Support .opensearch-knn-model index as system index with security enabled #827
Conversation
martin-gaievski
added
Infrastructure
martin-gaievski
force-pushed
the
support-integ-tests-on-secured-cluster
branch
from
871e286 to
ed83707
Compare
Codecov Report
📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more @@ Coverage Diff @@
## main #827 +/- ##
============================================
+ Coverage 85.14% 85.18% +0.03%
- Complexity 1079 1081 +2
============================================
Files 151 151
Lines 4370 4394 +24
Branches 390 390
============================================
+ Hits 3721 3743 +22
- Misses 472 474 +2
Partials 177 177
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
|
checks for this PR will fail until we get fresh distribution build, current blocker is security plugin, PR is opensearch-project/security#2608 |
What do you mean by this? I think we need to revert this for 2.x until we add special access to system index in code. |
|
|
||
| @Override | ||
| protected RestClient getClient() { | ||
| return adminClient(); |
There was a problem hiding this comment.
Not sure if we should use admin client for all requests.
There was a problem hiding this comment.
let me check, if there will be more case where normal client is enough I'll update the logic and use admin client only where needed
| String indexName = (String) index.get("index"); | ||
| final String indexName = (String) index.get("index"); | ||
| if (isIndexCleanupRequired(indexName)) { | ||
| wipeIndexContent(MODEL_INDEX_NAME); |
There was a problem hiding this comment.
Why is MODEL_INDEX_NAME used here and not indexName?
| assertNull(statsMap.get(StatNames.MODEL_INDEX_STATUS.getName())); | ||
| // Check that model health status is null since model index is not created to system yet | ||
| assertNull(statsMap.get(StatNames.MODEL_INDEX_STATUS.getName())); | ||
| } | ||
|
|
||
| createModelSystemIndex(); |
There was a problem hiding this comment.
May be we should move this line of code into the if condition as we want to create it when it doesn't exist
|
I did development/testing on main of security plugin, that does have opensearch-project/security#2274. That was my understanding, that we need to keep model index as system and make tests work. If we revert the security plugin change then I think it will just work, model index became normal index |
martin-gaievski
force-pushed
the
support-integ-tests-on-secured-cluster
branch
from
ce86540 to
75a772c
Compare
| @@ -178,6 +178,7 @@ dependencies { | |||
| testImplementation group: 'net.bytebuddy', name: 'byte-buddy', version: '1.14.2' | |||
| testImplementation group: 'org.objenesis', name: 'objenesis', version: '3.2' | |||
| testImplementation group: 'net.bytebuddy', name: 'byte-buddy-agent', version: '1.14.2' | |||
| api "org.opensearch:common-utils:${version}" | |||
There was a problem hiding this comment.
we're importing some constants from common-utils for https client setup https://github.com/martin-gaievski/k-NN/blob/support-integ-tests-on-secured-cluster/src/testFixtures/java/org/opensearch/knn/ODFERestTestCase.java#L289-L300
| GetResponse getResponse = getRequestBuilder.execute().get(); | ||
| Map<String, Object> responseMap = getResponse.getSourceAsMap(); | ||
| return Model.getModelFromSourceMap(responseMap); | ||
| try (ThreadContext.StoredContext context = client.threadPool().getThreadContext().stashContext()) { |
There was a problem hiding this comment.
Can you please add some comment which can explain what we want to achieve here? I also don't see the usage of context variable. May be I am missing something here.
There was a problem hiding this comment.
ack, also variable assignment is required by Java
| @@ -404,8 +407,10 @@ public void get(String modelId, ActionListener<GetModelResponse> actionListener) | |||
| */ | |||
| @Override | |||
| public void search(SearchRequest request, ActionListener<SearchResponse> actionListener) { | |||
| request.indices(MODEL_INDEX_NAME); | |||
| client.search(request, actionListener); | |||
| try (ThreadContext.StoredContext context = client.threadPool().getThreadContext().stashContext()) { | |||
src/main/java/org/opensearch/knn/plugin/transport/DeleteModelTransportAction.java
Outdated
Show resolved
Hide resolved
| modelDao.delete(modelID, listener); | ||
| } catch (Exception e) { | ||
| logger.error(e); | ||
| listener.onFailure(e); |
There was a problem hiding this comment.
If we do this then do we need above line where we are logging the error?
There was a problem hiding this comment.
probably not needed, checked k-NN implementations, we log exception with the proper error message in there https://github.com/martin-gaievski/k-NN/blob/support-integ-tests-on-secured-cluster/src/main/java/org/opensearch/knn/index/KNNSettings.java#L412. Will remove in revision
src/main/java/org/opensearch/knn/plugin/transport/GetModelTransportAction.java
Outdated
Show resolved
Hide resolved
martin-gaievski
force-pushed
the
support-integ-tests-on-secured-cluster
branch
from
7095ec8 to
60681e6
Compare
src/main/java/org/opensearch/knn/plugin/transport/DeleteModelTransportAction.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/knn/plugin/transport/GetModelTransportAction.java
Outdated
Show resolved
Hide resolved
CHANGELOG.md
Outdated
| @@ -21,6 +21,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), | |||
| * Add CHANGELOG ([#800](https://github.com/opensearch-project/k-NN/pull/800)) | |||
| * Bump byte-buddy version from 1.12.22 to 1.14.2 ([#804](https://github.com/opensearch-project/k-NN/pull/804)) | |||
| * Bump numpy version from 1.22.x to 1.24.2 ([#811](https://github.com/opensearch-project/k-NN/pull/811)) | |||
| * Add support for integ tests on secured cluster ([#827](https://github.com/opensearch-project/k-NN/pull/827)) | |||
There was a problem hiding this comment.
Change this to "Support .opensearch-knn-model index as system index with security enabled"
| // temporary setting thread context to default, this is needed to allow actions on model system index | ||
| // when security plugin is enabled | ||
| try (ThreadContext.StoredContext context = client.threadPool().getThreadContext().stashContext()) { | ||
| client.execute( |
There was a problem hiding this comment.
This doesnt touch the model system index. Is this needed?
| ); | ||
| // temporary setting thread context to default, this is needed to allow actions on model system index | ||
| // when security plugin is enabled | ||
| try (ThreadContext.StoredContext context = client.threadPool().getThreadContext().stashContext()) { |
There was a problem hiding this comment.
This doesnt touch the model system index. Is this still needed?
| @@ -583,59 +624,76 @@ private void updateModelGraveyardToDelete( | |||
| StepListener<AcknowledgedResponse> step, | |||
| Optional<Exception> exception | |||
| ) { | |||
| // temporary setting thread context to default, this is needed to allow actions on model system index | |||
| // when security plugin is enabled | |||
| try (ThreadContext.StoredContext context = client.threadPool().getThreadContext().stashContext()) { | |||
There was a problem hiding this comment.
This doesnt touch the model system index. Is this still needed?
There was a problem hiding this comment.
updated modelDao, removed context stashes where we access metadata
martin-gaievski
changed the title
martin-gaievski
force-pushed
the
support-integ-tests-on-secured-cluster
branch
from
27e70ad to
d426aea
Compare
martin-gaievski
force-pushed
the
support-integ-tests-on-secured-cluster
branch
2 times, most recently
from
de3e487 to
0fc30b9
Compare
martin-gaievski
force-pushed
the
support-integ-tests-on-secured-cluster
branch
2 times, most recently
from
a5100ef to
fb1111d
Compare
Signed-off-by: Martin Gaievski <gaievski@amazon.com>
…ng calls Signed-off-by: Martin Gaievski <gaievski@amazon.com>
Signed-off-by: Martin Gaievski <gaievski@amazon.com>
Signed-off-by: Martin Gaievski <gaievski@amazon.com>
Signed-off-by: Martin Gaievski <gaievski@amazon.com>
Signed-off-by: Martin Gaievski <gaievski@amazon.com>
Signed-off-by: Martin Gaievski <gaievski@amazon.com>
Signed-off-by: Martin Gaievski <gaievski@amazon.com> Fixing issues related to exception handling Signed-off-by: Martin Gaievski <gaievski@amazon.com>
martin-gaievski
force-pushed
the
support-integ-tests-on-secured-cluster
branch
from
fb1111d to
47c667c
Compare
|
The backport to To backport manually, run these commands in your terminal: # Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.x 2.x
# Navigate to the new working tree
cd .worktrees/backport-2.x
# Create a new branch
git switch --create backport/backport-827-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 b94b030afc74efc1fae5c5c7528edc25974a3fec
# Push it to GitHub
git push --set-upstream origin backport/backport-827-to-2.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.xThen, create a pull request where the |
|
The backport to To backport manually, run these commands in your terminal: # Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.7 2.7
# Navigate to the new working tree
cd .worktrees/backport-2.7
# Create a new branch
git switch --create backport/backport-827-to-2.7
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 b94b030afc74efc1fae5c5c7528edc25974a3fec
# Push it to GitHub
git push --set-upstream origin backport/backport-827-to-2.7
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.7Then, create a pull request where the |
…bled (opensearch-project#827) * Add support for integ tests on secured cluster Signed-off-by: Martin Gaievski <gaievski@amazon.com> (cherry picked from commit b94b030)
…bled (opensearch-project#827) * Add support for integ tests on secured cluster Signed-off-by: Martin Gaievski <gaievski@amazon.com> (cherry picked from commit b94b030) Signed-off-by: Martin Gaievski <gaievski@amazon.com>
…bled (opensearch-project#827) * Add support for integ tests on secured cluster Signed-off-by: Martin Gaievski <gaievski@amazon.com> (cherry picked from commit b94b030) Signed-off-by: Martin Gaievski <gaievski@amazon.com>
…bled (opensearch-project#827) * Add support for integ tests on secured cluster Signed-off-by: Martin Gaievski <gaievski@amazon.com> (cherry picked from commit b94b030) Signed-off-by: Martin Gaievski <gaievski@amazon.com>
…bled (opensearch-project#827) * Add support for integ tests on secured cluster Signed-off-by: Martin Gaievski <gaievski@amazon.com> (cherry picked from commit b94b030) Signed-off-by: Martin Gaievski <gaievski@amazon.com>
…bled (opensearch-project#827) * Add support for integ tests on secured cluster Signed-off-by: Martin Gaievski <gaievski@amazon.com> (cherry picked from commit b94b030) Signed-off-by: Martin Gaievski <gaievski@amazon.com>
…bled (opensearch-project#827) * Add support for integ tests on secured cluster Signed-off-by: Martin Gaievski <gaievski@amazon.com> (cherry picked from commit b94b030) Signed-off-by: Martin Gaievski <gaievski@amazon.com> (cherry picked from commit 99300b1)
Description
With this change plugin's integ tests can be execute in remote cluster with enabled security plugin. It will work with latest security plugin code, we don't need to repeat opensearch-project/security#2480 similarly to 2.6 branch/release.
Main implemented ideas are:
Issues Resolved
opensearch-project/security#2265
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.