Add global resource support (#4003)

* feat: Add global resource support for remote metadata with DynamoDB integration

- Add DynamoDB client dependency for remote metadata storage
- Implement tenant-aware encryption for global vs tenant-specific resources
- Migrate GetConfigTransportAction to use SDK client instead of direct ES client
- Add REMOTE_METADATA_GLOBAL_TENANT_ID setting support
- Force AWS SDK version alignment for dependency consistency

Signed-off-by: Zirui Song <zrsong@amazon.com>

* Fix config get transport action test failures

Signed-off-by: zane-neo <zaniu@amazon.com>

* Add UTs to increase code coverage

Signed-off-by: zane-neo <zaniu@amazon.com>

---------

Signed-off-by: Zirui Song <zrsong@amazon.com>
Signed-off-by: zane-neo <zaniu@amazon.com>
Co-authored-by: zane-neo <zaniu@amazon.com>

Author: zirui-song-18

.gitignore

@@ -10,3 +10,4 @@ ml-algorithms/build/
 plugin/build/
 .DS_Store
 */bin/
+**/*.factorypath

common/src/main/java/org/opensearch/ml/common/settings/MLCommonsSettings.java

@@ -6,6 +6,8 @@
 package org.opensearch.ml.common.settings;
 
 import static org.opensearch.remote.metadata.common.CommonValue.REMOTE_METADATA_ENDPOINT_KEY;
+import static org.opensearch.remote.metadata.common.CommonValue.REMOTE_METADATA_GLOBAL_RESOURCE_CACHE_TTL_KEY;
+import static org.opensearch.remote.metadata.common.CommonValue.REMOTE_METADATA_GLOBAL_TENANT_ID_KEY;
 import static org.opensearch.remote.metadata.common.CommonValue.REMOTE_METADATA_REGION_KEY;
 import static org.opensearch.remote.metadata.common.CommonValue.REMOTE_METADATA_SERVICE_NAME_KEY;
 import static org.opensearch.remote.metadata.common.CommonValue.REMOTE_METADATA_TYPE_KEY;
@@ -372,4 +374,14 @@ private MLCommonsSettings() {}
         .boolSetting("plugins.ml_commons.agentic_memory_enabled", false, Setting.Property.NodeScope, Setting.Property.Dynamic);
     public static final String ML_COMMONS_AGENTIC_MEMORY_DISABLED_MESSAGE =
         "The Agentic Memory APIs are not enabled. To enable, please update the setting " + ML_COMMONS_AGENTIC_MEMORY_ENABLED.getKey();
+
+    public static final Setting<String> REMOTE_METADATA_GLOBAL_TENANT_ID = Setting
+        .simpleString("plugins.ml-commons." + REMOTE_METADATA_GLOBAL_TENANT_ID_KEY, Setting.Property.NodeScope, Setting.Property.Final);
+
+    public static final Setting<String> REMOTE_METADATA_GLOBAL_RESOURCE_CACHE_TTL = Setting
+        .simpleString(
+            "plugins.ml-commons." + REMOTE_METADATA_GLOBAL_RESOURCE_CACHE_TTL_KEY,
+            Setting.Property.NodeScope,
+            Setting.Property.Final
+        );
 }

ml-algorithms/build.gradle

@@ -54,6 +54,7 @@ dependencies {
     // Multi-tenant SDK Client
     implementation "org.opensearch:opensearch-remote-metadata-sdk:${opensearch_build}"
     implementation 'commons-beanutils:commons-beanutils:1.11.0'
+    implementation "org.opensearch:opensearch-remote-metadata-sdk-ddb-client:${opensearch_build}"
 
     def os = DefaultNativePlatform.currentOperatingSystem
     //arm/macos doesn't support GPU

ml-algorithms/src/main/java/org/opensearch/ml/engine/MLEngine.java

@@ -150,6 +150,15 @@ public Predictable deploy(MLModel mlModel, Map<String, Object> params) {
         return predictable;
     }
 
+    public void deploy(MLModel mlModel, Map<String, Object> params, ActionListener<Predictable> listener) {
+        Predictable predictable = MLEngineClassLoader.initInstance(mlModel.getAlgorithm(), null, MLAlgoParams.class);
+        predictable.initModelAsync(mlModel, params, encryptor).thenAccept((b) -> listener.onResponse(predictable)).exceptionally(e -> {
+            log.error("Failed to init init model", e);
+            listener.onFailure(new RuntimeException(e));
+            return null;
+        });
+    }
+
     public MLExecutable deployExecute(MLModel mlModel, Map<String, Object> params) {
         MLExecutable executable = MLEngineClassLoader.initInstance(mlModel.getAlgorithm(), null, MLAlgoParams.class);
         executable.initModel(mlModel, params);

ml-algorithms/src/main/java/org/opensearch/ml/engine/Predictable.java

@@ -6,6 +6,7 @@
 package org.opensearch.ml.engine;
 
 import java.util.Map;
+import java.util.concurrent.CompletionStage;
 
 import org.opensearch.core.action.ActionListener;
 import org.opensearch.ml.common.MLModel;
@@ -19,6 +20,8 @@
  */
 public interface Predictable {
 
+    String METHOD_NOT_IMPLEMENTED_ERROR_MSG = "Method is not implemented";
+
     /**
      * Predict with given input data and model.
      * Will reload model into memory with model content.
@@ -34,11 +37,11 @@ public interface Predictable {
      * @return predicted results
      */
     default MLOutput predict(MLInput mlInput) {
-        throw new IllegalStateException("Method is not implemented");
+        throw new IllegalStateException(METHOD_NOT_IMPLEMENTED_ERROR_MSG);
     }
 
     default void asyncPredict(MLInput mlInput, ActionListener<MLTaskResponse> actionListener) {
-        actionListener.onFailure(new IllegalStateException("Method is not implemented"));
+        actionListener.onFailure(new IllegalStateException(METHOD_NOT_IMPLEMENTED_ERROR_MSG));
     }
 
     /**
@@ -47,7 +50,13 @@ default void asyncPredict(MLInput mlInput, ActionListener<MLTaskResponse> action
      * @param params other parameters
      * @param encryptor encryptor
      */
-    void initModel(MLModel model, Map<String, Object> params, Encryptor encryptor);
+    default void initModel(MLModel model, Map<String, Object> params, Encryptor encryptor) {
+        throw new IllegalStateException(METHOD_NOT_IMPLEMENTED_ERROR_MSG);
+    }
+
+    default CompletionStage<Boolean> initModelAsync(MLModel model, Map<String, Object> params, Encryptor encryptor) {
+        throw new IllegalStateException(METHOD_NOT_IMPLEMENTED_ERROR_MSG);
+    }
 
     /**
      * Close resources like deployed model.

ml-algorithms/src/main/java/org/opensearch/ml/engine/algorithms/remote/RemoteModel.java

@@ -6,15 +6,20 @@
 package org.opensearch.ml.engine.algorithms.remote;
 
 import static org.opensearch.ml.common.connector.ConnectorAction.ActionType.PREDICT;
+import static org.opensearch.ml.common.settings.MLCommonsSettings.REMOTE_METADATA_GLOBAL_TENANT_ID;
 
 import java.util.Map;
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.CompletionStage;
 import java.util.concurrent.atomic.AtomicBoolean;
 
 import org.opensearch.cluster.service.ClusterService;
+import org.opensearch.common.settings.Settings;
 import org.opensearch.common.util.TokenBucket;
 import org.opensearch.core.action.ActionListener;
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.ml.common.FunctionName;
+import org.opensearch.ml.common.MLIndex;
 import org.opensearch.ml.common.MLModel;
 import org.opensearch.ml.common.connector.Connector;
 import org.opensearch.ml.common.connector.ConnectorAction.ActionType;
@@ -28,6 +33,7 @@
 import org.opensearch.ml.engine.Predictable;
 import org.opensearch.ml.engine.annotation.Function;
 import org.opensearch.ml.engine.encryptor.Encryptor;
+import org.opensearch.remote.metadata.client.SdkClient;
 import org.opensearch.script.ScriptService;
 import org.opensearch.transport.client.Client;
 
@@ -47,6 +53,8 @@ public class RemoteModel implements Predictable {
     public static final String USER_RATE_LIMITER_MAP = "user_rate_limiter_map";
     public static final String GUARDRAILS = "guardrails";
     public static final String CONNECTOR_PRIVATE_IP_ENABLED = "connectorPrivateIpEnabled";
+    public static final String SDK_CLIENT = "sdk_client";
+    public static final String SETTINGS = "settings";
 
     private RemoteConnectorExecutor connectorExecutor;
 
@@ -98,11 +106,14 @@ public boolean isModelReady() {
     }
 
     @Override
-    public void initModel(MLModel model, Map<String, Object> params, Encryptor encryptor) {
-        try {
+    public CompletionStage<Boolean> initModelAsync(MLModel model, Map<String, Object> params, Encryptor encryptor) {
+        SdkClient sdkClient = (SdkClient) params.get(SDK_CLIENT);
+        return sdkClient.isGlobalResource(MLIndex.MODEL.getIndexName(), model.getModelId()).thenCompose(isGlobalResource -> {
+            String decryptTenantId = Boolean.TRUE.equals(isGlobalResource)
+                ? REMOTE_METADATA_GLOBAL_TENANT_ID.get((Settings) params.get(SETTINGS))
+                : model.getTenantId();
             Connector connector = model.getConnector().cloneConnector();
-            connector
-                .decrypt(PREDICT.name(), (credential, tenantId) -> encryptor.decrypt(credential, model.getTenantId()), model.getTenantId());
+            connector.decrypt(PREDICT.name(), (credential, tenantId) -> encryptor.decrypt(credential, decryptTenantId), decryptTenantId);
             // This situation can only happen for inline connector where we don't provide tenant id.
             if (connector.getTenantId() == null && model.getTenantId() != null) {
                 connector.setTenantId(model.getTenantId());
@@ -116,13 +127,10 @@ public void initModel(MLModel model, Map<String, Object> params, Encryptor encry
             this.connectorExecutor.setUserRateLimiterMap((Map<String, TokenBucket>) params.get(USER_RATE_LIMITER_MAP));
             this.connectorExecutor.setMlGuard((MLGuard) params.get(GUARDRAILS));
             this.connectorExecutor.setConnectorPrivateIpEnabled((AtomicBoolean) params.get(CONNECTOR_PRIVATE_IP_ENABLED));
-        } catch (RuntimeException e) {
-            log.error("Failed to init remote model.", e);
-            throw e;
-        } catch (Throwable e) {
+            return CompletableFuture.completedStage(true);
+        }).exceptionally(e -> {
             log.error("Failed to init remote model.", e);
             throw new MLException(e);
-        }
+        });
     }
-
 }

ml-algorithms/src/test/java/org/opensearch/ml/engine/MLEngineTest.java

@@ -8,7 +8,14 @@
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotEquals;
 import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+import static org.opensearch.ml.engine.algorithms.remote.RemoteModel.SDK_CLIENT;
+import static org.opensearch.ml.engine.algorithms.remote.RemoteModel.SETTINGS;
 import static org.opensearch.ml.engine.helper.LinearRegressionHelper.constructLinearRegressionPredictionDataFrame;
 import static org.opensearch.ml.engine.helper.LinearRegressionHelper.constructLinearRegressionTrainDataFrame;
 import static org.opensearch.ml.engine.helper.MLTestHelper.constructTestDataFrame;
@@ -19,14 +26,17 @@
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
+import java.util.Locale;
 import java.util.Map;
 import java.util.UUID;
+import java.util.concurrent.CompletableFuture;
 
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.ExpectedException;
+import org.mockito.ArgumentCaptor;
 import org.mockito.MockedStatic;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.common.xcontent.XContentType;
@@ -37,6 +47,7 @@
 import org.opensearch.core.xcontent.XContentParser;
 import org.opensearch.ml.common.FunctionName;
 import org.opensearch.ml.common.MLModel;
+import org.opensearch.ml.common.connector.AwsConnector;
 import org.opensearch.ml.common.connector.HttpConnector;
 import org.opensearch.ml.common.dataframe.ColumnMeta;
 import org.opensearch.ml.common.dataframe.DataFrame;
@@ -57,8 +68,11 @@
 import org.opensearch.ml.engine.algorithms.regression.LinearRegression;
 import org.opensearch.ml.engine.encryptor.Encryptor;
 import org.opensearch.ml.engine.encryptor.EncryptorImpl;
+import org.opensearch.remote.metadata.client.SdkClient;
 import org.opensearch.search.SearchModule;
 
+import software.amazon.awssdk.utils.ImmutableMap;
+
 // TODO: refactor MLEngineClassLoader's static functions to avoid mockStatic
 public class MLEngineTest extends MLStaticMockBase {
     @Rule
@@ -523,4 +537,74 @@ public void testGetConnectorCredentialWithoutRegion() throws IOException {
         assertEquals("test_key_value", decryptedCredential.get("key"));
         assertEquals(null, decryptedCredential.get("region"));
     }
+
+    @Test
+    public void testDeploy_withPredictableActionListener_successful() throws IOException {
+        String encryptedAccessKey = mlEngine.encrypt("access-key", null);
+        String encryptedSecretKey = mlEngine.encrypt("secret-key", null);
+        String testConnector = String.format(Locale.ROOT, """
+            {
+                "name": "sagemaker: t2ppl",
+                "description": "t2ppl model",
+                "version": 1,
+                "protocol": "aws_sigv4",
+                "credential": {
+                    "access_key": "%s",
+                    "secret_key": "%s"
+                },
+                "parameters": {
+                    "region": "us-east-1",
+                    "service_name": "sagemaker",
+                    "input_type": "search_document"
+                },
+                "actions": [
+                    {
+                        "action_type": "predict",
+                        "method": "POST",
+                        "headers": {
+                            "content-type": "application/json",
+                            "x-amz-content-sha256": "required"
+                        },
+                        "url": "https://runtime.sagemaker.us-west-2.amazonaws.com/endpoints/my-endpoint/invocations",
+                        "request_body": "{\\"prompt\\":\\"${parameters.prompt}\\"}"
+                    }
+                ]
+            }
+            """, encryptedAccessKey, encryptedSecretKey);
+
+        XContentParser parser = XContentType.JSON
+            .xContent()
+            .createParser(
+                new NamedXContentRegistry(new SearchModule(Settings.EMPTY, Collections.emptyList()).getNamedXContents()),
+                null,
+                testConnector
+            );
+        parser.nextToken();
+
+        MLModel model = mock(MLModel.class);
+        AwsConnector connector = new AwsConnector("aws_sigv4", parser);
+        when(model.getAlgorithm()).thenReturn(FunctionName.REMOTE);
+        when(model.getConnector()).thenReturn(connector);
+        ActionListener<Predictable> actionListener = mock(ActionListener.class);
+        SdkClient sdkClient = mock(SdkClient.class);
+        when(sdkClient.isGlobalResource(any(), any())).thenReturn(CompletableFuture.completedFuture(false));
+        Map<String, Object> params = ImmutableMap.of(SDK_CLIENT, sdkClient, SETTINGS, Settings.EMPTY);
+        mlEngine.deploy(model, params, actionListener);
+        verify(actionListener).onResponse(any(Predictable.class));
+    }
+
+    @Test
+    public void testDeploy_withPredictableActionListener_exceptional() {
+        MLModel model = mock(MLModel.class);
+        when(model.getAlgorithm()).thenReturn(FunctionName.REMOTE);
+        when(model.getConnector()).thenThrow(new RuntimeException("Runtime error"));
+        ActionListener<Predictable> actionListener = mock(ActionListener.class);
+        SdkClient sdkClient = mock(SdkClient.class);
+        when(sdkClient.isGlobalResource(any(), any())).thenReturn(CompletableFuture.completedFuture(false));
+        Map<String, Object> params = ImmutableMap.of(SDK_CLIENT, sdkClient, SETTINGS, Settings.EMPTY);
+        mlEngine.deploy(model, params, actionListener);
+        ArgumentCaptor<RuntimeException> argumentCaptor = ArgumentCaptor.forClass(RuntimeException.class);
+        verify(actionListener).onFailure(argumentCaptor.capture());
+        assertTrue(argumentCaptor.getValue().getMessage().contains("Runtime error"));
+    }
 }