Introduce Insights API

[jackiehanyang]

Description

• Introducing a new Insights API
  • POST /_plugins/_anomaly_detection/insights/_start - Start insights job
  • GET /_plugins/_anomaly_detection/insights/_status - Get insights job status
  • GET /_plugins/_anomaly_detection/insights/_results - Get latest insights results
  • POST /_plugins/_anomaly_detection/insights/_stop - Stop insights job
• Introducing ml-commons metrics correlation runtime dependency
  • sending anomaly results to ml-commons metrics correlation algorithm to analyze
  • write analyze results into insights-results index
  • frontend will read from this index to display insights on dashboard

Related Issues

Resolves #[Issue number to be closed when this PR is merged]

Check List

• New functionality includes testing.
• New functionality has been documented.
• API changes companion pull request created.
• Commits are signed per the DCO using --signoff.
• Public documentation issue/PR created.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[kaituo]

CI failed due to jacoco changes in build.gradle. Not sure how to fix. One naive way is to add correlation request, response, and Action in AD to avoid ml-commons dependency.

* What went wrong:
Execution failed for task ':jacocoTestCoverageVerification'.
> A failure occurred while executing org.gradle.internal.jacoco.JacocoCoverageAction
   > Rule violated for class org.opensearch.ad.AnomalyDetectorRunner: branches covered ratio is 0.35, but expected minimum is 0.60
     Rule violated for class org.opensearch.ad.AnomalyDetectorRunner: lines covered ratio is 0.47, but expected minimum is 0.75
     Rule violated for class org.opensearch.timeseries.util.ModelUtil: branches covered ratio is 0.32, but expected minimum is 0.60
     Rule violated for class org.opensearch.timeseries.util.ModelUtil: lines covered ratio is 0.48, but expected minimum is 0.75
     Rule violated for class org.opensearch.timeseries.util.DataUtil: lines covered ratio is 0.72, but expected minimum is 0.75
     Rule violated for class org.opensearch.timeseries.feature.AbstractRetriever: branches covered ratio is 0.55, but expected minimum is 0.60
     Rule violated for class org.opensearch.timeseries.feature.AbstractRetriever: lines covered ratio is 0.63, but expected minimum is 0.75
     Rule violated for class org.opensearch.timeseries.feature.SearchFeatureDao: branches covered ratio is 0.28, but expected minimum is 0.60
     Rule violated for class org.opensearch.timeseries.feature.SearchFeatureDao: lines covered ratio is 0.59, but expected minimum is 0.75
     Rule violated for class org.opensearch.timeseries.rest.handler.ModelValidationActionHandler: branches covered ratio is 0.00, but expected minimum is 0.60
     Rule violated for class org.opensearch.timeseries.rest.handler.ModelValidationActionHandler: lines covered ratio is 0.00, but expected minimum is 0.75
     Rule violated for class org.opensearch.timeseries.rest.handler.ConfigUpdateConfirmer: branches covered ratio is 0.06, but expected minimum is 0.60
     Rule violated for class org.opensearch.timeseries.rest.handler.ConfigUpdateConfirmer: lines covered ratio is 0.19, but expected minimum is 0.75
     Rule violated for class org.opensearch.timeseries.rest.handler.AggregationPrep: branches covered ratio is 0.36, but expected minimum is 0.60
     Rule violated for class org.opensearch.timeseries.rest.handler.AggregationPrep: lines covered ratio is 0.40, but expected minimum is 0.75
     Rule violated for class org.opensearch.timeseries.rest.handler.IntervalCalculation: branches covered ratio is 0.06, but expected minimum is 0.60
     Rule violated for class org.opensearch.timeseries.rest.handler.IntervalCalculation: lines covered ratio is 0.18, but expected minimum is 0.75
     Rule violated for class org.opensearch.timeseries.rest.handler.LatestTimeRetriever: branches covered ratio is 0.00, but expected minimum is 0.60
     Rule violated for class org.opensearch.timeseries.rest.handler.LatestTimeRetriever: lines covered ratio is 0.00, but expected minimum is 0.75
     Rule violated for class org.opensearch.timeseries.rest.handler.IntervalCalculation.IntervalRecommendationListener: branches covered ratio is 0.37, but expected minimum is 0.60
     Rule violated for class org.opensearch.timeseries.rest.handler.IntervalCalculation.IntervalRecommendationListener: lines covered ratio is 0.55, but expected minimum is 0.75
     Rule violated for class org.opensearch.timeseries.ratelimit.ColdStartWorker: branches covered ratio is 0.45, but expected minimum is 0.60
     Rule violated for class org.opensearch.timeseries.ratelimit.ColdStartWorker: lines covered ratio is 0.73, but expected minimum is 0.75
     Rule violated for class org.opensearch.ad.transport.SuggestAnomalyDetectorParamTransportAction: branches covered ratio is 0.00, but expected minimum is 0.60
     Rule violated for class org.opensearch.ad.transport.SuggestAnomalyDetectorParamTransportAction: lines covered ratio is 0.11, but expected minimum is 0.75
     Rule violated for class org.opensearch.ad.transport.ADSuggestName: branches covered ratio is 0.00, but expected minimum is 0.60
     Rule violated for class org.opensearch.ad.transport.ADSuggestName: lines covered ratio is 0.57, but expected minimum is 0.75
     Rule violated for class org.opensearch.ad.transport.ADResultProcessor: branches covered ratio is 0.00, but expected minimum is 0.60
     Rule violated for class org.opensearch.ad.transport.ADResultProcessor: lines covered ratio is 0.61, but expected minimum is 0.75
     Rule violated for class org.opensearch.timeseries.model.InitProgressProfile: branches covered ratio is 0.50, but expected minimum is 0.60
     Rule violated for class org.opensearch.timeseries.model.IntervalTimeConfiguration: branches covered ratio is 0.50, but expected minimum is 0.60
     Rule violated for class org.opensearch.ad.ml.MLCommonsClient: lines covered ratio is 0.62, but expected minimum is 0.75
     Rule violated for class org.opensearch.timeseries.rest.RestValidateAction: branches covered ratio is 0.00, but expected minimum is 0.60
     Rule violated for class org.opensearch.timeseries.rest.RestValidateAction: lines covered ratio is 0.26, but expected minimum is 0.75
     Rule violated for class org.opensearch.timeseries.rest.RestJobAction: branches covered ratio is 0.00, but expected minimum is 0.60
     Rule violated for class org.opensearch.timeseries.rest.RestJobAction: lines covered ratio is 0.25, but expected minimum is 0.75
     Rule violated for class org.opensearch.timeseries.rest.AbstractSearchAction: lines covered ratio is 0.60, but expected minimum is 0.75
     Rule violated for class org.opensearch.timeseries.transport.SuggestConfigParamResponse: branches covered ratio is 0.59, but expected minimum is 0.60
     Rule violated for class org.opensearch.timeseries.transport.SuggestConfigParamRequest: branches covered ratio is 0.50, but expected minimum is 0.60
     Rule violated for class org.opensearch.timeseries.transport.SuggestConfigParamRequest: lines covered ratio is 0.68, but expected minimum is 0.75
     Rule violated for class org.opensearch.timeseries.transport.SuggestConfigParamResponse.Builder: lines covered ratio is 0.57, but expected minimum is 0.75
     Rule violated for class org.opensearch.timeseries.transport.handler.IndexMemoryPressureAwareResultHandler: branches covered ratio is 0.54, but expected minimum is 0.60
     Rule violated for class org.opensearch.timeseries.transport.handler.IndexMemoryPressureAwareResultHandler: lines covered ratio is 0.68, but expected minimum is 0.75
     Rule violated for class org.opensearch.ad.ratelimit.ADSaveResultStrategy: branches covered ratio is 0.43, but expected minimum is 0.60
     Rule violated for class org.opensearch.ad.ratelimit.ADSaveResultStrategy: lines covered ratio is 0.53, but expected minimum is 0.75

[kaituo]

partial review

[kaituo]

partial review

[kaituo]

CI failed due to:

* What went wrong:
Execution failed for task ':jacocoTestCoverageVerification'.
> A failure occurred while executing org.gradle.internal.jacoco.JacocoCoverageAction
   > Rule violated for class org.opensearch.ad.InsightsJobProcessor.CorrelationPayload: lines covered ratio is 0.00, but expected minimum is 0.75
     Rule violated for class org.opensearch.ad.InsightsJobProcessor: branches covered ratio is 0.28, but expected minimum is 0.60
     Rule violated for class org.opensearch.ad.InsightsJobProcessor: lines covered ratio is 0.45, but expected minimum is 0.75
     Rule violated for class org.opensearch.ad.ml.InsightsGenerator: branches covered ratio is 0.00, but expected minimum is 0.60
     Rule violated for class org.opensearch.ad.ml.InsightsGenerator: lines covered ratio is 0.00, but expected minimum is 0.75
     Rule violated for class org.opensearch.ad.indices.ADIndexManagement: branches covered ratio is 0.33, but expected minimum is 0.60
     Rule violated for class org.opensearch.ad.indices.ADIndexManagement: lines covered ratio is 0.67, but expected minimum is 0.75

[codecov]

Codecov Report

❌ Patch coverage is 74.10636% with 297 lines in your changes missing coverage. Please review.
✅ Project coverage is 80.96%. Comparing base (514d9e7) to head (b380dc1).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
...n/java/org/opensearch/ad/InsightsJobProcessor.java	75.90%	87 Missing and 33 partials ⚠️
...arch/ad/rest/handler/InsightsJobActionHandler.java	49.31%	102 Missing and 9 partials ⚠️
...n/java/org/opensearch/ad/ml/InsightsGenerator.java	82.92%	6 Missing and 15 partials ⚠️
...opensearch/timeseries/indices/IndexManagement.java	61.76%	10 Missing and 3 partials ⚠️
...a/org/opensearch/ad/indices/ADIndexManagement.java	77.08%	9 Missing and 2 partials ⚠️
.../org/opensearch/ad/rest/RestInsightsJobAction.java	77.77%	3 Missing and 5 partials ⚠️
...earch/timeseries/transport/InsightsJobRequest.java	78.12%	4 Missing and 3 partials ⚠️
...earch/ad/transport/InsightsJobTransportAction.java	80.95%	3 Missing and 1 partial ⚠️
...g/opensearch/ad/transport/InsightsJobResponse.java	97.89%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##               main    #1610      +/-   ##
============================================
- Coverage     81.24%   80.96%   -0.28%     
- Complexity     6231     6424     +193     
============================================
  Files           544      554      +10     
  Lines         25323    26447    +1124     
  Branches       2621     2716      +95     
============================================
+ Hits          20573    21414     +841     
- Misses         3436     3650     +214     
- Partials       1314     1383      +69     

Flag	Coverage Δ
plugin	80.96% <74.10%> (-0.28%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
.../java/org/opensearch/ad/constant/ADCommonName.java	0.00% <ø> (ø)
...c/main/java/org/opensearch/ad/indices/ADIndex.java	100.00% <100.00%> (ø)
...g/opensearch/ad/model/AnomalyCorrelationInput.java	100.00% <100.00%> (ø)
...java/org/opensearch/ad/model/DetectorMetadata.java	100.00% <100.00%> (ø)
...pensearch/ad/settings/AnomalyDetectorSettings.java	100.00% <100.00%> (ø)
...org/opensearch/ad/transport/InsightsJobAction.java	100.00% <100.00%> (ø)
...main/java/org/opensearch/timeseries/JobRunner.java	81.81% <100.00%> (+13.39%)	⬆️
...ensearch/timeseries/TimeSeriesAnalyticsPlugin.java	99.11% <100.00%> (+0.03%)	⬆️
...timeseries/rest/handler/IndexJobActionHandler.java	89.27% <ø> (ø)
...g/opensearch/timeseries/util/RestHandlerUtils.java	67.46% <ø> (ø)
... and 9 more

... and 14 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[kaituo]

This comment is not addressed

[kaituo]

Reviewed a few lines and got similar questions.

[kaituo]

If a user has no permission to create index, it is a security leak to create these user index.

[jackiehanyang]

changed to use pluginClient because of seeing this error in security test:

SecureADRestIT > testInsightsApisUseSystemContextForJobIndex FAILED
    org.opensearch.client.ResponseException: method [POST], host [https://127.0.0.1:38067], URI [/_plugins/_anomaly_detection/insights/_start], status line [HTTP/2.0 403 Forbidden]
    {"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [indices:admin/create, indices:admin/aliases] and associated roles []"}],"type":"security_exception","reason":"no permissions for [indices:admin/create, indices:admin/aliases] and associated roles []"},"status":403}

The failure error is 403 no permissions for [indices:admin/create, indices:admin/aliases] and associated roles [], happening during job index creation when running as Alice inside of InsightsJobActionHandler. The handler is stashing thread context before initJobIndex(), the roles[] indicates somewhere we're running the index create call without the authenticated user and without any injected roles, so the security plugin treats it as "no roles", and denies indices:admin/cream/aliases. After investigating and exploring the repo, made the following changes:

• stop injecting roles for insights result index creation
  • init insights-results index is triggered from the REST start call (insights/_start), so it runs on a thread where the security plugin has already set the real authenticated user context. In that situation we should not inject the job user, because we'd be overwriting a correct, already authenticated context, and risk injecting roles=[].
  • but when search/write insights-results during job execution, that happens in the backend job thread, where there is no REST user context. There we do need job user injection (we already inject queryCustomResultIndex with InjectSecurity and writeInsightsToIndex with InjectSecurity)
• use pluginClient for job index operations, especially the create job index step which needs indices:admin/create + indices:admin/aliases.
  • stash context only clears the thread context security headers (user/roles), so the request doesn't accidentally run as the caller.
  • localClient + stashed context, the request runs with no user/roles in headers. Under Security, that often becomes "anonymous/no backend roles", so system index reads can still be denied (the error we saw: associated roles[])
  • pluginClient + stashed context, the request is executed as the plugin's system subject, gives it the ability to access system indices under security.

why we still stash context when using pluginClient?

even when using pluginClient, stashing is a safety measure to ensure no caller context leaks into the request, prevents accidental authZ behavior. The privilege comes from which client executes the request, not from stashing.

why we use localClient + stashContext at other places in this repo and it still works

• A lot of stashed context calls are for cluster/state/metadata/monitoring style actions, or for indices that are not treated as protected system indices in that scenario. They're not actually doing system index access
• They stash context, but later explicitly run as a user. Seeing example pattern in transport actions: stash early to avoid leaking caller context, then later restore or inject user/roles when doing customer-owned index operations. So it’s not “stashed-only” end-to-end.

why Insights needed pluginClient even with stashContext

For system indices, "no user" is not the same as system. pluginClient is different because it executes under the plugin's system subject. stashContext() is a safety mechanism (avoid leaking caller), but pluginClient is an authorization mechanism (run as system subject).

[jackiehanyang]

pasting full stack trace of the failed security test before:

SecureADRestIT > testInsightsApisUseSystemContextForJobIndex FAILED
    org.opensearch.client.ResponseException: method [POST], host [https://127.0.0.1:41231/], URI [/_plugins/_anomaly_detection/insights/_start], status line [HTTP/2.0 403 Forbidden]
    {"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [indices:admin/create, indices:admin/aliases] and associated roles []"}],"type":"security_exception","reason":"no permissions for [indices:admin/create, indices:admin/aliases] and associated roles []"},"status":403}
        at __randomizedtesting.SeedInfo.seed([ACF4EF0F436E5C7E:D7004542BB6F5CF4]:0)
        at app//org.opensearch.client.RestClient.convertResponse(RestClient.java:494)
        at app//org.opensearch.client.RestClient.performRequest(RestClient.java:383)
        at app//org.opensearch.client.RestClient.performRequest(RestClient.java:358)
        at app//org.opensearch.timeseries.TestHelpers.makeRequest(TestHelpers.java:236)
        at app//org.opensearch.timeseries.TestHelpers.makeRequest(TestHelpers.java:209)
        at app//org.opensearch.timeseries.TestHelpers.makeRequest(TestHelpers.java:198)
        at app//org.opensearch.ad.rest.SecureADRestIT.testInsightsApisUseSystemContextForJobIndex(SecureADRestIT.java:1173)


Suite: Test class org.opensearch.ad.rest.SecureADRestIT
  1> [2026-01-30T01:07:11,309][INFO ][o.o.a.r.SecureADRestIT   ] [testValidateAnomalyDetector] before test
  1> [2026-01-30T01:07:11,310][INFO ][o.o.a.r.SecureADRestIT   ] [testValidateAnomalyDetector] initializing REST clients against [https://[::1]:39561, https://127.0.0.1:41231]/
  1> [2026-01-30T01:07:32,886][WARN ][o.o.c.RestClient         ] [testValidateAnomalyDetector]COMMONS-LOGGING request [PUT https://127.0.0.1:41231/_cluster/settings] returned 1 warnings: [299 OpenSearch-3.5.0-SNAPSHOT-2f29662a6de42208fded173a5ac78c0d486f8b0a "[opendistro.anomaly_detection.filter_by_backend_roles] setting was deprecated in OpenSearch and will be removed in a future release! See the breaking changes documentation for the next major version."]
  1> [2026-01-30T01:08:03,824][INFO ][o.o.a.r.SecureADRestIT   ] [testValidateAnomalyDetector] after test
  1> [2026-01-30T01:08:03,827][INFO ][o.o.a.r.SecureADRestIT   ] [testGetDetector] before test
  1> [2026-01-30T01:08:42,945][INFO ][o.o.a.r.SecureADRestIT   ] [testGetDetector] after test
  1> [2026-01-30T01:08:42,951][INFO ][o.o.a.r.SecureADRestIT   ] [testStartAndStopDetector] before test
  1> [2026-01-30T01:09:29,540][INFO ][o.o.a.r.SecureADRestIT   ] [testStartAndStopDetector] after test
  2> REPRODUCE WITH: ./gradlew ':integTest' --tests 'org.opensearch.ad.rest.SecureADRestIT.testInsightsApisUseSystemContextForJobIndex' -Dtests.seed=ACF4EF0F436E5C7E -Dtests.security.manager=false -Dtests.jvm.argline="-XX:TieredStopAtLevel=1 -XX:ReservedCodeCacheSize=64m" -Dtests.locale=so -Dtests.timezone=Arctic/Longyearbyen -Druntime.java=21
  2> org.opensearch.client.ResponseException: method [POST], host [https://127.0.0.1:41231/], URI [/_plugins/_anomaly_detection/insights/_start], status line [HTTP/2.0 403 Forbidden]
    {"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [indices:admin/create, indices:admin/aliases] and associated roles []"}],"type":"security_exception","reason":"no permissions for [indices:admin/create, indices:admin/aliases] and associated roles []"},"status":403}
        at __randomizedtesting.SeedInfo.seed([ACF4EF0F436E5C7E:D7004542BB6F5CF4]:0)
        at app//org.opensearch.client.RestClient.convertResponse(RestClient.java:494)
        at app//org.opensearch.client.RestClient.performRequest(RestClient.java:383)
        at app//org.opensearch.client.RestClient.performRequest(RestClient.java:358)
        at app//org.opensearch.timeseries.TestHelpers.makeRequest(TestHelpers.java:236)
        at app//org.opensearch.timeseries.TestHelpers.makeRequest(TestHelpers.java:209)
        at app//org.opensearch.timeseries.TestHelpers.makeRequest(TestHelpers.java:198)
        at app//org.opensearch.ad.rest.SecureADRestIT.testInsightsApisUseSystemContextForJobIndex(SecureADRestIT.java:1173)
  1> [2026-01-30T01:09:29,543][INFO ][o.o.a.r.SecureADRestIT   ] [testSearchDetector] before test
  1> [2026-01-30T01:10:08,778][INFO ][o.o.a.r.SecureADRestIT   ] [testSearchDetector] after test
  1> [2026-01-30T01:10:08,781][INFO ][o.o.a.r.SecureADRestIT   ] [testInsightsApisUseSystemContextForJobIndex] before test
  1> [2026-01-30T01:10:46,507][INFO ][o.o.a.r.SecureADRestIT   ] [testInsightsApisUseSystemContextForJobIndex] after test
  1> [2026-01-30T01:10:46,522][INFO ][o.o.a.r.SecureADRestIT   ] [testUpdateDetector] before test
  1> [2026-01-30T01:11:27,504][INFO ][o.o.a.r.SecureADRestIT   ] [testUpdateDetector] after test
  1> [2026-01-30T01:11:27,507][INFO ][o.o.a.r.SecureADRestIT   ] [testDeleteDetector] before test
  1> [2026-01-30T01:12:03,725][INFO ][o.o.a.r.SecureADRestIT   ] [testDeleteDetector] after test
  1> [2026-01-30T01:12:03,730][INFO ][o.o.a.r.SecureADRestIT   ] [testPreviewAnomalyDetector] before test
  1> [2026-01-30T01:12:50,184][INFO ][o.o.a.r.SecureADRestIT   ] [testPreviewAnomalyDetector] after test
  1> [2026-01-30T01:12:50,187][INFO ][o.o.a.r.SecureADRestIT   ] [testCreateAnomalyDetector] before test
  1> [2026-01-30T01:14:04,836][INFO ][o.o.a.r.SecureADRestIT   ] [testCreateAnomalyDetector] after test
  2> NOTE: leaving temporary files on disk at: /__w/anomaly-detection/anomaly-detection/build/testrun/integTest/temp/org.opensearch.ad.rest.SecureADRestIT_ACF4EF0F436E5C7E-001
  2> NOTE: test params are: codec=Asserting(Lucene103): {}, docValues:{}, maxPointsInLeafNode=711, maxMBSortInHeap=6.330024828563959, sim=Asserting(RandomSimilarity(queryNorm=true): {}), locale=so, timezone=Arctic/Longyearbyen
  2> NOTE: Linux 6.11.0-1018-azure amd64/Eclipse Adoptium 21.0.10 (64-bit)/cpus=4,threads=1,free=192305584,total=536870912
  2> NOTE: All tests run in this JVM: [DetectionResultEvalutationIT, HistoricalMissingSingleFeatureIT, MissingMultiFeatureIT, MissingSingleFeatureIT, MixedRealtimeHistoricalIT, PreviewMissingSingleFeatureIT, PreviewRuleIT, RealTimeRuleIT, SimpleRealTimeBatchIT, AnomalyDetectorRestApiIT, DataDependentADRestApiIT, HistoricalAnalysisRestApiIT, SecureADRestIT]

Tests with failures:

131 tests completed, 1 failed, 1 skipped
 - org.opensearch.ad.rest.SecureADRestIT.testInsightsApisUseSystemContextForJobIndex
 - ```