Skip to content

Onboards to centralized resource access control mechanism for ml-model-group #3715

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 17 commits into
base: main
Choose a base branch
from
Draft

Onboards to centralized resource access control mechanism for ml-model-group #3715

wants to merge 17 commits into from
+793 −348

Conversation

DarshitChanpura
Copy link
Member

Description

Implements resource-access-control for ML-Model-Group.
Feature Proposal: opensearch-project/security#4500

Related Issues

TBD

Check List

  • New functionality includes testing.
  • New functionality has been documented.
  • API changes companion pull request created.
  • Commits are signed per the DCO using --signoff.
  • Public documentation issue/PR created.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@DarshitChanpura
Onboards to centralized resource access control mechanism for ml-mode…
3029f0f 
…l-group

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
@dhrubo-os
Copy link
Collaborator

Apply spotless: ./gradlew spotlessApply

@DarshitChanpura
Fixes sharing logic
6f8bdd5 
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
@DarshitChanpura DarshitChanpura had a problem deploying to ml-commons-cicd-env-require-approval April 8, 2025 15:57 — with GitHub Actions Failure
@DarshitChanpura DarshitChanpura had a problem deploying to ml-commons-cicd-env-require-approval April 8, 2025 15:57 — with GitHub Actions Error
@DarshitChanpura DarshitChanpura had a problem deploying to ml-commons-cicd-env-require-approval April 8, 2025 15:57 — with GitHub Actions Error
@DarshitChanpura DarshitChanpura had a problem deploying to ml-commons-cicd-env-require-approval April 8, 2025 15:57 — with GitHub Actions Failure
@DarshitChanpura
Consumes feature flag exposed by SPI
0d5ad31 
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
@DarshitChanpura DarshitChanpura had a problem deploying to ml-commons-cicd-env-require-approval April 8, 2025 17:15 — with GitHub Actions Failure
@DarshitChanpura DarshitChanpura had a problem deploying to ml-commons-cicd-env-require-approval April 8, 2025 17:15 — with GitHub Actions Failure
@DarshitChanpura DarshitChanpura had a problem deploying to ml-commons-cicd-env-require-approval April 8, 2025 17:15 — with GitHub Actions Failure
@DarshitChanpura DarshitChanpura had a problem deploying to ml-commons-cicd-env-require-approval April 8, 2025 17:15 — with GitHub Actions Error
@DarshitChanpura
Updates tests and dependency visibility
7c78a54 
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
@DarshitChanpura DarshitChanpura had a problem deploying to ml-commons-cicd-env-require-approval April 10, 2025 21:17 — with GitHub Actions Failure
@DarshitChanpura DarshitChanpura had a problem deploying to ml-commons-cicd-env-require-approval April 10, 2025 21:17 — with GitHub Actions Error
@DarshitChanpura DarshitChanpura had a problem deploying to ml-commons-cicd-env-require-approval April 10, 2025 21:17 — with GitHub Actions Failure
@DarshitChanpura DarshitChanpura had a problem deploying to ml-commons-cicd-env-require-approval April 10, 2025 21:17 — with GitHub Actions Failure
@DarshitChanpura
Fixes implmentation
b5f7efe 
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
@DarshitChanpura DarshitChanpura had a problem deploying to ml-commons-cicd-env-require-approval April 14, 2025 21:27 — with GitHub Actions Error
@DarshitChanpura DarshitChanpura had a problem deploying to ml-commons-cicd-env-require-approval April 14, 2025 21:27 — with GitHub Actions Failure
@DarshitChanpura DarshitChanpura had a problem deploying to ml-commons-cicd-env-require-approval April 14, 2025 21:27 — with GitHub Actions Failure
@DarshitChanpura DarshitChanpura had a problem deploying to ml-commons-cicd-env-require-approval April 14, 2025 21:27 — with GitHub Actions Error
@dhrubo-os
Copy link
Collaborator

Integ tests are failing.

@DarshitChanpura DarshitChanpura had a problem deploying to ml-commons-cicd-env-require-approval April 15, 2025 18:11 — with GitHub Actions Failure
@DarshitChanpura DarshitChanpura had a problem deploying to ml-commons-cicd-env-require-approval April 15, 2025 18:11 — with GitHub Actions Error
@DarshitChanpura DarshitChanpura had a problem deploying to ml-commons-cicd-env-require-approval April 15, 2025 18:11 — with GitHub Actions Error
@DarshitChanpura DarshitChanpura had a problem deploying to ml-commons-cicd-env-require-approval April 15, 2025 18:11 — with GitHub Actions Failure
@DarshitChanpura DarshitChanpura force-pushed the intro-resource-permissions branch from bd13cc6 to b5f7efe Compare April 15, 2025 18:23
@DarshitChanpura DarshitChanpura had a problem deploying to ml-commons-cicd-env-require-approval April 15, 2025 18:24 — with GitHub Actions Failure
@DarshitChanpura DarshitChanpura had a problem deploying to ml-commons-cicd-env-require-approval April 15, 2025 18:24 — with GitHub Actions Failure
@DarshitChanpura DarshitChanpura had a problem deploying to ml-commons-cicd-env-require-approval April 28, 2025 18:09 — with GitHub Actions Error
@DarshitChanpura DarshitChanpura had a problem deploying to ml-commons-cicd-env-require-approval April 28, 2025 18:09 — with GitHub Actions Failure
@DarshitChanpura
Fix compileTestsJava
40c7c81 
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
@DarshitChanpura DarshitChanpura had a problem deploying to ml-commons-cicd-env-require-approval April 29, 2025 01:17 — with GitHub Actions Failure
@DarshitChanpura DarshitChanpura had a problem deploying to ml-commons-cicd-env-require-approval April 29, 2025 01:17 — with GitHub Actions Error
@DarshitChanpura DarshitChanpura had a problem deploying to ml-commons-cicd-env-require-approval April 29, 2025 01:17 — with GitHub Actions Error
@DarshitChanpura DarshitChanpura had a problem deploying to ml-commons-cicd-env-require-approval April 29, 2025 01:17 — with GitHub Actions Failure
rbhavna
rbhavna reviewed May 7, 2025
View reviewed changes
plugin/src/main/java/org/opensearch/ml/action/model_group/TransportUpdateModelGroupAction.java
}
// For backwards compatibility we still allow storing backend_roles data in ml_model_group
// index
updateModelGroup(modelGroupId, r.source(), updateModelGroupInput, wrappedListener, user);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So if user wants to update resource sharing fields through update model group API, how do we allow it?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Users will now have to explicitly "share" the resource. Security has exposed "share" and "revoke" java APIs which can be consumed by ML in their respective handlers to update model group access.

@dhrubo-os dhrubo-os had a problem deploying to ml-commons-cicd-env-require-approval May 7, 2025 19:04 — with GitHub Actions Error
@dhrubo-os dhrubo-os had a problem deploying to ml-commons-cicd-env-require-approval May 7, 2025 19:04 — with GitHub Actions Failure
@dhrubo-os dhrubo-os had a problem deploying to ml-commons-cicd-env-require-approval May 7, 2025 19:04 — with GitHub Actions Error
@dhrubo-os dhrubo-os had a problem deploying to ml-commons-cicd-env-require-approval May 7, 2025 19:04 — with GitHub Actions Failure
rbhavna
rbhavna reviewed May 7, 2025
View reviewed changes
plugin/src/main/java/org/opensearch/ml/model/MLModelGroupManager.java
.getResourceSharingClient();

resourceSharingClient
.share(
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Once onboarded and ml access framework is deprecated, what happens to the already existing resources with access controls defined by ml-plugin

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

2 things:

  1. This feature is currently for fresh 3.1 clusters only
    2.We have a migration path (APIs) which will implement the migrate API to enable feature usage on existing clusters migrating to 3.1

Once the feature is enabled by default, ml-access framework can be safely deleted.

@DarshitChanpura DarshitChanpura force-pushed the intro-resource-permissions branch from 53177d2 to 6906ff0 Compare May 21, 2025 15:20
@DarshitChanpura DarshitChanpura had a problem deploying to ml-commons-cicd-env-require-approval May 21, 2025 15:21 — with GitHub Actions Failure
@DarshitChanpura DarshitChanpura had a problem deploying to ml-commons-cicd-env-require-approval May 21, 2025 15:21 — with GitHub Actions Error
@DarshitChanpura DarshitChanpura had a problem deploying to ml-commons-cicd-env-require-approval May 21, 2025 15:21 — with GitHub Actions Error
@DarshitChanpura DarshitChanpura had a problem deploying to ml-commons-cicd-env-require-approval May 21, 2025 15:21 — with GitHub Actions Failure
@DarshitChanpura DarshitChanpura had a problem deploying to ml-commons-cicd-env-require-approval May 21, 2025 15:43 — with GitHub Actions Failure
@DarshitChanpura DarshitChanpura had a problem deploying to ml-commons-cicd-env-require-approval May 21, 2025 15:43 — with GitHub Actions Failure
@DarshitChanpura DarshitChanpura had a problem deploying to ml-commons-cicd-env-require-approval May 21, 2025 15:43 — with GitHub Actions Error
@DarshitChanpura DarshitChanpura had a problem deploying to ml-commons-cicd-env-require-approval May 21, 2025 15:43 — with GitHub Actions Failure
DarshitChanpura
DarshitChanpura commented May 21, 2025
View reviewed changes
plugin/src/main/java/org/opensearch/ml/action/model_group/SearchModelGroupTransportAction.java
@@ -76,13 +83,19 @@ private void preProcessRoleAndPerformSearch(
User user,
ActionListener<SearchResponse> listener
) {
boolean isResourceSharingFeatureEnabled = ML_COMMONS_MODEL_ACCESS_CONTROL_ENABLED.get(settings)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've introduced this change to allow enabling feature only if ml's access-control feature flag is enabled. This allows for control of the resource-sharing feature, whether it should be enabled or disabled in ML regardless of whether feature is globally enabled. This will give some sense of familiarity to admins. Same suit is followed in AD plugin as well: https://github.com/opensearch-project/anomaly-detection/pull/1400/files#diff-cf370d40fdd2abc404283fa1e37768646f30ee1b8bfbb0b5c5302fc8a2a080fcR707

@DarshitChanpura
Adds existing feature-flag in conjunction with new feature flage
2d3b021 
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
@DarshitChanpura DarshitChanpura force-pushed the intro-resource-permissions branch from 3a80806 to 2d3b021 Compare May 21, 2025 18:31
@DarshitChanpura DarshitChanpura had a problem deploying to ml-commons-cicd-env-require-approval May 21, 2025 18:32 — with GitHub Actions Error
@DarshitChanpura DarshitChanpura had a problem deploying to ml-commons-cicd-env-require-approval May 21, 2025 18:32 — with GitHub Actions Failure
@DarshitChanpura DarshitChanpura had a problem deploying to ml-commons-cicd-env-require-approval May 21, 2025 18:32 — with GitHub Actions Error
@DarshitChanpura DarshitChanpura had a problem deploying to ml-commons-cicd-env-require-approval May 21, 2025 18:32 — with GitHub Actions Failure
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rbhavna rbhavna rbhavna left review comments

@b4sjoo b4sjoo Awaiting requested review from b4sjoo b4sjoo will be requested when the pull request is marked ready for review b4sjoo is a code owner

@dhrubo-os dhrubo-os Awaiting requested review from dhrubo-os dhrubo-os will be requested when the pull request is marked ready for review dhrubo-os is a code owner

@mingshl mingshl Awaiting requested review from mingshl mingshl will be requested when the pull request is marked ready for review mingshl is a code owner

@jngz-es jngz-es Awaiting requested review from jngz-es jngz-es will be requested when the pull request is marked ready for review jngz-es is a code owner

@model-collapse model-collapse Awaiting requested review from model-collapse model-collapse will be requested when the pull request is marked ready for review model-collapse is a code owner

@ylwu-amzn ylwu-amzn Awaiting requested review from ylwu-amzn ylwu-amzn will be requested when the pull request is marked ready for review ylwu-amzn is a code owner

@zane-neo zane-neo Awaiting requested review from zane-neo zane-neo will be requested when the pull request is marked ready for review zane-neo is a code owner

@Zhangxunmt Zhangxunmt Awaiting requested review from Zhangxunmt Zhangxunmt will be requested when the pull request is marked ready for review Zhangxunmt is a code owner

@austintlee austintlee Awaiting requested review from austintlee austintlee will be requested when the pull request is marked ready for review austintlee is a code owner

@HenryL27 HenryL27 Awaiting requested review from HenryL27 HenryL27 will be requested when the pull request is marked ready for review HenryL27 is a code owner

@xinyual xinyual Awaiting requested review from xinyual xinyual will be requested when the pull request is marked ready for review xinyual is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@DarshitChanpura @dhrubo-os @rbhavna