Add model access control documentation for ML Commons #4223
+771
−74
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Fanit Kolchina <[email protected]>
kolchfa-aws
requested review from
cwillum,
hdhalter,
Naarcha-AWS,
vagimeli,
ananzh,
seanneumann,
AMoo-Miki and
natebower
as code owners
Signed-off-by: Fanit Kolchina <[email protected]>
Signed-off-by: Fanit Kolchina <[email protected]>
Signed-off-by: Fanit Kolchina <[email protected]>
Signed-off-by: Fanit Kolchina <[email protected]>
rbhavna
reviewed
Jun 7, 2023
|
|
||
| - `public`: All users who have access to the cluster can access this model group. | ||
| - `private`: Only the model owner or an admin user can access this model group. | ||
| - `restricted`: The owner, an admin user, or any user who shares one of the model group's backend roles can access any model in this model group. When creating a `restricted` model group, the owner must attach one or more of the owner's backend roles to the model. For a user to be able to access a model group, one of the user's backend roles must match one of the model group's backend roles. This grants the user permissions associated with the user role to which that backend role is mapped. For example, if the backend role is mapped to the `ml_full_access` user role, users with this role can use the Register, Deploy, Predict, Delete, Search and Get Model APIs on any model in this model group. |
There was a problem hiding this comment.
ml_full_access is the permission/security role actually. Also its not necessary a backend role should be mapped to these permission roles, a user can directly be mapped to these permission roles. For example, a user is direclt mapped to "ml_full_access" and has a backend role of that of a model group, then then can perform all the said actions on the models of this group. We might have to rephrase this paragraph a little.
There was a problem hiding this comment.
Thank you for the clarification, reworded.
Signed-off-by: Fanit Kolchina <[email protected]>
ylwu-amzn
reviewed
Jun 8, 2023
_ml-commons-plugin/api.md
Outdated
| } | ||
| ``` | ||
|
|
||
| ## Registering a model | ||
|
|
||
| Use the register operation to register a custom model to a model index. ML Commons splits the model into smaller chunks and saves those chunks in the model's index. | ||
|
|
||
| ### Model access control considerations | ||
|
|
||
| For clusters with model access control enabled, the following users can register new model versions for model groups with the specified access levels: |
There was a problem hiding this comment.
How about add a link to the cluster setting for model access control enabled ? So user can know how to enable model access control
There was a problem hiding this comment.
Ignore the comment, see line 171 already has a link to model access control page.
ylwu-amzn
reviewed
Jun 8, 2023
_ml-commons-plugin/api.md
Outdated
| "description": "test model", | ||
| "model_format": "TORCH_SCRIPT", | ||
| "model_group_id": "FTNlQ4gBYW0Qyy5ZoxfR", | ||
| "model_content_hash_value": "9376c2ebd7c83f99ec2526323786c348d2382e6d86576f750c89ea544d6bbb14", |
There was a problem hiding this comment.
model_content_hash_value is mandatory, add this field to filed table above? Explain that the hash value is using sha-256
ylwu-amzn
reviewed
Jun 8, 2023
_ml-commons-plugin/api.md
Outdated
| "framework_type": "sentence_transformers", | ||
| "all_config": "{\"_name_or_path\":\"nreimers/MiniLM-L6-H384-uncased\",\"architectures\":[\"BertModel\"],\"attention_probs_dropout_prob\":0.1,\"gradient_checkpointing\":false,\"hidden_act\":\"gelu\",\"hidden_dropout_prob\":0.1,\"hidden_size\":384,\"initializer_range\":0.02,\"intermediate_size\":1536,\"layer_norm_eps\":1e-12,\"max_position_embeddings\":512,\"model_type\":\"bert\",\"num_attention_heads\":12,\"num_hidden_layers\":6,\"pad_token_id\":0,\"position_embedding_type\":\"absolute\",\"transformers_version\":\"4.8.2\",\"type_vocab_size\":2,\"use_cache\":true,\"vocab_size\":30522}" | ||
| }, | ||
| "url": "https://github.com/opensearch-project/ml-commons/raw/2.x/ml-algorithms/src/test/resources/org/opensearch/ml/engine/algorithms/text_embedding/all-MiniLM-L6-v2_torchscript_sentence-transformer.zip?raw=true" |
There was a problem hiding this comment.
This file is in github test code, we add this as the pre-trained model not uploaded to model repo yet.
How about change to https://artifacts.opensearch.org/models/ml-models/huggingface/sentence-transformers/all-MiniLM-L6-v2/1.0.1/torch_script/sentence-transformers_all-MiniLM-L6-v2-1.0.1-torch_script.zip
And the model_content_hash_value change to c15f0d2e62d872be5b5bc6c84d2e0f4921541e29fefbef51d59cc10a8ae30e0f
ylwu-amzn
reviewed
Jun 8, 2023
_ml-commons-plugin/api.md
Outdated
| } | ||
| ``` | ||
|
|
||
| ## Deploying a model | ||
|
|
||
| The deploy model operation reads the model's chunks from the model index and then creates an instance of the model to cache into memory. This operation requires the `model_id`. | ||
|
|
||
| ### Model access control considerations | ||
|
|
||
| For clusters with model access control enabled, the following users can deploy models in model groups with the specified access levels: |
There was a problem hiding this comment.
This part seems same with register model API. Actually model access control will be applied to all APIs for uploaded model. Maybe we don't need to specifically mention the access control for register and deploy model API.
ylwu-amzn
reviewed
Jun 8, 2023
| "created_time" : 1665961344044, | ||
| "last_uploaded_time" : 1665961373000, | ||
| "last_loaded_time" : 1665961815959, | ||
| "total_chunks" : 9 | ||
| } | ||
| ``` | ||
|
|
||
| ## Registering a model |
There was a problem hiding this comment.
Add register model group API? User need to register model group first, then register model version to model group.
Signed-off-by: Fanit Kolchina <[email protected]>
Signed-off-by: Fanit Kolchina <[email protected]>
Signed-off-by: Fanit Kolchina <[email protected]>
Signed-off-by: Fanit Kolchina <[email protected]>
rbhavna
reviewed
Jun 13, 2023
| "last_updated_time": 1684362571300, | ||
| "name": "model_group_test", | ||
| "description": "This is an example description", | ||
| "tags": { |
There was a problem hiding this comment.
Can we remove the tags fields and the keys from this response? We actually removed this field and this happened to be an old response.
rbhavna
reviewed
Jun 13, 2023
|
|
||
| - `public`: All users who have access to the cluster can access this model group. | ||
| - `private`: Only the model owner or an admin user can access this model group. | ||
| - `restricted`: The owner, an admin user, or any user who shares one of the model group's backend roles can access any model in this model group. When creating a `restricted` model group, the owner must attach one or more of the owner's backend roles to the model. For a user to be able to access a model group, one of the user's backend roles must match one of the model group's backend roles. |
There was a problem hiding this comment.
Maybe remove the last line here. It seems the same as first sentence.
Signed-off-by: Fanit Kolchina <[email protected]>
rbhavna
approved these changes
Jun 13, 2023
Signed-off-by: Fanit Kolchina <[email protected]>
cwillum
reviewed
Jun 14, 2023
_ml-commons-plugin/api.md
Outdated
|
|
||
| - `public` model group: Any user. | ||
| - `restricted` model group: Only the model owner or users with at least one backend role matching one of the backend roles of this model group. | ||
| - `private` model group: Only the model owner. |
There was a problem hiding this comment.
Is there an extra space in front of private?
| Only admin users can assign backend roles to users. | ||
| {: .note} | ||
|
|
||
| For example, consider two users: `alice` and `bob`. |
There was a problem hiding this comment.
I would set up this example with different language. Something like, "When assigning backend roles, consider the following example:"
And I think the language from the Security Analytics Security page would fit better here, too (same example but worded better).
https://opensearch.org/docs/latest/security-analytics/security/
Signed-off-by: Fanit Kolchina <[email protected]>
Co-authored-by: Chris Moore <[email protected]> Signed-off-by: kolchfa-aws <[email protected]>
Signed-off-by: Fanit Kolchina <[email protected]>
|
@cwillum Reworded and implemented comments. Please review again when you get a chance. Thanks! |
vagimeli
reviewed
Jun 16, 2023
_ml-commons-plugin/api.md
Outdated
|
|
||
| In order to train tasks through the API, three inputs are required. | ||
| In order to train tasks through the API, three inputs are required: |
There was a problem hiding this comment.
Suggested change
| In order to train tasks through the API, three inputs are required: | |
| To train tasks through the API, three inputs are required: |
_ml-commons-plugin/api.md
Outdated
|
|
||
| - Algorithm name: Must be one of a [FunctionName](https://github.com/opensearch-project/ml-commons/blob/1.3/common/src/main/java/org/opensearch/ml/common/parameter/FunctionName.java). This determines what algorithm the ML Engine runs. To add a new function, see [How To Add a New Function](https://github.com/opensearch-project/ml-commons/blob/main/docs/how-to-add-new-function.md). | ||
| - Model hyper parameters: Adjust these parameters to make the model train better. | ||
| - Model hyperparameters: Adjust these parameters to make the model train better. |
There was a problem hiding this comment.
Suggested rewrite: "Model hyperparameters: Adjust these parameters to improve model accuracy."
_ml-commons-plugin/api.md
Outdated
|
|
||
| - Algorithm name: Must be one of a [FunctionName](https://github.com/opensearch-project/ml-commons/blob/1.3/common/src/main/java/org/opensearch/ml/common/parameter/FunctionName.java). This determines what algorithm the ML Engine runs. To add a new function, see [How To Add a New Function](https://github.com/opensearch-project/ml-commons/blob/main/docs/how-to-add-new-function.md). | ||
| - Model hyper parameters: Adjust these parameters to make the model train better. | ||
| - Model hyperparameters: Adjust these parameters to make the model train better. | ||
| - Input data: The data input that trains the ML model, or applies the ML models to predictions. You can input data in two ways, query against your index or use data frame. |
There was a problem hiding this comment.
Suggested change
| - Input data: The data input that trains the ML model, or applies the ML models to predictions. You can input data in two ways, query against your index or use data frame. | |
| - Input data: The data that trains the ML model, or applies the ML models to predictions. You can input data in two ways, query against your index or use a data frame. |
| ``` | ||
| {% include copy-curl.html %} | ||
|
|
||
| The response contains the model ID of the model version: |
There was a problem hiding this comment.
Suggested change
| The response contains the model ID of the model version: | |
| The response contains the model ID of the model version: |
Suggested change
| The response contains the model ID of the model version: | |
| The response contains the `model_ID` of the model version: |
There was a problem hiding this comment.
Similarly to the above comment, I think it's ok.
_ml-commons-plugin/api.md
Outdated
| model_id | string | Returns runtime data for a specific model. You can string together multiple `model_id`s to return multiple model profiles. | ||
| tasks | string | Returns runtime data for a specific task. You can string together multiple `task_id`s to return multiple task profiles. | ||
| model_id | String | Returns runtime data for a specific model. You can string together multiple `model_id`s to return multiple model profiles. | ||
| tasks | String | Returns runtime data for a specific task. You can string together multiple `task_id`s to return multiple task profiles. |
There was a problem hiding this comment.
Should "tasks" be task_id? Or, model_id be "models?" See lines 514 and 515.
There was a problem hiding this comment.
tasks is correct. I put everything in tic marks though.
_ml-commons-plugin/index.md
Outdated
| @@ -13,17 +13,16 @@ ML Commons for OpenSearch eases the development of machine learning features by | |||
|
|
|||
| Interaction with the ML Commons plugin occurs through either the [REST API]({{site.url}}{{site.baseurl}}/ml-commons-plugin/api) or [`ad`]({{site.url}}{{site.baseurl}}/search-plugins/sql/ppl/functions#ad) and [`kmeans`]({{site.url}}{{site.baseurl}}/search-plugins/sql/ppl/functions#kmeans) Piped Processing Language (PPL) commands. | |||
|
|
|||
| Models [trained]({{site.url}}{{site.baseurl}}/ml-commons-plugin/api#train-model) through the ML Commons plugin support model-based algorithms such as kmeans. After you've trained a model enough so that it meets your precision requirements, you can apply the model to [predict]({{site.url}}{{site.baseurl}}/ml-commons-plugin/api#predict) new data safely. | |||
| Models [trained]({{site.url}}{{site.baseurl}}/ml-commons-plugin/api#train-model) through the ML Commons plugin support model-based algorithms such as k-means. After you've trained a model enough so that it meets your precision requirements, you can apply the model to [predict]({{site.url}}{{site.baseurl}}/ml-commons-plugin/api#predict) new data safely. | |||
There was a problem hiding this comment.
Line 12: Define ML on first mention as follows: "ML Commons for...of machine learning (ML)..."
Signed-off-by: Fanit Kolchina <[email protected]>
Co-authored-by: Melissa Vagi <[email protected]> Signed-off-by: kolchfa-aws <[email protected]>
Signed-off-by: Fanit Kolchina <[email protected]>
Signed-off-by: Fanit Kolchina <[email protected]>
Signed-off-by: Fanit Kolchina <[email protected]>
Signed-off-by: Fanit Kolchina <[email protected]>
Signed-off-by: Fanit Kolchina <[email protected]>
vagimeli
approved these changes
Jun 19, 2023
Signed-off-by: Fanit Kolchina <[email protected]>
vagimeli
added a commit
that referenced
this pull request
Jun 22, 2023
* Add model access control documentation for ML Commons Signed-off-by: Fanit Kolchina <[email protected]> * Remove permissions for delete API Signed-off-by: Fanit Kolchina <[email protected]> * Add copy buttons Signed-off-by: Fanit Kolchina <[email protected]> * Updated model-level APIs Signed-off-by: Fanit Kolchina <[email protected]> * Add delete model Signed-off-by: Fanit Kolchina <[email protected]> * Reworded role-related text Signed-off-by: Fanit Kolchina <[email protected]> * Implemented tech review comments Signed-off-by: Fanit Kolchina <[email protected]> * Rewording Signed-off-by: Fanit Kolchina <[email protected]> * Remove experimental warning Signed-off-by: Fanit Kolchina <[email protected]> * Register a model group in note format Signed-off-by: Fanit Kolchina <[email protected]> * Implement tech review comments Signed-off-by: Fanit Kolchina <[email protected]> * Resolved Vale comments Signed-off-by: Fanit Kolchina <[email protected]> * Remove space Signed-off-by: Fanit Kolchina <[email protected]> * Apply suggestions from code review Co-authored-by: Chris Moore <[email protected]> Signed-off-by: kolchfa-aws <[email protected]> * Implemented doc review feedback Signed-off-by: Fanit Kolchina <[email protected]> * Implemented editorial comments Signed-off-by: Fanit Kolchina <[email protected]> * Apply suggestions from code review Co-authored-by: Melissa Vagi <[email protected]> Signed-off-by: kolchfa-aws <[email protected]> * Add more editorial comments Signed-off-by: Fanit Kolchina <[email protected]> * Add more editorial comments Signed-off-by: Fanit Kolchina <[email protected]> * Fix links Signed-off-by: Fanit Kolchina <[email protected]> * Fix more links Signed-off-by: Fanit Kolchina <[email protected]> --------- Signed-off-by: Fanit Kolchina <[email protected]> Signed-off-by: kolchfa-aws <[email protected]> Co-authored-by: Chris Moore <[email protected]> Co-authored-by: Melissa Vagi <[email protected]>
kolchfa-aws
added
the
release-notes
vagimeli
added a commit
that referenced
this pull request
Aug 24, 2023
* Add model access control documentation for ML Commons Signed-off-by: Fanit Kolchina <[email protected]> * Remove permissions for delete API Signed-off-by: Fanit Kolchina <[email protected]> * Add copy buttons Signed-off-by: Fanit Kolchina <[email protected]> * Updated model-level APIs Signed-off-by: Fanit Kolchina <[email protected]> * Add delete model Signed-off-by: Fanit Kolchina <[email protected]> * Reworded role-related text Signed-off-by: Fanit Kolchina <[email protected]> * Implemented tech review comments Signed-off-by: Fanit Kolchina <[email protected]> * Rewording Signed-off-by: Fanit Kolchina <[email protected]> * Remove experimental warning Signed-off-by: Fanit Kolchina <[email protected]> * Register a model group in note format Signed-off-by: Fanit Kolchina <[email protected]> * Implement tech review comments Signed-off-by: Fanit Kolchina <[email protected]> * Resolved Vale comments Signed-off-by: Fanit Kolchina <[email protected]> * Remove space Signed-off-by: Fanit Kolchina <[email protected]> * Apply suggestions from code review Co-authored-by: Chris Moore <[email protected]> Signed-off-by: kolchfa-aws <[email protected]> * Implemented doc review feedback Signed-off-by: Fanit Kolchina <[email protected]> * Implemented editorial comments Signed-off-by: Fanit Kolchina <[email protected]> * Apply suggestions from code review Co-authored-by: Melissa Vagi <[email protected]> Signed-off-by: kolchfa-aws <[email protected]> * Add more editorial comments Signed-off-by: Fanit Kolchina <[email protected]> * Add more editorial comments Signed-off-by: Fanit Kolchina <[email protected]> * Fix links Signed-off-by: Fanit Kolchina <[email protected]> * Fix more links Signed-off-by: Fanit Kolchina <[email protected]> --------- Signed-off-by: Fanit Kolchina <[email protected]> Signed-off-by: kolchfa-aws <[email protected]> Co-authored-by: Chris Moore <[email protected]> Co-authored-by: Melissa Vagi <[email protected]> Signed-off-by: Melissa Vagi <[email protected]>
vagimeli
added a commit
that referenced
this pull request
Aug 24, 2023
This reverts commit e69009b. Signed-off-by: Melissa Vagi <[email protected]>
harshavamsi
pushed a commit
to harshavamsi/documentation-website
that referenced
this pull request
Oct 31, 2023
…ject#4223) * Add model access control documentation for ML Commons Signed-off-by: Fanit Kolchina <[email protected]> * Remove permissions for delete API Signed-off-by: Fanit Kolchina <[email protected]> * Add copy buttons Signed-off-by: Fanit Kolchina <[email protected]> * Updated model-level APIs Signed-off-by: Fanit Kolchina <[email protected]> * Add delete model Signed-off-by: Fanit Kolchina <[email protected]> * Reworded role-related text Signed-off-by: Fanit Kolchina <[email protected]> * Implemented tech review comments Signed-off-by: Fanit Kolchina <[email protected]> * Rewording Signed-off-by: Fanit Kolchina <[email protected]> * Remove experimental warning Signed-off-by: Fanit Kolchina <[email protected]> * Register a model group in note format Signed-off-by: Fanit Kolchina <[email protected]> * Implement tech review comments Signed-off-by: Fanit Kolchina <[email protected]> * Resolved Vale comments Signed-off-by: Fanit Kolchina <[email protected]> * Remove space Signed-off-by: Fanit Kolchina <[email protected]> * Apply suggestions from code review Co-authored-by: Chris Moore <[email protected]> Signed-off-by: kolchfa-aws <[email protected]> * Implemented doc review feedback Signed-off-by: Fanit Kolchina <[email protected]> * Implemented editorial comments Signed-off-by: Fanit Kolchina <[email protected]> * Apply suggestions from code review Co-authored-by: Melissa Vagi <[email protected]> Signed-off-by: kolchfa-aws <[email protected]> * Add more editorial comments Signed-off-by: Fanit Kolchina <[email protected]> * Add more editorial comments Signed-off-by: Fanit Kolchina <[email protected]> * Fix links Signed-off-by: Fanit Kolchina <[email protected]> * Fix more links Signed-off-by: Fanit Kolchina <[email protected]> --------- Signed-off-by: Fanit Kolchina <[email protected]> Signed-off-by: kolchfa-aws <[email protected]> Co-authored-by: Chris Moore <[email protected]> Co-authored-by: Melissa Vagi <[email protected]>
vagimeli
added a commit
that referenced
this pull request
Dec 21, 2023
* Add model access control documentation for ML Commons Signed-off-by: Fanit Kolchina <[email protected]> * Remove permissions for delete API Signed-off-by: Fanit Kolchina <[email protected]> * Add copy buttons Signed-off-by: Fanit Kolchina <[email protected]> * Updated model-level APIs Signed-off-by: Fanit Kolchina <[email protected]> * Add delete model Signed-off-by: Fanit Kolchina <[email protected]> * Reworded role-related text Signed-off-by: Fanit Kolchina <[email protected]> * Implemented tech review comments Signed-off-by: Fanit Kolchina <[email protected]> * Rewording Signed-off-by: Fanit Kolchina <[email protected]> * Remove experimental warning Signed-off-by: Fanit Kolchina <[email protected]> * Register a model group in note format Signed-off-by: Fanit Kolchina <[email protected]> * Implement tech review comments Signed-off-by: Fanit Kolchina <[email protected]> * Resolved Vale comments Signed-off-by: Fanit Kolchina <[email protected]> * Remove space Signed-off-by: Fanit Kolchina <[email protected]> * Apply suggestions from code review Co-authored-by: Chris Moore <[email protected]> Signed-off-by: kolchfa-aws <[email protected]> * Implemented doc review feedback Signed-off-by: Fanit Kolchina <[email protected]> * Implemented editorial comments Signed-off-by: Fanit Kolchina <[email protected]> * Apply suggestions from code review Co-authored-by: Melissa Vagi <[email protected]> Signed-off-by: kolchfa-aws <[email protected]> * Add more editorial comments Signed-off-by: Fanit Kolchina <[email protected]> * Add more editorial comments Signed-off-by: Fanit Kolchina <[email protected]> * Fix links Signed-off-by: Fanit Kolchina <[email protected]> * Fix more links Signed-off-by: Fanit Kolchina <[email protected]> --------- Signed-off-by: Fanit Kolchina <[email protected]> Signed-off-by: kolchfa-aws <[email protected]> Co-authored-by: Chris Moore <[email protected]> Co-authored-by: Melissa Vagi <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #3514
Checklist
For more information on following Developer Certificate of Origin and signing off your commits, please check here.