@akolarkunnu
Contributor

@akolarkunnu akolarkunnu commented Nov 4, 2025

Description

Introduced a new connector parameter "skip_ssl_verification" to enable/disable ssl verification of llm connectors.

Tested with and without setting this parameter and I am able to connect to an LLM server by disabling ssl verification.

Related Issues

Resolves #4371

Check List

  • New functionality includes testing.
  • New functionality has been documented.
  • API changes companion pull request created.
  • Commits are signed per the DCO using --signoff.
  • Public documentation issue/PR - will create it

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Summary by CodeRabbit

  • New Features

    • Added support for skipping SSL certificate verification for remote connectors (AWS and HTTP JSON).
  • API Updates

    • HTTP client factory now accepts an additional option to control SSL verification; connector interfaces expose a parameter key for this setting.
  • Tests

    • Tests updated to cover the SSL verification toggle.

@ylwu-amzn
Collaborator

Thanks for publishing this PR.
Spotless check failed, can you run ./gradlew spotlessApply ?

@ylwu-amzn
Collaborator

Introduced a new setting parameter "plugins.ml_commons.connector.ssl_verification_enabled" to enable/disable ssl verification of llm connectors.

Another option: control enable/disable SSL on connector level

Contributor

@rithin-pullela-aws rithin-pullela-aws left a comment

Thanks for the changes @akolarkunnu !!

Just one high level concern, we call the flag: connector.ssl_verification_enabled
So it should be applicable to all the connectors.

Can we update the MCP and MCPStreamableHTTP connectors with the same logic for SSL validation? We are using java http client behind the scenes:

            // Create streamable HTTP transport
            McpClientTransport transport = HttpClientStreamableHttpTransport
                .builder(mcpServerUrl)
                .endpoint(endpoint)
                .customizeClient(clientBuilder -> {
                    clientBuilder.connectTimeout(connectionTimeout);
                    clientBuilder.followRedirects(HttpClient.Redirect.NORMAL);
                })
                .customizeRequest(headerConfig)
                .build();

@coderabbitai

coderabbitai bot commented Dec 7, 2025

Walkthrough

Adds a new boolean parameter skipSslVerification to the HTTP client factory and propagates it through connector executors; introduces a SKIP_SSL_VERIFICATION constant on the connector interface and updates tests to exercise both values.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| HTTP Client Factory: common/src/main/java/org/opensearch/ml/common/httpclient/MLHttpClientFactory.java | Added skipSslVerification parameter to getAsyncHttpClient; wired into Netty client via buildWithDefaults(AttributeMap.builder().put(SdkHttpConfigurationOption.TRUST_ALL_CERTIFICATES, skipSslVerification).build()); added imports and a warning log when true. |
| Factory Tests: common/src/test/java/org/opensearch/ml/common/httpclient/MLHttpClientFactoryTests.java | Updated test calls to pass the new boolean; added assertions and invoked the factory with both true and false values. |
| Connector Interface: ml-algorithms/src/main/java/org/opensearch/ml/engine/algorithms/remote/RemoteConnectorExecutor.java | Added public constant SKIP_SSL_VERIFICATION = "skip_ssl_verification". |
| Connector Executors: ml-algorithms/src/main/java/org/opensearch/ml/engine/algorithms/remote/AwsConnectorExecutor.java, ml-algorithms/src/main/java/org/opensearch/ml/engine/algorithms/remote/HttpJsonConnectorExecutor.java | Read SKIP_SSL_VERIFICATION from connector parameters (default false) and pass skipSslVerification into MLHttpClientFactory.getAsyncHttpClient(...) (now a 5-arg call). |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Review focus:
    • MLHttpClientFactory.java — verify correct use of AttributeMap and SdkHttpConfigurationOption.TRUST_ALL_CERTIFICATES.
    • Executors (AwsConnectorExecutor, HttpJsonConnectorExecutor) — ensure parameter extraction defaults to false and is forwarded correctly.
    • RemoteConnectorExecutor — confirm adding the constant is API-stable and documented.
    • Tests — validate they meaningfully exercise both code paths and logging behavior.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 5.26% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly and concisely summarizes the main change: adding an option to control certificate validation for LLM connectors, which matches the core functionality of this PR. |
| Description check | ✅ Passed | The description follows the template structure with all required sections (Description, Related Issues, Check List) completed and signed declaration. The description accurately captures the main change and checklist items are marked complete. |
| Linked Issues check | ✅ Passed | The PR implements the feature requested in #4371 by adding skip_ssl_verification parameter to control certificate verification in LLM connectors, matching the linked issue's core requirement. |
| Out of Scope Changes check | ✅ Passed | All code changes are directly related to implementing the SSL verification toggle feature for connectors as specified in #4371, with no extraneous modifications detected. |

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between de4ce11 and 2d657e9.

📒 Files selected for processing (1)
  • common/src/main/java/org/opensearch/ml/common/httpclient/MLHttpClientFactory.java (2 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: spotless
🔇 Additional comments (3)
common/src/main/java/org/opensearch/ml/common/httpclient/MLHttpClientFactory.java (3)

13-13: LGTM! Necessary imports added.

The new imports support the SSL verification configuration functionality.

Also applies to: 16-16


29-43: Excellent security warning implementation.

The warning log effectively addresses the previous review feedback by clearly alerting operators when SSL verification is disabled. The message appropriately emphasizes the security risk and provides guidance to only use this in trusted environments. The updated debug log will aid in troubleshooting.


44-53: LGTM! Correct implementation of SSL verification control.

The TRUST_ALL_CERTIFICATES configuration is properly mapped to the skipSslVerification parameter. When skipSslVerification is true, certificate validation is disabled as intended. The implementation follows the AWS SDK pattern correctly.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 4

🧹 Nitpick comments (5)
common/src/main/java/org/opensearch/ml/common/settings/MLCommonsSettings.java (1)

487-489: Global connector SSL verification flag is wired correctly

The setting name, default (true), scope, and dynamic behavior are consistent with other ML Commons flags and the stated requirements. Be sure to clearly document that setting this to false disables certificate verification cluster‑wide for connector traffic, as this is a high‑risk security toggle.

plugin/src/test/java/org/opensearch/ml/settings/MLFeatureEnabledSettingTests.java (1)

31-31: ClusterSettings wiring for connector SSL flag looks correct

Registering ML_COMMONS_CONNECTOR_SSL_VERIFICATION_ENABLED in ClusterSettings matches how other feature flags are handled and is required for dynamic updates. You may also want to extend these tests to assert mlFeatureEnabledSetting.isConnectorSslVerificationEnabled() in the “all features enabled / some disabled” scenarios, similar to other flags.

Also applies to: 84-85

common/src/main/java/org/opensearch/ml/common/settings/MLFeatureEnabledSetting.java (1)

25-25: Import ordering is inconsistent with the rest of the file.

The new static import should be placed alphabetically between ML_COMMONS_CONNECTOR_PRIVATE_IP_ENABLED and ML_COMMONS_CONTROLLER_ENABLED (around line 11) rather than at the end.

ml-algorithms/src/main/java/org/opensearch/ml/engine/algorithms/remote/HttpJsonConnectorExecutor.java (1)

77-78: Consider adding volatile for consistency with connectorPrivateIpEnabled.

The connectorPrivateIpEnabled field (line 76) is marked volatile, but connectorSslVerificationEnabled is not. While the HTTP client is lazily initialized once and subsequent changes may not take effect immediately, using volatile would be consistent with the existing pattern and ensure visibility across threads.

 @Setter
-private boolean connectorSslVerificationEnabled;
+private volatile boolean connectorSslVerificationEnabled;
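Review bot: On the added `volatile` line, field visibility is not what decides whether a changed flag takes effect. As the comment above notes, the HTTP client is lazily initialized once, so a client that already exists keeps the behaviour it was created with. If the setter can run after the client is built, either rebuild the client there or document that the flag is read only at first use.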
common/src/main/java/org/opensearch/ml/common/httpclient/MLHttpClientFactory.java (1)

29-35: Include SSL verification status in debug log.

The debug log would benefit from including the connectorSslVerificationEnabled parameter to aid in troubleshooting connection issues.

Apply this diff:

             log
                 .debug(
-                    "Creating MLHttpClient with connectionTimeout: {}, readTimeout: {}, maxConnections: {}",
+                    "Creating MLHttpClient with connectionTimeout: {}, readTimeout: {}, maxConnections: {}, sslVerificationEnabled: {}",
                     connectionTimeout,
                     readTimeout,
-                    maxConnections
+                    maxConnections,
+                    connectorSslVerificationEnabled
                 );
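Review bot: The `sslVerificationEnabled: {}` value is added to a `log.debug` call only, so with debug logging off nothing records that a client was created with verification disabled. Keep the debug field, and add a warn-level line for the case where `connectorSslVerificationEnabled` is false so the insecure state is visible without enabling debug output.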
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6de6889 and 3027319.

📒 Files selected for processing (14)
  • common/src/main/java/org/opensearch/ml/common/httpclient/MLHttpClientFactory.java (3 hunks)
  • common/src/main/java/org/opensearch/ml/common/settings/MLCommonsSettings.java (1 hunks)
  • common/src/main/java/org/opensearch/ml/common/settings/MLFeatureEnabledSetting.java (5 hunks)
  • common/src/test/java/org/opensearch/ml/common/httpclient/MLHttpClientFactoryTests.java (1 hunks)
  • common/src/test/java/org/opensearch/ml/common/settings/MLCommonsSettingsTests.java (1 hunks)
  • common/src/test/java/org/opensearch/ml/common/settings/MLFeatureEnabledSettingTests.java (5 hunks)
  • ml-algorithms/src/main/java/org/opensearch/ml/engine/algorithms/remote/AwsConnectorExecutor.java (2 hunks)
  • ml-algorithms/src/main/java/org/opensearch/ml/engine/algorithms/remote/HttpJsonConnectorExecutor.java (2 hunks)
  • ml-algorithms/src/main/java/org/opensearch/ml/engine/algorithms/remote/RemoteConnectorExecutor.java (1 hunks)
  • ml-algorithms/src/main/java/org/opensearch/ml/engine/algorithms/remote/RemoteModel.java (2 hunks)
  • plugin/src/main/java/org/opensearch/ml/action/connector/ExecuteConnectorTransportAction.java (1 hunks)
  • plugin/src/main/java/org/opensearch/ml/model/MLModelManager.java (2 hunks)
  • plugin/src/main/java/org/opensearch/ml/plugin/MachineLearningPlugin.java (1 hunks)
  • plugin/src/test/java/org/opensearch/ml/settings/MLFeatureEnabledSettingTests.java (2 hunks)
🧰 Additional context used
🧬 Code graph analysis (3)
common/src/test/java/org/opensearch/ml/common/settings/MLCommonsSettingsTests.java (1)
common/src/main/java/org/opensearch/ml/common/settings/MLCommonsSettings.java (1)
  • MLCommonsSettings (24-490)
common/src/test/java/org/opensearch/ml/common/settings/MLFeatureEnabledSettingTests.java (1)
common/src/main/java/org/opensearch/ml/common/settings/MLCommonsSettings.java (1)
  • MLCommonsSettings (24-490)
plugin/src/test/java/org/opensearch/ml/settings/MLFeatureEnabledSettingTests.java (1)
common/src/main/java/org/opensearch/ml/common/settings/MLCommonsSettings.java (1)
  • MLCommonsSettings (24-490)
🪛 GitHub Actions: Build and Test ml-commons
ml-algorithms/src/main/java/org/opensearch/ml/engine/algorithms/remote/RemoteModel.java

[error] 128-128: spotlessJavaCheck failed: formatting violations detected in RemoteModel.java. Run './gradlew :opensearch-ml-algorithms:spotlessApply' to fix.

ml-algorithms/src/main/java/org/opensearch/ml/engine/algorithms/remote/HttpJsonConnectorExecutor.java

[error] 185-185: spotlessJavaCheck failed: formatting violations detected in HttpJsonConnectorExecutor.java. Run './gradlew :opensearch-ml-algorithms:spotlessApply' to fix.

ml-algorithms/src/main/java/org/opensearch/ml/engine/algorithms/remote/AwsConnectorExecutor.java

[error] 196-196: spotlessJavaCheck failed: formatting violations detected in AwsConnectorExecutor.java. Run './gradlew :opensearch-ml-algorithms:spotlessApply' to fix.

🔇 Additional comments (11)
plugin/src/main/java/org/opensearch/ml/model/MLModelManager.java (1)

45-45: Connector SSL verification flag correctly propagated to remote models

Importing CONNECTOR_SSL_VERIFICATION_ENABLED and adding it to setUpParameterMap from mlFeatureEnabledSetting.isConnectorSslVerificationEnabled() cleanly wires the new setting into remote model deployment. Note this value is captured when the params map is built (deploy/update‑cache time); changing the cluster setting later won’t affect already‑initialized RemoteModel instances until they’re redeployed or their cache is refreshed.

Also applies to: 1512-1514

plugin/src/main/java/org/opensearch/ml/plugin/MachineLearningPlugin.java (1)

1367-1368: Exposing connector SSL verification setting via plugin is correct

Adding ML_COMMONS_STREAM_ENABLED and ML_COMMONS_CONNECTOR_SSL_VERIFICATION_ENABLED to getSettings() correctly surfaces these feature flags as configurable OpenSearch settings. No issues noted.

common/src/test/java/org/opensearch/ml/common/settings/MLCommonsSettingsTests.java (1)

111-114: Good default-coverage test for connector SSL verification flag

The new test correctly verifies that ML_COMMONS_CONNECTOR_SSL_VERIFICATION_ENABLED defaults to true, matching the intended secure‑by‑default behavior.

plugin/src/main/java/org/opensearch/ml/action/connector/ExecuteConnectorTransportAction.java (1)

84-88: SSL verification flag correctly applied to connector executors

Passing mlFeatureEnabledSetting.isConnectorSslVerificationEnabled() into setConnectorSslVerificationEnabled ensures execute‑connector requests honor the global toggle, consistent with the remote‑model path. Behavior for implementations that don’t override the setter remains unchanged.

ml-algorithms/src/main/java/org/opensearch/ml/engine/algorithms/remote/RemoteConnectorExecutor.java (1)

187-188: Default SSL verification setter on RemoteConnectorExecutor is appropriate

Adding a no-op default setConnectorSslVerificationEnabled(boolean) keeps existing implementations binary-compatible while allowing HTTP-based executors to opt in and honor the flag. This aligns with how other optional setters on the interface are handled.

common/src/main/java/org/opensearch/ml/common/settings/MLFeatureEnabledSetting.java (1)

67-68: LGTM!

The feature flag implementation follows the established pattern: volatile field, initialization from settings, cluster settings update consumer, and getter. The wiring is consistent with other feature flags in this class.

Also applies to: 89-89, 116-116, 253-256

common/src/test/java/org/opensearch/ml/common/settings/MLFeatureEnabledSettingTests.java (1)

51-52: LGTM!

Test coverage appropriately validates:

  1. Setting registration in ClusterSettings
  2. Enabled state when explicitly set to true
  3. Disabled state when explicitly set to false

This is consistent with the testing patterns for other feature flags in this class.

Also applies to: 78-78, 98-98, 121-121, 141-141

ml-algorithms/src/main/java/org/opensearch/ml/engine/algorithms/remote/AwsConnectorExecutor.java (1)

85-87: LGTM!

The new field and setter follow the same pattern as connectorPrivateIpEnabled in this class. The implementation correctly integrates with the SSL verification feature.

common/src/test/java/org/opensearch/ml/common/httpclient/MLHttpClientFactoryTests.java (1)

18-24: LGTM!

The test appropriately validates both true (SSL verification enabled) and false (SSL verification disabled) configurations for the new parameter. This provides basic coverage for the factory method's new signature.

common/src/main/java/org/opensearch/ml/common/httpclient/MLHttpClientFactory.java (2)

13-13: LGTM!

The new imports are necessary for implementing SSL certificate verification control.

Also applies to: 16-16


21-27: Verify all callers have been updated for the new parameter.

The method signature now includes connectorSslVerificationEnabled. Ensure all callers across the codebase have been updated to pass this parameter. This requires manual inspection of all invocations of getAsyncHttpClient to confirm the parameter is correctly supplied at each call site.

@akolarkunnu akolarkunnu had a problem deploying to ml-commons-cicd-env-require-approval December 7, 2025 11:54 — with GitHub Actions Failure
@akolarkunnu akolarkunnu temporarily deployed to ml-commons-cicd-env-require-approval December 7, 2025 11:54 — with GitHub Actions Inactive
@akolarkunnu akolarkunnu had a problem deploying to ml-commons-cicd-env-require-approval December 7, 2025 11:54 — with GitHub Actions Error
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (2)
common/src/main/java/org/opensearch/ml/common/httpclient/MLHttpClientFactory.java (2)

29-35: Consider enhancing debug logging.

The debug log message doesn't include the new skipSslVerification parameter, which would be helpful for troubleshooting SSL-related connection issues.

Apply this diff to include the parameter in the log:

             log
                 .debug(
-                    "Creating MLHttpClient with connectionTimeout: {}, readTimeout: {}, maxConnections: {}",
+                    "Creating MLHttpClient with connectionTimeout: {}, readTimeout: {}, maxConnections: {}, skipSslVerification: {}",
                     connectionTimeout,
                     readTimeout,
-                    maxConnections
+                    maxConnections,
+                    skipSslVerification
                 );

41-43: Consider adding security warning when SSL verification is disabled.

A past review suggested adding a warning-level log when skipSslVerification=true to alert operators about the security implications. While the implementation is correct, adding such a warning would improve operational visibility.

Based on past review comments, consider adding:

         return doPrivileged(() -> {
+            if (skipSslVerification) {
+                log.warn(
+                    "SSL certificate verification is DISABLED. This connection is vulnerable to man-in-the-middle attacks. "
+                    + "Only use this setting in trusted environments."
+                );
+            }
             log
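Review bot: The `log.warn` message inside the added `if (skipSslVerification)` block does not say which connector or endpoint the client is being created for, so an operator who sees it cannot tell which connector to fix. If an identifier is available at the call site, pass it in and include it in the message, together with the parameter name `skip_ssl_verification` that controls the behaviour.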
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3027319 and de4ce11.

📒 Files selected for processing (5)
  • common/src/main/java/org/opensearch/ml/common/httpclient/MLHttpClientFactory.java (3 hunks)
  • common/src/test/java/org/opensearch/ml/common/httpclient/MLHttpClientFactoryTests.java (1 hunks)
  • ml-algorithms/src/main/java/org/opensearch/ml/engine/algorithms/remote/AwsConnectorExecutor.java (1 hunks)
  • ml-algorithms/src/main/java/org/opensearch/ml/engine/algorithms/remote/HttpJsonConnectorExecutor.java (1 hunks)
  • ml-algorithms/src/main/java/org/opensearch/ml/engine/algorithms/remote/RemoteConnectorExecutor.java (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • ml-algorithms/src/main/java/org/opensearch/ml/engine/algorithms/remote/HttpJsonConnectorExecutor.java
🔇 Additional comments (6)
ml-algorithms/src/main/java/org/opensearch/ml/engine/algorithms/remote/AwsConnectorExecutor.java (3)

193-196: Logic is correct and follows secure-by-default principle.

The implementation correctly defaults to false (SSL verification enabled) and only disables verification when explicitly configured. The use of Boolean.parseBoolean safely handles null or invalid values by returning false.


200-201: Method signature change propagated correctly.

The call to MLHttpClientFactory.getAsyncHttpClient correctly includes the new fifth parameter skipSslVerification.


193-196: The referenced constant SKIP_SSL_VERIFICATION does not exist in RemoteConnectorExecutor or elsewhere in the ml-commons repository.

The code snippet at lines 193-196 references a constant that is not defined in the codebase. Verify that this constant either exists in the current codebase or needs to be defined. While AbstractConnectorExecutor correctly implements the RemoteConnectorExecutor interface, the constant accessibility issue cited in the review is not valid since the constant does not exist in RemoteConnectorExecutor.

Likely an incorrect or invalid review comment.

ml-algorithms/src/main/java/org/opensearch/ml/engine/algorithms/remote/RemoteConnectorExecutor.java (1)

68-68: LGTM! Clean constant definition.

The constant follows Java naming conventions and provides a centralized definition for the SSL verification parameter key, making it available to all connector implementations.

common/src/test/java/org/opensearch/ml/common/httpclient/MLHttpClientFactoryTests.java (1)

20-24: Test covers both SSL verification modes.

The test correctly exercises both skipSslVerification values (false and true), ensuring the factory method handles both configurations without errors. The assertions verify successful client creation for both modes.

common/src/main/java/org/opensearch/ml/common/httpclient/MLHttpClientFactory.java (1)

25-26: Core SSL verification logic is correct.

The implementation correctly wires skipSslVerification to TRUST_ALL_CERTIFICATES, enabling the requested functionality to disable certificate validation when needed. The parameter defaults to secure behavior (verification enabled) when callers pass false.

Also applies to: 41-43

@codecov

codecov bot commented Dec 7, 2025

Codecov Report

❌ Patch coverage is 60.00000% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 80.22%. Comparing base (6de6889) to head (de4ce11).

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| ...engine/algorithms/remote/AwsConnectorExecutor.java | 50.00% | 1 Missing and 1 partial ⚠️ |
| ...e/algorithms/remote/HttpJsonConnectorExecutor.java | 50.00% | 1 Missing and 1 partial ⚠️ |
Additional details and impacted files
@@             Coverage Diff              @@
##               main    #4394      +/-   ##
============================================
- Coverage     80.22%   80.22%   -0.01%     
- Complexity    10245    10255      +10     
============================================
  Files           858      858              
  Lines         44552    44558       +6     
  Branches       5158     5160       +2     
============================================
+ Hits          35742    35745       +3     
+ Misses         6639     6635       -4     
- Partials       2171     2178       +7     
| Flag | Coverage Δ |
| --- | --- |
| ml-commons | 80.22% <60.00%> (-0.01%) ⬇️ |

Resolves opensearch-project#4371

Signed-off-by: Abdul Muneer Kolarkunnu <[email protected]>
@akolarkunnu akolarkunnu requested a deployment to ml-commons-cicd-env-require-approval December 8, 2025 02:15 — with GitHub Actions Waiting
@akolarkunnu
Contributor Author

akolarkunnu commented Dec 8, 2025

Introduced a new setting parameter "plugins.ml_commons.connector.ssl_verification_enabled" to enable/disable ssl verification of llm connectors.

Another option: control enable/disable SSL on connector level

Thanks @ylwu-amzn for the suggestion, this approach looks more suitable and convenient here. Introduced a new connector parameter "skip_ssl_verification" to enable/disable ssl verification of llm connectors.

@akolarkunnu
Contributor Author

Thanks for the changes @akolarkunnu !!

Just one high level concern, we call the flag: connector.ssl_verification_enabled So it should be applicable to all the connectors.

Can we update the MCP and MCPStreamableHTTP connectors with the same logic for SSL validation? We are using java http client behind the scenes:

            // Create streamable HTTP transport
            McpClientTransport transport = HttpClientStreamableHttpTransport
                .builder(mcpServerUrl)
                .endpoint(endpoint)
                .customizeClient(clientBuilder -> {
                    clientBuilder.connectTimeout(connectionTimeout);
                    clientBuilder.followRedirects(HttpClient.Redirect.NORMAL);
                })
                .customizeRequest(headerConfig)
                .build();

@rithin-pullela-aws This PR is especially for LLM connectors. We will address MCP connectors in a separate task; I created a task for it: #4504
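
An audit sketch added here as an example; it is not code from this PR or from ml-commons. It classifies connector documents by their `skip_ssl_verification` value using the `Boolean.parseBoolean` rule the review describes, and separately reports connectors whose protocol the thread says is not covered yet (MCP). Assumptions: the name/protocol/parameters document layout, the protocol ids `http`, `aws_sigv4` and `mcp_streamable_http`, and the sample documents, which are constructed.

```python
import json

PARAM_KEY = "skip_ssl_verification"  # connector parameter name introduced by this PR
# Assumption: protocol ids of the two executors the PR changes (HTTP JSON and AWS).
HONORING_PROTOCOLS = {"http", "aws_sigv4"}

# Constructed sample connector documents; names and endpoints are made up.
SAMPLE_CONNECTORS = json.loads("""
[
  {"name": "hosted-llm",  "protocol": "http",
   "parameters": {"endpoint": "api.example.com"}},
  {"name": "local-llm",   "protocol": "http",
   "parameters": {"endpoint": "llm.internal.example", "skip_ssl_verification": "TRUE"}},
  {"name": "sigv4-dev",   "protocol": "aws_sigv4",
   "parameters": {"skip_ssl_verification": "yes"}},
  {"name": "mcp-tools",   "protocol": "mcp_streamable_http",
   "parameters": {"skip_ssl_verification": "true"}},
  {"name": "staging-llm", "protocol": "http",
   "parameters": {"skip_ssl_verification": " true"}},
  {"name": "lab-llm",     "protocol": "aws_sigv4",
   "parameters": {"skip_ssl_verification": true}}
]
""")


def java_parse_boolean(value):
    """Mirror java.lang.Boolean.parseBoolean: true only for a case-insensitive "true".

    null, "yes", "1" and " true" (leading space) all parse as false, which is
    why a missing or mistyped value leaves certificate verification on.
    """
    if isinstance(value, bool):
        # Assumption: a JSON boolean ends up stored as the string "true"/"false".
        value = "true" if value else "false"
    return isinstance(value, str) and value.lower() == "true"


def classify(connector):
    """Return a finding label for one connector document, or None if nothing to report."""
    params = connector.get("parameters") or {}
    if PARAM_KEY not in params:
        return None  # default: verification stays enabled
    raw = params[PARAM_KEY]
    if java_parse_boolean(raw):
        if connector.get("protocol") in HONORING_PROTOCOLS:
            return "VERIFICATION_DISABLED"  # certificates are not checked
        return "FLAG_NOT_HONORED"  # e.g. MCP connectors, deferred in this thread
    if isinstance(raw, bool) or (isinstance(raw, str) and raw.lower() == "false"):
        return None  # explicit false
    # Anything else parses as false: verification stays on, but the operator
    # probably meant something different, so surface it for review.
    return "UNRECOGNIZED_VALUE"


def audit(connectors):
    """Return (name, finding) pairs for every connector that needs attention."""
    findings = []
    for connector in connectors:
        status = classify(connector)
        if status:
            findings.append((connector.get("name", "<unnamed>"), status))
    return findings


if __name__ == "__main__":
    for name, status in audit(SAMPLE_CONNECTORS):
        print(f"{status:22} {name}")
```
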

Development

Successfully merging this pull request may close these issues.

[FEATURE] Add an option to turn on and off the certificate validation of llm connectors

3 participants