT my_index/_doc/3?pretty
{
    "title": "Terminator Genisys",
    "overview": "A cyborg is sent back in time to protect Sarah Connor."
}

Set up an inference entity that supports rerank

PUT _inference/rerank/coherererank
{
    "service": "cohere",
    "service_settings": {
        "api_key": "<api key>",
        "model_id": "rerank-v3.5"
    }
}

Add a role and user with only monitor_inference

POST _security/role/test_read?pretty
{
    "cluster": ["monitor_inference"],
    "indices": [
      {
        "names": [
          "my_index*"
        ],
        "privileges": [
          "read"
        ],
        "allow_restricted_indices": false
      }
    ]
}

POST _security/user/test_read_user?pretty
{
    "password": "<password>",
    "roles": [
      "test_read"
    ]
}

Perform a rerank using the test_read_user

GET my_index/_search
{
    "_source": [
        "title"
    ],
    "retriever": {
        "text_similarity_reranker": {
            "retriever": {
                "standard": {
                    "query": {
                        "multi_match": {
                            "fields": [
                                "title",
                                "overview"
                            ],
                            "query": "terminator arnold"
                        }
                    }
                }
            },
            "field": "title",
            "inference_text": "terminator arnold",
            "inference_id": "coherererank"
        }
    }
}

Or perform an ESQL rerank using the test_read_user

POST /_query?format=txt
{
    "query": "FROM my_index | KEEP title, overview | SORT title DESC | LIMIT 10 | RERANK \"terminator arnold\" ON title WITH coherererank"
}

Logs (if relevant)

Error

{
    "error": {
        "root_cause": [
            {
                "type": "status_exception",
                "reason": "[text_similarity_reranker] search failed - retrievers '[standard]' returned errors. All failures are attached as suppressed exceptions.",
                "suppressed": [
                    {
                        "type": "search_phase_execution_exception",
                        "reason": "Computing updated ranks for results failed",
                        "phase": "rank-feature",
                        "grouped": true,
                        "failed_shards": []
                    }
                ]
            }
        ],
        "type": "status_exception",
        "reason": "[text_similarity_reranker] search failed - retrievers '[standard]' returned errors. All failures are attached as suppressed exceptions.",
        "suppressed": [
            {
                "type": "search_phase_execution_exception",
                "reason": "Computing updated ranks for results failed",
                "phase": "rank-feature",
                "grouped": true,
                "failed_shards": [],
                "caused_by": {
                    "type": "security_exception",
                    "reason": "action [cluster:internal/xpack/inference] is unauthorized for user [test_read_user] with effective roles [test_read], this action is granted by the cluster privileges [manage,all]"
                }
            }
        ]
    },
    "status": 403
}
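
Added example, not part of the original issue or of Elasticsearch: a triage helper that walks a 403 body like the one above and pulls the denied action, user, roles and granting privileges out of the nested `security_exception`, which here sits under `suppressed[].caused_by` and not in `root_cause`. The sample body is a constructed, trimmed copy of the response above, and the regex assumes the reason wording shown in this issue.

```python
import json
import re

# Constructed sample: the 403 body from the issue above, trimmed to the fields used here.
DENIED = ("action [cluster:internal/xpack/inference] is unauthorized for user "
          "[test_read_user] with effective roles [test_read], this action is "
          "granted by the cluster privileges [manage,all]")
RANK_FAIL = {"type": "search_phase_execution_exception",
             "reason": "Computing updated ranks for results failed"}
SAMPLE_BODY = json.dumps({"status": 403, "error": {
    "type": "status_exception",
    "reason": "[text_similarity_reranker] search failed",
    "root_cause": [{"type": "status_exception",
                    "reason": "[text_similarity_reranker] search failed",
                    "suppressed": [RANK_FAIL]}],
    "suppressed": [dict(RANK_FAIL, caused_by={"type": "security_exception",
                                              "reason": DENIED})]}})

# Assumption: matches the reason wording shown in this issue; other versions may differ.
DENIAL_RE = re.compile(
    r"action \[(?P<action>[^\]]+)\] is unauthorized for user \[(?P<user>[^\]]+)\]"
    r"(?: with effective roles \[(?P<roles>[^\]]*)\])?"
    r"(?:.*?granted by the cluster privileges \[(?P<granted_by>[^\]]*)\])?")

def walk(node, path="error"):
    """Yield (path, exception) for every exception nested in an error object."""
    if isinstance(node, list):
        for i, item in enumerate(node):
            yield from walk(item, f"{path}[{i}]")
    elif isinstance(node, dict):
        if "type" in node and "reason" in node:
            yield path, node
        for key in ("root_cause", "suppressed", "caused_by"):
            if key in node:
                yield from walk(node[key], f"{path}.{key}")

def split_list(text):
    """Split a bracketed, comma-separated list; a missing group gives []."""
    return [item.strip() for item in (text or "").split(",") if item.strip()]

def find_denials(body):
    """Return one record per security_exception found anywhere in the response."""
    denials = []
    for path, exc in walk(json.loads(body).get("error", {})):
        match = DENIAL_RE.search(exc["reason"]) if exc["type"] == "security_exception" else None
        if match:
            denials.append({"path": path, "action": match["action"], "user": match["user"],
                            "roles": split_list(match["roles"]),
                            "granted_by": split_list(match["granted_by"])})
    return denials
```
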

Labels

:ml (Machine learning), >bug, Feature:GenAI (Features around GenAI), Team:ML (Meta label for the ML team)
