Onboards to centralized resource access control mechanism for ml-model-group #3715
+793
−348
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…l-group Signed-off-by: Darshit Chanpura <[email protected]>
|
Apply spotless: |
Signed-off-by: Darshit Chanpura <[email protected]>
DarshitChanpura
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Failure
DarshitChanpura
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Error
DarshitChanpura
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Error
DarshitChanpura
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Failure
Signed-off-by: Darshit Chanpura <[email protected]>
DarshitChanpura
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Failure
DarshitChanpura
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Failure
DarshitChanpura
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Failure
DarshitChanpura
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Error
Signed-off-by: Darshit Chanpura <[email protected]>
DarshitChanpura
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Failure
DarshitChanpura
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Error
DarshitChanpura
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Failure
DarshitChanpura
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Failure
Signed-off-by: Darshit Chanpura <[email protected]>
DarshitChanpura
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Error
DarshitChanpura
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Failure
DarshitChanpura
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Failure
DarshitChanpura
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Error
|
Integ tests are failing. |
DarshitChanpura
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Failure
DarshitChanpura
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Error
DarshitChanpura
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Error
DarshitChanpura
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Failure
DarshitChanpura
force-pushed
the
intro-resource-permissions
branch
from
bd13cc6 to
b5f7efe
Compare
DarshitChanpura
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Failure
DarshitChanpura
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Failure
dhrubo-os
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Error
dhrubo-os
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Failure
dhrubo-os
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Error
dhrubo-os
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Failure
rbhavna
reviewed
May 7, 2025
| .getResourceSharingClient(); | ||
|
|
||
| resourceSharingClient | ||
| .share( |
There was a problem hiding this comment.
Once onboarded and ml access framework is deprecated, what happens to the already existing resources with access controls defined by ml-plugin
There was a problem hiding this comment.
2 things:
- This feature is currently for fresh 3.1 clusters only
2.We have a migration path (APIs) which will implement the migrate API to enable feature usage on existing clusters migrating to 3.1
Once the feature is enabled by default, ml-access framework can be safely deleted.
DarshitChanpura
force-pushed
the
intro-resource-permissions
branch
from
53177d2 to
6906ff0
Compare
DarshitChanpura
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Failure
DarshitChanpura
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Error
DarshitChanpura
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Error
DarshitChanpura
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Failure
DarshitChanpura
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Failure
DarshitChanpura
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Failure
DarshitChanpura
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Error
DarshitChanpura
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Failure
DarshitChanpura
commented
May 21, 2025
| @@ -76,13 +83,19 @@ private void preProcessRoleAndPerformSearch( | |||
| User user, | |||
| ActionListener<SearchResponse> listener | |||
| ) { | |||
| boolean isResourceSharingFeatureEnabled = ML_COMMONS_MODEL_ACCESS_CONTROL_ENABLED.get(settings) | |||
There was a problem hiding this comment.
I've introduced this change to allow enabling feature only if ml's access-control feature flag is enabled. This allows for control of the resource-sharing feature, whether it should be enabled or disabled in ML regardless of whether feature is globally enabled. This will give some sense of familiarity to admins. Same suit is followed in AD plugin as well: https://github.com/opensearch-project/anomaly-detection/pull/1400/files#diff-cf370d40fdd2abc404283fa1e37768646f30ee1b8bfbb0b5c5302fc8a2a080fcR707
Signed-off-by: Darshit Chanpura <[email protected]>
DarshitChanpura
force-pushed
the
intro-resource-permissions
branch
from
3a80806 to
2d3b021
Compare
DarshitChanpura
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Error
DarshitChanpura
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Failure
DarshitChanpura
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Error
DarshitChanpura
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Failure
DarshitChanpura
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Failure
DarshitChanpura
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Error
DarshitChanpura
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Failure
DarshitChanpura
had a problem deploying
to
ml-commons-cicd-env-require-approval
GitHub Actions
Error
rbhavna
reviewed
May 27, 2025
| if (modelGroupId == null | ||
| || (!mlFeatureEnabledSetting.isMultiTenancyEnabled() | ||
| && (isAdmin(user) || !isSecurityEnabledAndModelAccessControlEnabled(user)))) { | ||
| if (modelGroupId == null || (!mlFeatureEnabledSetting.isMultiTenancyEnabled())) { |
There was a problem hiding this comment.
The condition !mlFeatureEnabledSetting.isMultiTenancyEnabled() has to be checked along with the ones removed actually. Please add it to line 199 and remove from here.
|
So with this PR, we are first going to check resource sharing permissions and then check for ml access control permissions? Or is it like if resource sharing is not enabled, only then we check for ml access control? |
rbhavna
reviewed
May 27, 2025
|
|
||
| // share with current user's backend-roles | ||
| // TODO: check if resource should be shared with user's backend roles by default | ||
| recipientMap.set(Map.of(Recipient.BACKEND_ROLES, Set.copyOf(user.getBackendRoles()))); |
There was a problem hiding this comment.
I am little confused here. Why are we taking all backend roles here. What if user had 3 backend and is sharing the resource only with one of his backend roles? In that case, shouldn't we use input.getBackendRoles()? In the create model group request, user can give what backend roles to share with
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Implements resource-access-control for ML-Model-Group.
Feature Proposal: opensearch-project/security#4500
Related Issues
TBD
Check List
--signoff.By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.