[ML] Improve EIS auth call logs and fix revocation bug #132546
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jonathan-buttner
added
>bug
:ml
|
Hi @jonathan-buttner, I've created a changelog YAML for you. |
jonathan-buttner
commented
Aug 7, 2025
| logger.debug(() -> Strings.format("Authorization entity limited to service task types, %s", authorizedTaskTypesAndModels)); | ||
|
|
||
| // recalculate which default config ids and models are authorized now | ||
| var authorizedDefaultModelIds = getAuthorizedDefaultModelIds(auth); |
There was a problem hiding this comment.
The bug is here and the line below where we reference auth instead of authorizedTaskTypesAndModels. In the fixed version we're using the auth.newLimitedToTaskTypes response instead.
| ElasticInferenceServiceAuthorizationModel.of( | ||
| new ElasticInferenceServiceAuthorizationResponseEntity( | ||
| List.of( | ||
| new ElasticInferenceServiceAuthorizationResponseEntity.AuthorizedModel( |
There was a problem hiding this comment.
Previously the first response was merged with the second auth response. Now the latest successful auth response dictates the auth so we need to repeat the model again in the second response for this test.
| listener.onResponse(ElasticInferenceServiceAuthorizationModel.newDisabledService()); | ||
|
|
||
| logger.warn(errorMessage); | ||
| listener.onFailure(new ElasticsearchException(errorMessage)); |
There was a problem hiding this comment.
We're now returning an error when a failure occurs. The caller will ignore the error and it will not affect the authorization. This way we can differentiate between a failure authorization and a successful one. Whenever onResponse is called we'll use that response object as the source of truth for authorization.
|
Pinging @elastic/ml-core (Team:ML) |
prwhelan
approved these changes
Aug 11, 2025
| logger.debug("Received authorization response"); | ||
| var authorizedTaskTypesAndModels = authorizedContent.get().taskTypesAndModels.merge(auth) | ||
| .newLimitedToTaskTypes(EnumSet.copyOf(implementedTaskTypes)); | ||
| logger.debug(() -> Strings.format("Received authorization response, %s", auth)); |
There was a problem hiding this comment.
For future reference, loggers have a formatter, I believe, something like:
logger.debug("Received authorization response, {}", auth);
|
|
||
| @Override | ||
| public String toString() { | ||
| return String.join(", ", authorizedModels.stream().map(AuthorizedModel::toString).toList()); |
There was a problem hiding this comment.
Suggested change
| return String.join(", ", authorizedModels.stream().map(AuthorizedModel::toString).toList()); | |
| return authorizedModels.stream().map(AuthorizedModel::toString).collect(Collectors.joining(", ")); |
…elasticsearch into inference-log-eis-auth
This was referenced Aug 11, 2025
jonathan-buttner
added a commit
to jonathan-buttner/elasticsearch
that referenced
this pull request
Aug 11, 2025
* Fixing revoking and adding logs * Fixing tests * Update docs/changelog/132546.yaml * [CI] Auto commit changes from spotless * Addressing feedback --------- Co-authored-by: elasticsearchmachine <[email protected]>
jonathan-buttner
added a commit
to jonathan-buttner/elasticsearch
that referenced
this pull request
Aug 11, 2025
* Fixing revoking and adding logs * Fixing tests * Update docs/changelog/132546.yaml * [CI] Auto commit changes from spotless * Addressing feedback --------- Co-authored-by: elasticsearchmachine <[email protected]>
jonathan-buttner
added a commit
to jonathan-buttner/elasticsearch
that referenced
this pull request
Aug 11, 2025
* Fixing revoking and adding logs * Fixing tests * Update docs/changelog/132546.yaml * [CI] Auto commit changes from spotless * Addressing feedback --------- Co-authored-by: elasticsearchmachine <[email protected]>
elasticsearchmachine
pushed a commit
that referenced
this pull request
Aug 11, 2025
…2690) * Fixing revoking and adding logs * Fixing tests * Update docs/changelog/132546.yaml * [CI] Auto commit changes from spotless * Addressing feedback --------- Co-authored-by: elasticsearchmachine <[email protected]>
elasticsearchmachine
pushed a commit
that referenced
this pull request
Aug 11, 2025
…2691) * Fixing revoking and adding logs * Fixing tests * Update docs/changelog/132546.yaml * [CI] Auto commit changes from spotless * Addressing feedback --------- Co-authored-by: elasticsearchmachine <[email protected]>
elasticsearchmachine
pushed a commit
that referenced
this pull request
Aug 13, 2025
#132693) * [ML] Improve EIS auth call logs and fix revocation bug (#132546) * Fixing revoking and adding logs * Fixing tests * Update docs/changelog/132546.yaml * [CI] Auto commit changes from spotless * Addressing feedback --------- Co-authored-by: elasticsearchmachine <[email protected]> * Fixing mock registry --------- Co-authored-by: elasticsearchmachine <[email protected]>
elasticsearchmachine
pushed a commit
that referenced
this pull request
Aug 13, 2025
… (#132692) * [ML] Improve EIS auth call logs and fix revocation bug (#132546) * Fixing revoking and adding logs * Fixing tests * Update docs/changelog/132546.yaml * [CI] Auto commit changes from spotless * Addressing feedback --------- Co-authored-by: elasticsearchmachine <[email protected]> * Fixing mock registry --------- Co-authored-by: elasticsearchmachine <[email protected]>
szybia
added a commit
to szybia/elasticsearch
that referenced
this pull request
Aug 15, 2025
* upstream/8.19: (62 commits) Use consistent terminology for transport version resources/references (elastic#132882) (elastic#132898) Move inner records out of TransportVersionUtils (elastic#132872) (elastic#132886) Forward port release notes for v8.18.5 (elastic#132758) Add more transport version files validation (elastic#132373) (elastic#132777) Forward port release notes for v8.17.10 (elastic#132760) Refactor TransportVersion loading to support external consumers (elastic#132694) (elastic#132862) manual backporting| (elastic#132783) 9.1 docs backports for 8.19 features (elastic#132605) Migrate x-pack-deprecation REST tests (elastic#131444) (elastic#132802) Update 8.19.1.asciidoc (elastic#132755) Update wolfi (versioned) (elastic#132752) Update 8.19.0.asciidoc (elastic#132754) Prune changelogs after 8.19.2 release Bump versions after 8.19.2 release Finalize release notes for v8.19.2 Bump versions after 8.17.10 release Prune changelogs after 8.18.5 release Bump versions after 8.18.5 release Add release notes for v8.19.2 release (elastic#132696) [ML] Improve EIS auth call logs and fix revocation bug (elastic#132546) (elastic#132690) ...
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds some logging to the EIS authorization call to help debugging authorization failures. While I was doing that I found a bug and made some improvements. The bug was that we didn't use the "merged" authorization object for the revoking but we use it for determining whether the service supports streaming and which task types.
After talking with the team we decided we don't need to merge the previous authorization object with the newly retrieved one. That way when we get a successful response it is always the source of truth. This also means we don't need a node reboot to perform revocation.
I'm backporting this to when we added the periodic auth call in this PR: #123639
New logs
Here's an example of what the logs will look like
Testing
Modify the acl that EIS returns in this file to change which models are authorized:
eis_dir/acl/acl.yamlExecute EIS locally:
Run ES pointing to EIS
Change how often ES polls for authorization
Then you can stop EIS, modify the ACL file and restart it and ES will pickup the change.
Then use
GET _inference/_allto retrieve the authorized default endpoints to ensure they match what EIS is returning.