configure new ML plugin actions

[ylwu-amzn]

Signed-off-by: Yaliang Wu ylwu@amazon.com

Description

Configure new plugin actions for 2.4 release.

Category

Maintenance

Why these changes are required?

We need these actions for 2.4 release.

What is the old behavior before changes and new behavior after changes?

Old: no these actions
New: add these actions, so user can configure custom permission role

Issues Resolved

Resolve #1181

Testing

Check List

• New functionality includes testing
• New functionality has been documented
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 71.78%. Comparing base (24807bb) to head (fe07f57).
⚠️ Report is 260 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1182   +/-   ##
=======================================
  Coverage   71.78%   71.78%           
=======================================
  Files          88       88           
  Lines        2027     2027           
  Branches      269      269           
=======================================
  Hits         1455     1455           
  Misses        509      509           
  Partials       63       63           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Zhangxunmt]

LGTM

[peternied]

Is there documentation around the new features that are being permissioned that would be helpful to read up on? From the new names structure is hard for me to understand the relationship between the permissions and their granularity.

e.g.

Added a new model metadata, automatically created on new models, can be manually created via an API call to create_model_meta. If the user has access to the model they can read the metadata. Only users with permissions can call the API to manually create the metadata.

From Fake Feature Documentation

[peternied]

Both forward/syncup seem like they apply to something rather than a top level permission, is this expected?

[peternied]

[Offline Recap] FYI @ylwu-amzn

More changes might be needed to the backend

This change does not change any default permissions settings or register new permissions associated with roles or action groups. It only modifies the permissions that are displayed in the UI for the security plugin for admins to add/remove permissions in a couple of flows.

If default permissions, roles, action groups, need to be changed those need to happen in the security backend's config files [1].

Permissions should only be created that impact users experience

There is a permission in the current pull request cluster:admin/opensearch/ml/forward that a cluster admin would never allow or not allow. This action name might need to be changed to start with 'internal' so it does not have any access checks applied to it - it is an internal action.

Testing should be done with the security plugin

There are a couple of comments where there is a question of functionality - I am at a disadvantage answer these questions as the security plugin has not changed its model, but it sounds like considerable work has been done inside ML for its new features. In order to know if those features will work correctly or you'll need to see how you've changed the contract of the systems.

[1] https://github.com/opensearch-project/security/tree/main/config

[peternied]

To get more background on setting up for using with Security plugin, see this https://github.com/opensearch-project/security#onboarding-new-apis

[ylwu-amzn]

More changes might be needed to the backend

No need, we have configured reserved roles before opensearch-project/security#1654

Permissions should only be created that impact users experience

Agree, these internal actions were removed.

Testing should be done with the security plugin

Yes , we have done test with security backend plugin (I guess @peternied knows better than me, security dashboard plugin is not necessary when do pen test as security plugin provides APIs ). This PR is just add new actions to security dashboard plugin, so user can configure action easily on UI.

[peternied]

More changes might be needed to the backend

No need, we have configured reserved roles before opensearch-project/security#1654

@ylwu-amzn Thanks for the confirmation, you are good to merge. Please create an issue to document these permissions - I couldn't find any references to those names within the OpenSearch project.

[ylwu-amzn]

More changes might be needed to the backend

No need, we have configured reserved roles before opensearch-project/security#1654

@ylwu-amzn Thanks for the confirmation, you are good to merge. Please create an issue to document these permissions - I couldn't find any references to those names within the OpenSearch project.

Yes, tech writer is working on these documentation.