IT Security Tests for model access control (#1095) (#1097)

* IT Security Tests for model access control Signed-off-by: Bhavana Ramaram <[email protected]> * Fix assertion error Signed-off-by: Bhavana Ramaram <[email protected]> * Fix format violations Signed-off-by: Bhavana Ramaram <[email protected]> --------- Signed-off-by: Bhavana Ramaram <[email protected]> (cherry picked from commit e752968) Co-authored-by: Bhavana Ramaram <[email protected]>
opensearch-project · Jul 12, 2023 · c6e881d · c6e881d
1 parent 11a3571
commit c6e881d
Show file tree

Hide file tree

Showing 5 changed files with 1,067 additions and 146 deletions.
diff --git a/...n/src/main/java/org/opensearch/ml/action/model_group/TransportUpdateModelGroupAction.java b/...n/src/main/java/org/opensearch/ml/action/model_group/TransportUpdateModelGroupAction.java
@@ -218,7 +218,7 @@ private void validateRequestForAccessControl(MLUpdateModelGroupInput input, User
             && !modelAccessControlHelper.isAdmin(user)
             && !modelAccessControlHelper.isOwnerStillHasPermission(user, mlModelGroup)) {
             throw new IllegalArgumentException(
-                "You don’t have the specified backend role to update access control data. For more information, contact your administrator."
+                "You don’t have the specified backend role to update this model group. For more information, contact your administrator."
             );
         }
         AccessMode accessMode = input.getModelAccessMode();
@@ -258,7 +258,9 @@ private boolean hasAccessControlChange(MLUpdateModelGroupInput input) {
     }
 
     private void validateSecurityDisabledOrModelAccessControlDisabled(MLUpdateModelGroupInput input) {
-        if (input.getModelAccessMode() != null || input.getIsAddAllBackendRoles() != null || input.getBackendRoles() != null) {
+        if (input.getModelAccessMode() != null
+            || input.getIsAddAllBackendRoles() != null
+            || !CollectionUtils.isEmpty(input.getBackendRoles())) {
             throw new IllegalArgumentException(
                 "You cannot specify model access control parameters because the Security plugin or model access control is disabled on your cluster."
             );

diff --git a/.../test/java/org/opensearch/ml/action/model_group/TransportUpdateModelGroupActionTests.java b/.../test/java/org/opensearch/ml/action/model_group/TransportUpdateModelGroupActionTests.java
@@ -172,7 +172,7 @@ public void test_OwnerNoMoreHasPermissionException() {
         ArgumentCaptor<Exception> argumentCaptor = ArgumentCaptor.forClass(Exception.class);
         verify(actionListener).onFailure(argumentCaptor.capture());
         assertEquals(
-            "You don’t have the specified backend role to update access control data. For more information, contact your administrator.",
+            "You don’t have the specified backend role to update this model group. For more information, contact your administrator.",
             argumentCaptor.getValue().getMessage()
         );
     }

diff --git a/plugin/src/test/java/org/opensearch/ml/rest/MLCommonsRestTestCase.java b/plugin/src/test/java/org/opensearch/ml/rest/MLCommonsRestTestCase.java
@@ -657,13 +657,14 @@ public MLRegisterModelInput createRegisterModelInput(String modelGroupID) {
     }
 
     public MLRegisterModelGroupInput createRegisterModelGroupInput(
+        String name,
         List<String> backendRoles,
         AccessMode modelAccessMode,
         Boolean isAddAllBackendRoles
     ) {
         return MLRegisterModelGroupInput
             .builder()
-            .name("modelGroupName")
+            .name(name)
             .description("This is a test model group")
             .backendRoles(backendRoles)
             .modelAccessMode(modelAccessMode)