#289 - Add register, update and delete model group functionality to support Model Access Control

[rawwar]

Description

Add model group registry, update, search and deletion functionality

Issues Resolved

closes #289
closes #290
closes #292
closes #333
closes #117

Check List

• New functionality includes testing.
  • All tests pass
• New functionality has been documented.
  • New functionality has javadoc added
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[rawwar]

@dhrubo-os , can you please review and let me know if you have any feedback. I am working on adding tests

[dhrubo-os]

Just one suggestion, you can also mark a PR as draft if you think PR is not ready to review yet.

[codecov]

Codecov Report

Merging #332 (075a763) into main (fc698a7) will increase coverage by 0.11%.
The diff coverage is 96.07%.

@@            Coverage Diff             @@
##             main     #332      +/-   ##
==========================================
+ Coverage   91.36%   91.47%   +0.11%     
==========================================
  Files          38       40       +2     
  Lines        4237     4339     +102     
==========================================
+ Hits         3871     3969      +98     
- Misses        366      370       +4     

Files	Coverage Δ
opensearch_py_ml/ml_commons/ml_commons_client.py	84.84% <100.00%> (+0.18%)	⬆️
...y_ml/ml_commons/validators/model_access_control.py	98.00% <98.00%> (ø)
...pensearch_py_ml/ml_commons/model_access_control.py	94.00% <94.00%> (ø)

[rawwar]

@dhrubo-os , I fixed the issues. Can you review the PR and let me know if I need to change anything? I will work on to increase the coverage.

[dhrubo-os]

@rbhavna Could you please review this PR as you implemented the model access control. Thanks.

[dhrubo-os]

Overall Looks good to me

@rbhavna could you also please review this PR as you know more about model access control?

[rbhavna]

Any specific reason we are not validating all the exception cases while creating model group? Like the ones we have here: https://github.com/opensearch-project/ml-commons/blob/6efb1ebeefb8a7930f6767262457d0d5b568ac75/plugin/src/main/java/org/opensearch/ml/model/MLModelGroupManager.java#L148

[rawwar]

@rbhavna , since, these validations are already being done by ml-commons, having them here as well felt like double validations. Most checks I wrote here just check for type issues and helps to make a valid API call.

[rbhavna]

Just curious, the three exception cases that we are testing here are also being validated by ml-commons. Any reason we still have them here and not the others?

[rawwar]

Right. I do feel we shouldn't be having these checks in opensearch-py-ml. Because, if checks on ml-commons change, we again need to update this on the client as well. I was thinking, client libraries only purpose would be to make the calls and if any errors from the opensearch, it should be able to pass them to user without any change. Also, maybe add few utility functions to make things easier for the user.

@dhrubo-os , @rbhavna , what do you think about removing these validations form opensearch-py-ml? Or Should I go ahead with implementing the validations from ml-commons ?

[dhrubo-os]

As opensearch-py-ml is a client plugin for ml-commons, we should have only the client side testing similar like any web application. Some basic input validations which can be easily caught before the request reaching to the server. We don't need to add that type of validations for which we need to make a back-end call like testing if the user is admin or not.

Yeah we need to have the same basic validations in ml-commons too, as py-ml isn't the only client for ml-commons.

[rbhavna]

Same doubt. Update model group also validates similar exception cases that are missing here. If we are not validating them at any other place, I would suggest we have them here.

[dhrubo-os]

I agree, but I think the limitation is, during update we don't know what are the values already for model group in index. So either we need to get the model group with a server call and then check or we call leave it to the server validation.

In this case I would prefer the second not to complicate things.

[rbhavna]

Yes agreed @dhrubo-os