Adding enablement service with cluster state

Author: jonathan-buttner

x-pack/plugin/inference/src/main/java/module-info.java

@@ -36,6 +36,7 @@
     requires org.elasticsearch.sslconfig;
     requires org.apache.commons.text;
     requires software.amazon.awssdk.services.sagemakerruntime;
+    requires org.elasticsearch.inference;
 
     exports org.elasticsearch.xpack.inference.action;
     exports org.elasticsearch.xpack.inference.registry;

x-pack/plugin/inference/src/main/java/org/elasticsearch/xpack/inference/InferenceFeatures.java

@@ -57,10 +57,16 @@ public class InferenceFeatures implements FeatureSpecification {
     public static final NodeFeature INFERENCE_CCM_CACHE = new NodeFeature("inference.ccm.cache");
     public static final NodeFeature SEARCH_USAGE_EXTENDED_DATA = new NodeFeature("search.usage.extended_data");
     public static final NodeFeature INFERENCE_AUTH_POLLER_PERSISTENT_TASK = new NodeFeature("inference.auth_poller.persistent_task");
+    public static final NodeFeature INFERENCE_CCM_ENABLEMENT_SERVICE = new NodeFeature("inference.ccm.enablement_service");
 
     @Override
     public Set<NodeFeature> getFeatures() {
-        return Set.of(INFERENCE_ENDPOINT_CACHE, INFERENCE_CCM_CACHE, INFERENCE_AUTH_POLLER_PERSISTENT_TASK);
+        return Set.of(
+            INFERENCE_ENDPOINT_CACHE,
+            INFERENCE_CCM_CACHE,
+            INFERENCE_AUTH_POLLER_PERSISTENT_TASK,
+            INFERENCE_CCM_ENABLEMENT_SERVICE
+        );
     }
 
     @Override

x-pack/plugin/inference/src/main/java/org/elasticsearch/xpack/inference/InferencePlugin.java

@@ -155,6 +155,7 @@
 import org.elasticsearch.xpack.inference.services.elastic.authorization.ElasticInferenceServiceAuthorizationRequestHandler;
 import org.elasticsearch.xpack.inference.services.elastic.ccm.CCMAuthenticationApplierFactory;
 import org.elasticsearch.xpack.inference.services.elastic.ccm.CCMCache;
+import org.elasticsearch.xpack.inference.services.elastic.ccm.CCMEnablementService;
 import org.elasticsearch.xpack.inference.services.elastic.ccm.CCMFeature;
 import org.elasticsearch.xpack.inference.services.elastic.ccm.CCMIndex;
 import org.elasticsearch.xpack.inference.services.elastic.ccm.CCMInformedSettings;
@@ -287,6 +288,7 @@ public List<ActionHandler> getActions() {
             new ActionHandler(PutCCMConfigurationAction.INSTANCE, TransportPutCCMConfigurationAction.class),
             new ActionHandler(DeleteCCMConfigurationAction.INSTANCE, TransportDeleteCCMConfigurationAction.class),
             new ActionHandler(CCMCache.ClearCCMCacheAction.INSTANCE, CCMCache.ClearCCMCacheAction.class),
+            // TODO can I remove this?
             new ActionHandler(AuthorizationTaskExecutor.Action.INSTANCE, AuthorizationTaskExecutor.Action.class),
             new ActionHandler(GetInferenceFieldsAction.INSTANCE, TransportGetInferenceFieldsAction.class)
         );
@@ -458,8 +460,9 @@ private CCMRelatedComponents createCCMDependentComponents(
         ModelRegistry modelRegistry,
         CCMFeature ccmFeature
     ) {
+        var ccmEnablementService = new CCMEnablementService(services.clusterService(), services.featureService(), ccmFeature);
         var ccmPersistentStorageService = new CCMPersistentStorageService(services.client());
-        var ccmService = new CCMService(ccmPersistentStorageService, services.client());
+        var ccmService = new CCMService(ccmPersistentStorageService, ccmEnablementService, services.client(), services.projectResolver());
         var ccmAuthApplierFactory = new CCMAuthenticationApplierFactory(ccmFeature, ccmService);
 
         var authorizationHandler = new ElasticInferenceServiceAuthorizationRequestHandler(
@@ -471,6 +474,8 @@ private CCMRelatedComponents createCCMDependentComponents(
         var authTaskExecutor = AuthorizationTaskExecutor.create(
             services.clusterService(),
             services.featureService(),
+            ccmEnablementService,
+            ccmFeature,
             new AuthorizationPoller.Parameters(
                 serviceComponents,
                 authorizationHandler,
@@ -483,14 +488,7 @@ private CCMRelatedComponents createCCMDependentComponents(
             )
         );
         authorizationTaskExecutorRef.set(authTaskExecutor);
-
-        // If CCM is not allowed in this environment then we can initialize the auth poller task because
-        // authentication with EIS will be through certs that are already configured. If CCM configuration is allowed,
-        // we need to wait for the user to provide an API key before we can start polling EIS
-        if (ccmFeature.isCcmSupportedEnvironment() == false) {
-            logger.info("CCM configuration is not permitted - starting EIS authorization task executor");
-            authTaskExecutor.startAndLazyCreateTask();
-        }
+        authTaskExecutor.startAndLazyCreateTask();
 
         return new CCMRelatedComponents(
             List.of(
@@ -616,7 +614,8 @@ public List<NamedWriteableRegistry.Entry> getNamedWriteables() {
                 )
             ),
             InferenceNamedWriteablesProvider.getNamedWriteables(),
-            AuthorizationTaskExecutor.getNamedWriteables()
+            AuthorizationTaskExecutor.getNamedWriteables(),
+            CCMEnablementService.getNamedWriteables()
         ).flatMap(List::stream).toList();
 
     }
@@ -636,7 +635,8 @@ public List<NamedXContentRegistry.Entry> getNamedXContent() {
                     ClearInferenceEndpointCacheAction.InvalidateCacheMetadata::fromXContent
                 )
             ),
-            AuthorizationTaskExecutor.getNamedXContentParsers()
+            AuthorizationTaskExecutor.getNamedXContentParsers(),
+            CCMEnablementService.getNamedXContentParsers()
         ).flatMap(List::stream).toList();
     }
 

x-pack/plugin/inference/src/main/java/org/elasticsearch/xpack/inference/action/TransportDeleteCCMConfigurationAction.java

@@ -74,6 +74,8 @@ protected void masterOperation(
             return;
         }
 
+        // TODO check that all nodes in the cluster support the feature
+
         var disabledListener = listener.<Void>delegateFailureIgnoreResponseAndWrap(
             delegate -> delegate.onResponse(new CCMEnabledActionResponse(false))
         );

x-pack/plugin/inference/src/main/java/org/elasticsearch/xpack/inference/action/TransportPutCCMConfigurationAction.java

@@ -75,6 +75,8 @@ protected void masterOperation(
             return;
         }
 
+        // TODO check that all nodes in the cluster support the feature
+
         var enabledListener = listener.<Void>delegateFailureIgnoreResponseAndWrap(
             delegate -> delegate.onResponse(new CCMEnabledActionResponse(true))
         );

x-pack/plugin/inference/src/main/java/org/elasticsearch/xpack/inference/services/elastic/authorization/AuthorizationTaskExecutor.java

@@ -10,13 +10,13 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.elasticsearch.ResourceAlreadyExistsException;
-import org.elasticsearch.ResourceNotFoundException;
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.action.ActionType;
 import org.elasticsearch.action.support.ActionFilters;
 import org.elasticsearch.cluster.ClusterChangedEvent;
 import org.elasticsearch.cluster.ClusterState;
 import org.elasticsearch.cluster.ClusterStateListener;
+import org.elasticsearch.cluster.metadata.ProjectId;
 import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
@@ -35,14 +35,15 @@
 import org.elasticsearch.persistent.PersistentTasksCustomMetadata;
 import org.elasticsearch.persistent.PersistentTasksExecutor;
 import org.elasticsearch.persistent.PersistentTasksService;
-import org.elasticsearch.plugins.Plugin;
 import org.elasticsearch.tasks.TaskId;
 import org.elasticsearch.transport.RemoteTransportException;
 import org.elasticsearch.transport.TransportService;
 import org.elasticsearch.xcontent.NamedXContentRegistry;
 import org.elasticsearch.xcontent.ParseField;
 import org.elasticsearch.xpack.inference.InferenceFeatures;
 import org.elasticsearch.xpack.inference.common.BroadcastMessageAction;
+import org.elasticsearch.xpack.inference.services.elastic.ccm.CCMEnablementService;
+import org.elasticsearch.xpack.inference.services.elastic.ccm.CCMFeature;
 
 import java.io.IOException;
 import java.util.List;
@@ -71,10 +72,14 @@ public class AuthorizationTaskExecutor extends PersistentTasksExecutor<Authoriza
     private final AtomicReference<AuthorizationPoller> currentTask = new AtomicReference<>();
     private final AtomicBoolean running = new AtomicBoolean(false);
     private final FeatureService featureService;
+    private final CCMEnablementService ccmEnablementService;
+    private final CCMFeature ccmFeature;
 
     public static AuthorizationTaskExecutor create(
         ClusterService clusterService,
         FeatureService featureService,
+        CCMEnablementService ccmEnablementService,
+        CCMFeature ccmFeature,
         AuthorizationPoller.Parameters parameters
     ) {
         Objects.requireNonNull(clusterService);
@@ -84,6 +89,8 @@ public static AuthorizationTaskExecutor create(
             clusterService,
             new PersistentTasksService(clusterService, parameters.serviceComponents().threadPool(), parameters.client()),
             featureService,
+            ccmEnablementService,
+            ccmFeature,
             parameters
         );
     }
@@ -93,12 +100,16 @@ public static AuthorizationTaskExecutor create(
         ClusterService clusterService,
         PersistentTasksService persistentTasksService,
         FeatureService featureService,
+        CCMEnablementService ccmEnablementService,
+        CCMFeature ccmFeature,
         AuthorizationPoller.Parameters pollerParameters
     ) {
         super(TASK_NAME, pollerParameters.serviceComponents().threadPool().executor(UTILITY_THREAD_POOL_NAME));
         this.clusterService = Objects.requireNonNull(clusterService);
         this.featureService = Objects.requireNonNull(featureService);
         this.persistentTasksService = Objects.requireNonNull(persistentTasksService);
+        this.ccmEnablementService = Objects.requireNonNull(ccmEnablementService);
+        this.ccmFeature = Objects.requireNonNull(ccmFeature);
         this.pollerParameters = Objects.requireNonNull(pollerParameters);
     }
 
@@ -109,20 +120,10 @@ public static AuthorizationTaskExecutor create(
      * get an error indicating that it isn't aware of whether the task is a cluster scoped task.
      */
     public synchronized void startAndLazyCreateTask() {
-        startInternal(false);
+        startInternal();
     }
 
-    /**
-     * Starts the authorization task executor and creates the persistent task if it doesn't already exist. This should only be called from
-     * a context where the cluster state is already initialized. Don't call this from the plugin
-     * {@link org.elasticsearch.xpack.inference.InferencePlugin#createComponents(Plugin.PluginServices)}. Use
-     * {@link #startAndLazyCreateTask()} instead.
-     */
-    public synchronized void startAndImmediatelyCreateTask() {
-        startInternal(true);
-    }
-
-    private void startInternal(boolean createPersistentTask) {
+    private void startInternal() {
         var eisUrl = pollerParameters.elasticInferenceServiceSettings().getElasticInferenceServiceUrl();
 
         logger.info("Authorization task executor EIS URL: [{}]", eisUrl);
@@ -131,14 +132,14 @@ private void startInternal(boolean createPersistentTask) {
         if (Strings.isNullOrEmpty(eisUrl) == false && running.compareAndSet(false, true)) {
             logger.info("Starting authorization task executor");
 
-            if (createPersistentTask) {
-                sendStartRequest(clusterService.state());
-            }
-
             clusterService.addListener(this);
         }
     }
 
+    private void sendStartRequestWithCurrentClusterState() {
+        sendStartRequest(clusterService.state());
+    }
+
     private void sendStartRequest(@Nullable ClusterState state) {
         if (shouldSkipCreatingTask(state)) {
             return;
@@ -161,12 +162,21 @@ private void sendStartRequest(@Nullable ClusterState state) {
         );
     }
 
-    private boolean shouldSkipCreatingTask(@Nullable ClusterState state) {
+    // Default for testing
+    // TODO test this
+    boolean shouldSkipCreatingTask(@Nullable ClusterState state) {
         if (state == null) {
             return true;
         }
 
-        return clusterCanSupportFeature(state) == false || running.get() == false || authorizationTaskExists(state);
+        return clusterCanSupportFeature(state) == false
+            || running.get() == false
+            || authorizationTaskExists(state)
+            || ccmSupportedButNotYetConfigured();
+    }
+
+    private boolean ccmSupportedButNotYetConfigured() {
+        return ccmFeature.isCcmSupportedEnvironment() && ccmEnablementService.isEnabled(ProjectId.DEFAULT) == false;
     }
 
     private boolean clusterCanSupportFeature(@Nullable ClusterState state) {
@@ -185,31 +195,6 @@ private static boolean authorizationTaskExists(@Nullable ClusterState state) {
         return ClusterPersistentTasksCustomMetadata.getTaskWithId(state, TASK_NAME) != null;
     }
 
-    public synchronized void stop() {
-        if (running.compareAndSet(true, false)) {
-            logger.info("Shutting down authorization task executor");
-            clusterService.removeListener(this);
-
-            sendStopRequest();
-        }
-    }
-
-    private void sendStopRequest() {
-        persistentTasksService.sendClusterRemoveRequest(
-            TASK_NAME,
-            TimeValue.THIRTY_SECONDS,
-            ActionListener.wrap(
-                persistentTask -> logger.info("Stopped authorization poller task, id {}", persistentTask.getId()),
-                exception -> {
-                    var thrownException = exception instanceof RemoteTransportException ? exception.getCause() : exception;
-                    if (thrownException instanceof ResourceNotFoundException == false) {
-                        logger.error("Failed to stop authorization poller task", exception);
-                    }
-                }
-            )
-        );
-    }
-
     /**
      * This method should only be used for testing purposes to get the current running task.
      */
@@ -270,11 +255,6 @@ public static List<NamedWriteableRegistry.Entry> getNamedWriteables() {
         );
     }
 
-    /**
-     * This action is used to broadcast to all the nodes that the authorization task executor should start or stop.
-     * This is specifically useful for CCM, since whether to do the polling depends on the CCM
-     * configuration to exist first.
-     */
     public static class Action extends BroadcastMessageAction<Message> {
         public static final String NAME = "cluster:internal/xpack/inference/update_authorization_task";
         public static final ActionType<Response> INSTANCE = new ActionType<>(NAME);
@@ -295,9 +275,7 @@ public Action(
         @Override
         protected void receiveMessage(Message message) {
             if (message.enable()) {
-                authorizationTaskExecutor.startAndImmediatelyCreateTask();
-            } else {
-                authorizationTaskExecutor.stop();
+                authorizationTaskExecutor.sendStartRequestWithCurrentClusterState();
             }
         }
     }