Onboards to centralized resource access control mechanism for ml-model-group (opensearch-project#3715)

* Onboards to centralized resource access control mechanism for ml-model-group

Signed-off-by: Darshit Chanpura <[email protected]>

* Fixes sharing logic

Signed-off-by: Darshit Chanpura <[email protected]>

* Consumes feature flag exposed by SPI

Signed-off-by: Darshit Chanpura <[email protected]>

* Updates tests and dependency visibility

Signed-off-by: Darshit Chanpura <[email protected]>

* Fixes implmentation

Signed-off-by: Darshit Chanpura <[email protected]>

* Conforms to SPI changes

Signed-off-by: Darshit Chanpura <[email protected]>

* Conforms to SPI changes in security plugin

Signed-off-by: Darshit Chanpura <[email protected]>

* Reflects changes in SPI

Signed-off-by: Darshit Chanpura <[email protected]>

* Refactors to use centralized method in ModelAccessControlHelper

Signed-off-by: Darshit Chanpura <[email protected]>

* Corrects search handler to match against accessible model_group_ids

Signed-off-by: Darshit Chanpura <[email protected]>

* Fixes spotless

Signed-off-by: Darshit Chanpura <[email protected]>

* Fix missed reference

Signed-off-by: Darshit Chanpura <[email protected]>

* Fix compilation errors

Signed-off-by: Darshit Chanpura <[email protected]>

* Fix compileTestsJava

Signed-off-by: Darshit Chanpura <[email protected]>

* Adds existing feature-flag in conjunction with new feature flage

Signed-off-by: Darshit Chanpura <[email protected]>

* Fixes if condition

Signed-off-by: Darshit Chanpura <[email protected]>

* Updates default creation and update logic to support existing scenarios

Signed-off-by: Darshit Chanpura <[email protected]>

* Removes left over comment

Signed-off-by: Darshit Chanpura <[email protected]>

* Refactors to conform to standalone authz framework supplied by security plugin

Signed-off-by: Darshit Chanpura <[email protected]>

* Update model-group related requests to be doc requests

Signed-off-by: Darshit Chanpura <[email protected]>

* Refactors verifyAccess to pass action names

Signed-off-by: Darshit Chanpura <[email protected]>

* Re-add resource sharing client accessor

Signed-off-by: Darshit Chanpura <[email protected]>

* Refactors how resource-sharing client is accessed

Signed-off-by: Darshit Chanpura <[email protected]>

* Code cleanup

Signed-off-by: Darshit Chanpura <[email protected]>

* Code cleanup 2

Signed-off-by: Darshit Chanpura <[email protected]>

* Code cleanup 3

Signed-off-by: Darshit Chanpura <[email protected]>

* Fix test compilation error

Signed-off-by: Darshit Chanpura <[email protected]>

* Fix filter for model-groups on search request

Signed-off-by: Darshit Chanpura <[email protected]>

* Fix most of the tests

Signed-off-by: Darshit Chanpura <[email protected]>

* Fix search model transport action and tests

Signed-off-by: Darshit Chanpura <[email protected]>

* Fix test failure by passing correct listener

Signed-off-by: Darshit Chanpura <[email protected]>

* Refactors SearchModelGroupTransportActionTests to include new path and adds test for resource sharing extension

Signed-off-by: Darshit Chanpura <[email protected]>

* Fix spotless

Signed-off-by: Darshit Chanpura <[email protected]>

* Fix incorrect eval logic to check whether ml group index is present when search models

Signed-off-by: Darshit Chanpura <[email protected]>

* Adapts changes to make ResourceExtension consumed via @Inject

Signed-off-by: Darshit Chanpura <[email protected]>

* Fix UTs broken due to opensearch-project/common-utils#827

Signed-off-by: Darshit Chanpura <[email protected]>

* Reverts "Adapts changes to make ResourceExtension consumed via @Inject" 8611f25 and adds setup for sec testing

Signed-off-by: Darshit Chanpura <[email protected]>

* Fixes extension over-ridden method

Signed-off-by: Darshit Chanpura <[email protected]>

* Fixes remaining broken UTs due to user object change

Signed-off-by: Darshit Chanpura <[email protected]>

* Adds plugin client, related permissions and resource-action-groups file

Signed-off-by: Darshit Chanpura <[email protected]>

* Updates resource-type and removes plugin client since it is not being used

Signed-off-by: Darshit Chanpura <[email protected]>

* Updates config schema to handle all_shared_principals to be used in search

Signed-off-by: Darshit Chanpura <[email protected]>

* Fix CI

Signed-off-by: Darshit Chanpura <[email protected]>

* Fix unit test

Signed-off-by: Darshit Chanpura <[email protected]>

* Updates API response message and adds method doc

Signed-off-by: Darshit Chanpura <[email protected]>

* Updates resource-action-groups and search handler sequence

Signed-off-by: Darshit Chanpura <[email protected]>

* Updates model search handler flow

Signed-off-by: Darshit Chanpura <[email protected]>

* Fixes method call broken during latest merge from main

Signed-off-by: Darshit Chanpura <[email protected]>

* Cleans up search

Signed-off-by: Darshit Chanpura <[email protected]>

* Reorders rsc client preference

Signed-off-by: Darshit Chanpura <[email protected]>

* Handles hidden models in predict action

Signed-off-by: Darshit Chanpura <[email protected]>

* Adds types to DocRequest

Signed-off-by: Darshit Chanpura <[email protected]>

* Fix prediction action error handling to pass safe modelId

Signed-off-by: Darshit Chanpura <[email protected]>

* Boost MLSearchHandler test coverage

Signed-off-by: Darshit Chanpura <[email protected]>

---------

Signed-off-by: Darshit Chanpura <[email protected]>
Co-authored-by: Dhrubo Saha <[email protected]>

Author: DarshitChanpura

common/build.gradle

@@ -22,6 +22,8 @@ dependencies {
     testImplementation group: 'org.mockito', name: 'mockito-core', version: '5.15.2'
     testImplementation "org.opensearch.test:framework:${opensearch_version}"
 
+    compileOnly group: 'org.opensearch', name:'opensearch-security-spi', version:"${opensearch_build}"
+
     compileOnly group: 'org.apache.commons', name: 'commons-text', version: '1.10.0'
     compileOnly group: 'com.google.code.gson', name: 'gson', version: "${versions.gson}"
     compileOnly group: 'org.json', name: 'json', version: '20231013'

common/src/main/java/org/opensearch/ml/common/CommonValue.java

@@ -79,6 +79,9 @@ public class CommonValue {
     public static final String ML_INDEX_INSIGHT_CONFIG_INDEX_MAPPING_PATH = "index-mappings/ml_index_insight_config.json";
     public static final String ML_INDEX_INSIGHT_STORAGE_INDEX_MAPPING_PATH = "index-mappings/ml_index_insight_storage.json";
 
+    // Resource type used in resource-access-control
+    public static final String ML_MODEL_GROUP_RESOURCE_TYPE = "ml-model-group";
+
     // Calculate Versions independently of OpenSearch core version
     public static final Version VERSION_2_11_0 = Version.fromString("2.11.0");
     public static final Version VERSION_2_12_0 = Version.fromString("2.12.0");

common/src/main/java/org/opensearch/ml/common/ResourceSharingClientAccessor.java

@@ -0,0 +1,42 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package org.opensearch.ml.common;
+
+import org.opensearch.security.spi.resources.client.ResourceSharingClient;
+
+/**
+ * Accessor for resource sharing client
+ */
+public class ResourceSharingClientAccessor {
+    private ResourceSharingClient CLIENT;
+
+    private static ResourceSharingClientAccessor resourceSharingClientAccessor;
+
+    private ResourceSharingClientAccessor() {}
+
+    public static ResourceSharingClientAccessor getInstance() {
+        if (resourceSharingClientAccessor == null) {
+            resourceSharingClientAccessor = new ResourceSharingClientAccessor();
+        }
+
+        return resourceSharingClientAccessor;
+    }
+
+    /**
+     * Set the resource sharing client
+     */
+    public void setResourceSharingClient(ResourceSharingClient client) {
+        resourceSharingClientAccessor.CLIENT = client;
+    }
+
+    /**
+     * Get the resource sharing client
+     */
+    public ResourceSharingClient getResourceSharingClient() {
+        return resourceSharingClientAccessor.CLIENT;
+    }
+
+}

common/src/main/java/org/opensearch/ml/common/transport/model_group/MLModelGroupDeleteRequest.java

@@ -6,6 +6,8 @@
 package org.opensearch.ml.common.transport.model_group;
 
 import static org.opensearch.action.ValidateActions.addValidationError;
+import static org.opensearch.ml.common.CommonValue.ML_MODEL_GROUP_INDEX;
+import static org.opensearch.ml.common.CommonValue.ML_MODEL_GROUP_RESOURCE_TYPE;
 import static org.opensearch.ml.common.CommonValue.VERSION_2_19_0;
 
 import java.io.ByteArrayInputStream;
@@ -16,6 +18,7 @@
 import org.opensearch.Version;
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.ActionRequestValidationException;
+import org.opensearch.action.DocRequest;
 import org.opensearch.core.common.io.stream.InputStreamStreamInput;
 import org.opensearch.core.common.io.stream.OutputStreamStreamOutput;
 import org.opensearch.core.common.io.stream.StreamInput;
@@ -24,7 +27,7 @@
 import lombok.Builder;
 import lombok.Getter;
 
-public class MLModelGroupDeleteRequest extends ActionRequest {
+public class MLModelGroupDeleteRequest extends ActionRequest implements DocRequest {
     @Getter
     String modelGroupId;
     @Getter
@@ -78,4 +81,29 @@ public static MLModelGroupDeleteRequest fromActionRequest(ActionRequest actionRe
             throw new UncheckedIOException("failed to parse ActionRequest into MLModelGroupDeleteRequest", e);
         }
     }
+
+    @Override
+    public String type() {
+        return ML_MODEL_GROUP_RESOURCE_TYPE;
+    }
+
+    /**
+     * Get the index that this request operates on
+     *
+     * @return the index
+     */
+    @Override
+    public String index() {
+        return ML_MODEL_GROUP_INDEX;
+    }
+
+    /**
+     * Get the id of the document for this request
+     *
+     * @return the id
+     */
+    @Override
+    public String id() {
+        return modelGroupId;
+    }
 }

common/src/main/java/org/opensearch/ml/common/transport/model_group/MLModelGroupGetRequest.java

@@ -6,6 +6,8 @@
 package org.opensearch.ml.common.transport.model_group;
 
 import static org.opensearch.action.ValidateActions.addValidationError;
+import static org.opensearch.ml.common.CommonValue.ML_MODEL_GROUP_INDEX;
+import static org.opensearch.ml.common.CommonValue.ML_MODEL_GROUP_RESOURCE_TYPE;
 import static org.opensearch.ml.common.CommonValue.VERSION_2_19_0;
 
 import java.io.ByteArrayInputStream;
@@ -16,6 +18,7 @@
 import org.opensearch.Version;
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.ActionRequestValidationException;
+import org.opensearch.action.DocRequest;
 import org.opensearch.core.common.io.stream.InputStreamStreamInput;
 import org.opensearch.core.common.io.stream.OutputStreamStreamOutput;
 import org.opensearch.core.common.io.stream.StreamInput;
@@ -30,7 +33,7 @@
 @Getter
 @FieldDefaults(makeFinal = true, level = AccessLevel.PRIVATE)
 @ToString
-public class MLModelGroupGetRequest extends ActionRequest {
+public class MLModelGroupGetRequest extends ActionRequest implements DocRequest {
 
     String modelGroupId;
     String tenantId;
@@ -83,4 +86,29 @@ public static MLModelGroupGetRequest fromActionRequest(ActionRequest actionReque
             throw new UncheckedIOException("failed to parse ActionRequest into MLModelGroupGetRequest", e);
         }
     }
+
+    @Override
+    public String type() {
+        return ML_MODEL_GROUP_RESOURCE_TYPE;
+    }
+
+    /**
+     * Get the index that this request operates on
+     *
+     * @return the index
+     */
+    @Override
+    public String index() {
+        return ML_MODEL_GROUP_INDEX;
+    }
+
+    /**
+     * Get the id of the document for this request
+     *
+     * @return the id
+     */
+    @Override
+    public String id() {
+        return modelGroupId;
+    }
 }

common/src/main/java/org/opensearch/ml/common/transport/model_group/MLUpdateModelGroupRequest.java

@@ -6,6 +6,8 @@
 package org.opensearch.ml.common.transport.model_group;
 
 import static org.opensearch.action.ValidateActions.addValidationError;
+import static org.opensearch.ml.common.CommonValue.ML_MODEL_GROUP_INDEX;
+import static org.opensearch.ml.common.CommonValue.ML_MODEL_GROUP_RESOURCE_TYPE;
 import static org.opensearch.ml.common.utils.StringUtils.validateFields;
 
 import java.io.ByteArrayInputStream;
@@ -17,6 +19,7 @@
 
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.ActionRequestValidationException;
+import org.opensearch.action.DocRequest;
 import org.opensearch.core.common.io.stream.InputStreamStreamInput;
 import org.opensearch.core.common.io.stream.OutputStreamStreamOutput;
 import org.opensearch.core.common.io.stream.StreamInput;
@@ -32,7 +35,7 @@
 @Getter
 @FieldDefaults(makeFinal = true, level = AccessLevel.PRIVATE)
 @ToString
-public class MLUpdateModelGroupRequest extends ActionRequest {
+public class MLUpdateModelGroupRequest extends ActionRequest implements DocRequest {
 
     MLUpdateModelGroupInput updateModelGroupInput;
 
@@ -80,4 +83,29 @@ public static MLUpdateModelGroupRequest fromActionRequest(ActionRequest actionRe
         }
 
     }
+
+    @Override
+    public String type() {
+        return ML_MODEL_GROUP_RESOURCE_TYPE;
+    }
+
+    /**
+     * Get the index that this request operates on
+     *
+     * @return the index
+     */
+    @Override
+    public String index() {
+        return ML_MODEL_GROUP_INDEX;
+    }
+
+    /**
+     * Get the id of the document for this request
+     *
+     * @return the id
+     */
+    @Override
+    public String id() {
+        return updateModelGroupInput.getModelGroupID();
+    }
 }

common/src/main/resources/index-mappings/ml_model_group.json

@@ -1,6 +1,6 @@
 {
   "_meta": {
-    "schema_version": 3
+    "schema_version": 4
   },
   "properties": {
     "name": {
@@ -81,6 +81,9 @@
     "last_updated_time": {
       "type": "date",
       "format": "strict_date_time||epoch_millis"
+    },
+    "all_shared_principals": {
+      "type": "keyword"
     }
   }
 }

common/src/test/java/org/opensearch/ml/common/MLModelGroupTest.java

@@ -73,7 +73,7 @@ public void toXContent() throws IOException {
     public void parse() throws IOException {
         String jsonStr = "{\"name\":\"test\",\"latest_version\":1,\"description\":\"this is test group\","
             + "\"backend_roles\":[\"role1\",\"role2\"],"
-            + "\"owner\":{\"name\":\"\",\"backend_roles\":[],\"roles\":[],\"custom_attribute_names\":[],\"user_requested_tenant\":null},"
+            + "\"owner\":{\"name\":\"\",\"backend_roles\":[],\"roles\":[],\"user_requested_tenant\":null,\"custom_attribute_names\":[]},"
             + "\"access\":\"PUBLIC\"}";
         XContentParser parser = XContentType.JSON
             .xContent()
@@ -176,7 +176,7 @@ public void toXContent_WithTenantId() throws IOException {
     public void parse_WithTenantId() throws IOException {
         String jsonStr = "{\"name\":\"test\",\"latest_version\":1,\"description\":\"this is test group\","
             + "\"backend_roles\":[\"role1\",\"role2\"],"
-            + "\"owner\":{\"name\":\"\",\"backend_roles\":[],\"roles\":[],\"custom_attribute_names\":[],\"user_requested_tenant\":null,\"user_requested_tenant_access\":null},"
+            + "\"owner\":{\"name\":\"\",\"backend_roles\":[],\"roles\":[],\"user_requested_tenant\":null,\"user_requested_tenant_access\":null,\"custom_attribute_names\":[]},"
             + "\"access\":\"PUBLIC\",\"tenant_id\":\"test_tenant\"}";
 
         XContentParser parser = XContentType.JSON
@@ -201,7 +201,7 @@ public void parse_WithTenantId() throws IOException {
     public void parse_WithoutTenantId() throws IOException {
         String jsonStr = "{\"name\":\"test\",\"latest_version\":1,\"description\":\"this is test group\","
             + "\"backend_roles\":[\"role1\",\"role2\"],"
-            + "\"owner\":{\"name\":\"\",\"backend_roles\":[],\"roles\":[],\"custom_attribute_names\":[],\"user_requested_tenant\":null},"
+            + "\"owner\":{\"name\":\"\",\"backend_roles\":[],\"roles\":[],\"user_requested_tenant\":null,\"custom_attribute_names\":[]},"
             + "\"access\":\"PUBLIC\"}";
 
         XContentParser parser = XContentType.JSON