enable auto redeploy for hidden model #2102
Conversation
Signed-off-by: Bhavana Ramaram <rbhavna@amazon.com>
rbhavna
requested review from
b4sjoo,
dhrubo-os,
jngz-es,
model-collapse,
ylwu-amzn,
zane-neo,
Zhangxunmt,
austintlee,
HenryL27 and
sam-herman
as code owners
rbhavna
temporarily deployed
to
ml-commons-cicd-env
GitHub Actions
Inactive
rbhavna
temporarily deployed
to
ml-commons-cicd-env
GitHub Actions
Inactive
rbhavna
temporarily deployed
to
ml-commons-cicd-env
GitHub Actions
Inactive
rbhavna
temporarily deployed
to
ml-commons-cicd-env
GitHub Actions
Inactive
rbhavna
temporarily deployed
to
ml-commons-cicd-env
GitHub Actions
Inactive
rbhavna
temporarily deployed
to
ml-commons-cicd-env
GitHub Actions
Inactive
| } | ||
|
|
||
| public MLDeployModelRequest(String modelId, boolean async) { | ||
| this(modelId, null, async, true); | ||
| this(modelId, null, async, true, true); |
There was a problem hiding this comment.
[nit] may be add a comment why here isUserInitiatedDeployRequest will always be true?
| } | ||
|
|
||
| public MLDeployModelRequest(StreamInput in) throws IOException { | ||
| super(in); | ||
| this.modelId = in.readString(); | ||
| this.modelNodeIds = in.readOptionalStringArray(); | ||
| this.async = in.readBoolean(); | ||
| this.isUserInitiatedDeployRequest = in.readOptionalBoolean(); |
There was a problem hiding this comment.
why optionalboolean? what'll happen if the value isn't present?
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## 2.x #2102 +/- ##
============================================
- Coverage 81.83% 81.83% -0.01%
+ Complexity 5621 5620 -1
============================================
Files 543 543
Lines 22819 22825 +6
Branches 2339 2340 +1
============================================
+ Hits 18675 18679 +4
- Misses 3210 3213 +3
+ Partials 934 933 -1
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
rbhavna
had a problem deploying
to
ml-commons-cicd-env
GitHub Actions
Failure
rbhavna
had a problem deploying
to
ml-commons-cicd-env
GitHub Actions
Failure
rbhavna
had a problem deploying
to
ml-commons-cicd-env
GitHub Actions
Failure
There was a problem hiding this comment.
Can we follow similar logic for non-hidden models to bypass access check in case the request is system initiated? : https://github.com/opensearch-project/ml-commons/pull/2102/files#diff-c341f5a67c1d221e5593dd55fb689e9d0c9a60d33e0fa26090803cfa90818fa7R162
| @@ -286,6 +286,7 @@ public void testDoExecute_no_permission_hidden_model() { | |||
| MLModel mlModel = mock(MLModel.class); | |||
| when(mlModel.getAlgorithm()).thenReturn(FunctionName.ANOMALY_LOCALIZATION); | |||
| when(mlModel.getIsHidden()).thenReturn(true); | |||
| when(mlDeployModelRequest.isUserInitiatedDeployRequest()).thenReturn(true); | |||
There was a problem hiding this comment.
Add unit test to cover isUserInitiatedDeployRequest set to false.
This is already handled in the validateModelGroupAccess method. But it checks for user being null and skips access check which handles the auto redeploy scenario |
| @@ -857,7 +857,7 @@ private void updateModelRegisterStateAsDone( | |||
| void deployModelAfterRegistering(MLRegisterModelInput registerModelInput, String modelId) { | |||
| String[] modelNodeIds = registerModelInput.getModelNodeIds(); | |||
| log.debug("start deploying model after registering, modelId: {} on nodes: {}", modelId, Arrays.toString(modelNodeIds)); | |||
| MLDeployModelRequest request = new MLDeployModelRequest(modelId, modelNodeIds, false, true); | |||
| MLDeployModelRequest request = new MLDeployModelRequest(modelId, modelNodeIds, false, true, true); | |||
There was a problem hiding this comment.
What if user define a flow template with deploy hidden model action in it ? Can user deploy any hidden model?
There was a problem hiding this comment.
Isn't hidden model management (register, deploy, undeploy, delete) is out of scope for AI-Flow?
There was a problem hiding this comment.
With a flow template, we will still consider it as user initiated right. So we will still check for access. Only if it is system initiated, we will bypass the access checks
There was a problem hiding this comment.
Isn't hidden model management (register, deploy, undeploy, delete) is out of scope for AI-Flow?
Yes for normal process, but that's not a hard control. User can copy the hidden model id and define a flow template to deploy it.
There was a problem hiding this comment.
Can user see the hidden model id? I thought only superAdmin can see it.
There was a problem hiding this comment.
Can user see the hidden model id? I thought only superAdmin can see it.
model id isn't hidden to users. But model content is hidden to users. During prediction, model id is being used. As user can make the prediction request, they can know the model id eventually.
There was a problem hiding this comment.
Yes for normal process, but that's not a hard control. User can copy the hidden model id and define a flow template to deploy it.
We opened this deploy request to clients and then user initiated request flag is being set to true from code. So every request sent from ai-flow or any other clients should be treated as user initiated request too.
Null user checks is a workaround, can we explicitly check if deploy request is not user initiated so that same behavior is maintained for system initiated deployments? |
Signed-off-by: Bhavana Ramaram <rbhavna@amazon.com>
rbhavna
had a problem deploying
to
ml-commons-cicd-env
GitHub Actions
Error
rbhavna
had a problem deploying
to
ml-commons-cicd-env
GitHub Actions
Error
rbhavna
had a problem deploying
to
ml-commons-cicd-env
GitHub Actions
Failure
rbhavna
had a problem deploying
to
ml-commons-cicd-env
GitHub Actions
Error
rbhavna
temporarily deployed
to
ml-commons-cicd-env
GitHub Actions
Inactive
rbhavna
temporarily deployed
to
ml-commons-cicd-env
GitHub Actions
Inactive
rbhavna
had a problem deploying
to
ml-commons-cicd-env
GitHub Actions
Failure
rbhavna
had a problem deploying
to
ml-commons-cicd-env
GitHub Actions
Error
| @@ -38,24 +38,32 @@ public class MLDeployModelRequest extends MLTaskRequest { | |||
| private String modelId; | |||
| private String[] modelNodeIds; | |||
| boolean async; | |||
| // This is to identify if the get request is initiated by user or not. During auto redeploy also, we perform deploy operation. | |||
There was a problem hiding this comment.
[nit] this is a deploy request not a get request.
@rbhavna are we planning to address this? |
Yes this has been addressed already https://github.com/opensearch-project/ml-commons/pull/2102/files#diff-c341f5a67c1d221e5593dd55fb689e9d0c9a60d33e0fa26090803cfa90818fa7R147 |
Signed-off-by: Bhavana Ramaram <rbhavna@amazon.com>
rbhavna
temporarily deployed
to
ml-commons-cicd-env
GitHub Actions
Inactive
rbhavna
temporarily deployed
to
ml-commons-cicd-env
GitHub Actions
Inactive
rbhavna
temporarily deployed
to
ml-commons-cicd-env
GitHub Actions
Inactive
rbhavna
temporarily deployed
to
ml-commons-cicd-env
GitHub Actions
Inactive
rbhavna
temporarily deployed
to
ml-commons-cicd-env
GitHub Actions
Inactive
rbhavna
temporarily deployed
to
ml-commons-cicd-env
GitHub Actions
Inactive
rbhavna
temporarily deployed
to
ml-commons-cicd-env
GitHub Actions
Inactive
rbhavna
temporarily deployed
to
ml-commons-cicd-env
GitHub Actions
Inactive
rbhavna
temporarily deployed
to
ml-commons-cicd-env
GitHub Actions
Inactive
* enable auto redeploy for hidden model Signed-off-by: Bhavana Ramaram <rbhavna@amazon.com> (cherry picked from commit 9567ca5)
…search-project#2136) * enable auto redeploy for hidden model Signed-off-by: Bhavana Ramaram <rbhavna@amazon.com> (cherry picked from commit 9567ca5) Co-authored-by: Bhavana Ramaram <rbhavna@amazon.com>
|
Why this PR is not backported to main? |
This was merged in this PR @Zhangxunmt #2136 |
…search-project#2136) * enable auto redeploy for hidden model Signed-off-by: Bhavana Ramaram <rbhavna@amazon.com> (cherry picked from commit 9567ca5) Co-authored-by: Bhavana Ramaram <rbhavna@amazon.com>
Description
enable auto redeploy for hidden model
Issues Resolved
[List any issues this PR will resolve]
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.