Adds existing feature-flag in conjunction with new feature flage

DarshitChanpura · DarshitChanpura · commit 2d3b0212ac6e · 2025-05-21T14:30:36.000-04:00
Signed-off-by: Darshit Chanpura &lt;dchanp@amazon.com&gt;
diff --git a/plugin/src/main/java/org/opensearch/ml/action/model_group/SearchModelGroupTransportAction.java b/plugin/src/main/java/org/opensearch/ml/action/model_group/SearchModelGroupTransportAction.java
@@ -6,6 +6,7 @@
 package org.opensearch.ml.action.model_group;
 
 import static org.opensearch.ml.action.handler.MLSearchHandler.wrapRestActionListener;
+import static org.opensearch.ml.common.settings.MLCommonsSettings.ML_COMMONS_MODEL_ACCESS_CONTROL_ENABLED;
 import static org.opensearch.ml.utils.RestActionUtils.wrapListenerToHandleSearchIndexNotFound;
 import static org.opensearch.security.spi.resources.FeatureConfigConstants.OPENSEARCH_RESOURCE_SHARING_ENABLED;
 import static org.opensearch.security.spi.resources.FeatureConfigConstants.OPENSEARCH_RESOURCE_SHARING_ENABLED_DEFAULT;
@@ -82,8 +83,8 @@ private void preProcessRoleAndPerformSearch(
         User user,
         ActionListener<SearchResponse> listener
     ) {
-        boolean isResourceSharingFeatureEnabled = this.settings
-            .getAsBoolean(OPENSEARCH_RESOURCE_SHARING_ENABLED, OPENSEARCH_RESOURCE_SHARING_ENABLED_DEFAULT);
+        boolean isResourceSharingFeatureEnabled = ML_COMMONS_MODEL_ACCESS_CONTROL_ENABLED.get(settings)
+            && this.settings.getAsBoolean(OPENSEARCH_RESOURCE_SHARING_ENABLED, OPENSEARCH_RESOURCE_SHARING_ENABLED_DEFAULT);
         try (ThreadContext.StoredContext context = client.threadPool().getThreadContext().stashContext()) {
             ActionListener<SearchResponse> wrappedListener = ActionListener.runBefore(listener, context::restore);
 
diff --git a/plugin/src/main/java/org/opensearch/ml/action/model_group/TransportUpdateModelGroupAction.java b/plugin/src/main/java/org/opensearch/ml/action/model_group/TransportUpdateModelGroupAction.java
@@ -8,6 +8,7 @@
 import static org.opensearch.common.xcontent.json.JsonXContent.jsonXContent;
 import static org.opensearch.core.xcontent.XContentParserUtils.ensureExpectedToken;
 import static org.opensearch.ml.common.CommonValue.ML_MODEL_GROUP_INDEX;
+import static org.opensearch.ml.common.settings.MLCommonsSettings.ML_COMMONS_MODEL_ACCESS_CONTROL_ENABLED;
 import static org.opensearch.ml.utils.MLExceptionUtils.logException;
 import static org.opensearch.security.spi.resources.FeatureConfigConstants.OPENSEARCH_RESOURCE_SHARING_ENABLED;
 import static org.opensearch.security.spi.resources.FeatureConfigConstants.OPENSEARCH_RESOURCE_SHARING_ENABLED_DEFAULT;
@@ -115,8 +116,8 @@ protected void doExecute(Task task, ActionRequest request, ActionListener<MLUpda
             return;
         }
         User user = RestActionUtils.getUserContext(client);
-        boolean isResourceSharingFeatureEnabled = this.settings
-            .getAsBoolean(OPENSEARCH_RESOURCE_SHARING_ENABLED, OPENSEARCH_RESOURCE_SHARING_ENABLED_DEFAULT);
+        boolean isResourceSharingFeatureEnabled = ML_COMMONS_MODEL_ACCESS_CONTROL_ENABLED.get(settings)
+            && this.settings.getAsBoolean(OPENSEARCH_RESOURCE_SHARING_ENABLED, OPENSEARCH_RESOURCE_SHARING_ENABLED_DEFAULT);
         FetchSourceContext fetchSourceContext = new FetchSourceContext(true, Strings.EMPTY_ARRAY, Strings.EMPTY_ARRAY);
         GetDataObjectRequest getDataObjectRequest = GetDataObjectRequest
             .builder()
@@ -162,7 +163,7 @@ protected void doExecute(Task task, ActionRequest request, ActionListener<MLUpda
                                             .getInstance()
                                             .getResourceSharingClient();
                                         resourceSharingClient
-                                            .verifyResourceAccess(modelGroupId, ML_MODEL_GROUP_INDEX, ActionListener.wrap(isAuthorized -> {
+                                            .verifyAccess(modelGroupId, ML_MODEL_GROUP_INDEX, ActionListener.wrap(isAuthorized -> {
                                                 if (!isAuthorized) {
                                                     listener
                                                         .onFailure(
diff --git a/plugin/src/main/java/org/opensearch/ml/helper/ModelAccessControlHelper.java b/plugin/src/main/java/org/opensearch/ml/helper/ModelAccessControlHelper.java
@@ -90,6 +90,11 @@ public ModelAccessControlHelper(ClusterService clusterService, Settings settings
             RangeQueryBuilder.class
         );
 
+    private boolean isResourceSharingFeatureEnabled(Settings settings) {
+        return isModelAccessControlEnabled()
+            && settings.getAsBoolean(OPENSEARCH_RESOURCE_SHARING_ENABLED, OPENSEARCH_RESOURCE_SHARING_ENABLED_DEFAULT);
+    }
+
     // TODO Eventually remove this when all usages of it have been migrated to the SdkClient version
     public void validateModelGroupAccess(
         User user,
@@ -102,11 +107,10 @@ public void validateModelGroupAccess(
             listener.onResponse(true);
             return;
         }
-        boolean isResourceSharingFeatureEnabled = settings
-            .getAsBoolean(OPENSEARCH_RESOURCE_SHARING_ENABLED, OPENSEARCH_RESOURCE_SHARING_ENABLED_DEFAULT);
+        boolean isResourceSharingFeatureEnabled = isResourceSharingFeatureEnabled(settings);
         if (isResourceSharingFeatureEnabled) {
             ResourceSharingClient resourceSharingClient = ResourceSharingClientAccessor.getInstance().getResourceSharingClient();
-            resourceSharingClient.verifyResourceAccess(modelGroupId, ML_MODEL_GROUP_INDEX, ActionListener.wrap(isAuthorized -> {
+            resourceSharingClient.verifyAccess(modelGroupId, ML_MODEL_GROUP_INDEX, ActionListener.wrap(isAuthorized -> {
                 if (!isAuthorized) {
                     listener
                         .onFailure(
@@ -174,11 +178,10 @@ public void validateModelGroupAccess(
             listener.onResponse(true);
             return;
         }
-        boolean isResourceSharingFeatureEnabled = settings
-            .getAsBoolean(OPENSEARCH_RESOURCE_SHARING_ENABLED, OPENSEARCH_RESOURCE_SHARING_ENABLED_DEFAULT);
+        boolean isResourceSharingFeatureEnabled = isResourceSharingFeatureEnabled(settings);
         if (isResourceSharingFeatureEnabled) {
             ResourceSharingClient resourceSharingClient = ResourceSharingClientAccessor.getInstance().getResourceSharingClient();
-            resourceSharingClient.verifyResourceAccess(modelGroupId, ML_MODEL_GROUP_INDEX, ActionListener.wrap(isAuthorized -> {
+            resourceSharingClient.verifyAccess(modelGroupId, ML_MODEL_GROUP_INDEX, ActionListener.wrap(isAuthorized -> {
                 if (!isAuthorized) {
                     listener
                         .onFailure(
@@ -371,8 +374,7 @@ public SearchSourceBuilder addUserBackendRolesFilter(User user, SearchSourceBuil
     }
 
     public SearchSourceBuilder createSearchSourceBuilder(User user, Settings settings) {
-        boolean isResourceSharingFeatureEnabled = settings
-            .getAsBoolean(OPENSEARCH_RESOURCE_SHARING_ENABLED, OPENSEARCH_RESOURCE_SHARING_ENABLED_DEFAULT);
+        boolean isResourceSharingFeatureEnabled = isResourceSharingFeatureEnabled(settings);
         // TODO: Remove this feature flag check once feature is GA, as it will be enabled by default
         if (isResourceSharingFeatureEnabled) {
             return addAccessibleModelGroupsFilter(new SearchSourceBuilder());
diff --git a/plugin/src/main/java/org/opensearch/ml/model/MLModelGroupManager.java b/plugin/src/main/java/org/opensearch/ml/model/MLModelGroupManager.java
@@ -7,8 +7,10 @@
 
 import static org.opensearch.common.xcontent.json.JsonXContent.jsonXContent;
 import static org.opensearch.ml.common.CommonValue.ML_MODEL_GROUP_INDEX;
+import static org.opensearch.ml.common.settings.MLCommonsSettings.ML_COMMONS_MODEL_ACCESS_CONTROL_ENABLED;
 import static org.opensearch.security.spi.resources.FeatureConfigConstants.OPENSEARCH_RESOURCE_SHARING_ENABLED;
 import static org.opensearch.security.spi.resources.FeatureConfigConstants.OPENSEARCH_RESOURCE_SHARING_ENABLED_DEFAULT;
+import static org.opensearch.security.spi.resources.ResourceAccessLevels.PLACE_HOLDER;
 
 import java.time.Instant;
 import java.util.HashSet;
@@ -57,7 +59,8 @@
 import org.opensearch.search.builder.SearchSourceBuilder;
 import org.opensearch.security.spi.resources.client.ResourceSharingClient;
 import org.opensearch.security.spi.resources.sharing.Recipient;
-import org.opensearch.security.spi.resources.sharing.SharedWithActionGroup;
+import org.opensearch.security.spi.resources.sharing.Recipients;
+import org.opensearch.security.spi.resources.sharing.ShareWith;
 import org.opensearch.transport.client.Client;
 
 import lombok.extern.log4j.Log4j2;
@@ -98,8 +101,8 @@ public void createModelGroup(MLRegisterModelGroupInput input, ActionListener<Str
             User user = RestActionUtils.getUserContext(client);
             // Create a recipient sharing list
             AtomicReference<Map<Recipient, Set<String>>> recipientMap = new AtomicReference<>();
-            boolean isResourceSharingFeatureEnabled = this.settings
-                .getAsBoolean(OPENSEARCH_RESOURCE_SHARING_ENABLED, OPENSEARCH_RESOURCE_SHARING_ENABLED_DEFAULT);
+            boolean isResourceSharingFeatureEnabled = ML_COMMONS_MODEL_ACCESS_CONTROL_ENABLED.get(settings)
+                && this.settings.getAsBoolean(OPENSEARCH_RESOURCE_SHARING_ENABLED, OPENSEARCH_RESOURCE_SHARING_ENABLED_DEFAULT);
 
             try (ThreadContext.StoredContext context = client.threadPool().getThreadContext().stashContext()) {
                 ActionListener<String> wrappedListener = ActionListener.runBefore(listener, context::restore);
@@ -191,8 +194,9 @@ public void createModelGroup(MLRegisterModelGroupInput input, ActionListener<Str
                                                 // Create an entry in resource-sharing index
                                                 String modelGroupId = indexResponse.getId();
                                                 String modelGroupIndex = indexResponse.getIndex();
-                                                SharedWithActionGroup.ActionGroupRecipients recipients =
-                                                    new SharedWithActionGroup.ActionGroupRecipients(recipientMap.get());
+                                                ShareWith shareWith = new ShareWith(
+                                                    Map.of(PLACE_HOLDER, new Recipients(recipientMap.get()))
+                                                );
 
                                                 ResourceSharingClient resourceSharingClient = ResourceSharingClientAccessor
                                                     .getInstance()
@@ -202,7 +206,7 @@ public void createModelGroup(MLRegisterModelGroupInput input, ActionListener<Str
                                                     .share(
                                                         modelGroupId,
                                                         modelGroupIndex,
-                                                        recipients,
+                                                        shareWith,
                                                         ActionListener.wrap(resourceSharing -> {
                                                             log
                                                                 .debug(
