Skipping auth call if ccm is not configured

Author: jonathan-buttner

x-pack/plugin/inference/src/main/java/org/elasticsearch/xpack/inference/InferencePlugin.java

@@ -487,7 +487,9 @@ private CCMRelatedComponents createCCMDependentComponents(
         var authorizationHandler = new ElasticInferenceServiceAuthorizationRequestHandler(
             inferenceServiceSettings.getElasticInferenceServiceUrl(),
             services.threadPool(),
-            ccmAuthApplierFactory
+            ccmAuthApplierFactory,
+            ccmFeature,
+            ccmService
         );
 
         var authTaskExecutor = AuthorizationTaskExecutor.create(

x-pack/plugin/inference/src/main/java/org/elasticsearch/xpack/inference/action/TransportGetInferenceServicesAction.java

@@ -158,7 +158,7 @@ private void getEisAuthorization(ActionListener<ElasticInferenceServiceAuthoriza
             delegate.onResponse(ElasticInferenceServiceAuthorizationModel.unauthorized());
         });
 
-        eisAuthorizationRequestHandler.getAuthorization(disabledServiceListener, sender);
+        eisAuthorizationRequestHandler.getAuthorizationSkippingIfCcmNotConfigured(disabledServiceListener, sender);
     }
 
     private List<InferenceServiceConfiguration> getServiceConfigurationsForServices(

x-pack/plugin/inference/src/main/java/org/elasticsearch/xpack/inference/action/TransportPutCCMConfigurationAction.java

@@ -112,7 +112,9 @@ protected void masterOperation(
             var authRequestHandler = new ElasticInferenceServiceAuthorizationRequestHandler(
                 eisSettings.getElasticInferenceServiceUrl(),
                 threadPool,
-                new ValidationAuthenticationFactory(request.getApiKey())
+                new ValidationAuthenticationFactory(request.getApiKey()),
+                ccmFeature,
+                ccmService
             );
 
             var errorListener = authValidationListener.delegateResponse((delegate, exception) -> {

x-pack/plugin/inference/src/main/java/org/elasticsearch/xpack/inference/services/elastic/authorization/ElasticInferenceServiceAuthorizationRequestHandler.java

@@ -23,6 +23,8 @@
 import org.elasticsearch.xpack.inference.external.http.sender.Sender;
 import org.elasticsearch.xpack.inference.services.elastic.ElasticInferenceServiceResponseHandler;
 import org.elasticsearch.xpack.inference.services.elastic.ccm.AuthenticationFactory;
+import org.elasticsearch.xpack.inference.services.elastic.ccm.CCMFeature;
+import org.elasticsearch.xpack.inference.services.elastic.ccm.CCMService;
 import org.elasticsearch.xpack.inference.services.elastic.request.ElasticInferenceServiceAuthorizationRequest;
 import org.elasticsearch.xpack.inference.services.elastic.response.ElasticInferenceServiceAuthorizationResponseEntity;
 import org.elasticsearch.xpack.inference.telemetry.TraceContext;
@@ -56,17 +58,23 @@ private static ResponseHandler createAuthResponseHandler() {
     private final Logger logger;
     private final CountDownLatch requestCompleteLatch = new CountDownLatch(1);
     private final AuthenticationFactory authFactory;
+    private final CCMFeature ccmFeature;
+    private final CCMService ccmService;
 
     public ElasticInferenceServiceAuthorizationRequestHandler(
         @Nullable String baseUrl,
         ThreadPool threadPool,
-        AuthenticationFactory authFactory
+        AuthenticationFactory authFactory,
+        CCMFeature ccmFeature,
+        CCMService ccmService
     ) {
         this(
             baseUrl,
             Objects.requireNonNull(threadPool),
             LogManager.getLogger(ElasticInferenceServiceAuthorizationRequestHandler.class),
-            authFactory
+            authFactory,
+            ccmFeature,
+            ccmService
         );
     }
 
@@ -75,12 +83,16 @@ public ElasticInferenceServiceAuthorizationRequestHandler(
         @Nullable String baseUrl,
         ThreadPool threadPool,
         Logger logger,
-        AuthenticationFactory authFactory
+        AuthenticationFactory authFactory,
+        CCMFeature ccmFeature,
+        CCMService ccmService
     ) {
         this.baseUrl = baseUrl;
         this.threadPool = Objects.requireNonNull(threadPool);
         this.logger = Objects.requireNonNull(logger);
         this.authFactory = Objects.requireNonNull(authFactory);
+        this.ccmFeature = Objects.requireNonNull(ccmFeature);
+        this.ccmService = Objects.requireNonNull(ccmService);
     }
 
     /**
@@ -89,57 +101,98 @@ public ElasticInferenceServiceAuthorizationRequestHandler(
      * @param sender a {@link Sender} for making the request to the Elastic Inference Service
      */
     public void getAuthorization(ActionListener<ElasticInferenceServiceAuthorizationModel> listener, Sender sender) {
-        try {
-            logger.debug("Retrieving authorization information from the Elastic Inference Service.");
+        getAuthorizationHelper(listener, sender, false);
+    }
+
+    /**
+     * Skips retrieving the authorization information from Elastic Inference Service if CCM is not configured,
+     * and it is a supported environment, a supported environment would be on-prem or ECK. ECH and serverless are not supported
+     * environments for CCM (because they can already connect to EIS). For environments where CCM is not supported, it will always
+     * attempt to retrieve the authorization information.
+     * @param listener a listener to receive the response
+     * @param sender a {@link Sender} for making the request to the Elastic Inference Service
+     */
+    public void getAuthorizationSkippingIfCcmNotConfigured(
+        ActionListener<ElasticInferenceServiceAuthorizationModel> listener,
+        Sender sender
+    ) {
+        getAuthorizationHelper(listener, sender, true);
+    }
 
-            if (Strings.isNullOrEmpty(baseUrl)) {
-                logger.debug("The base URL for the authorization service is not valid, rejecting authorization.");
-                listener.onResponse(ElasticInferenceServiceAuthorizationModel.unauthorized());
+    private void getAuthorizationHelper(
+        ActionListener<ElasticInferenceServiceAuthorizationModel> listener,
+        Sender sender,
+        boolean skipIfCcmNotConfigured
+    ) {
+        var countdownListener = ActionListener.runAfter(listener, requestCompleteLatch::countDown);
+
+        try {
+            if (skipIfCcmNotConfigured == false || ccmFeature.isCcmSupportedEnvironment() == false) {
+                retrieveAuthorizationInformation(countdownListener, sender);
                 return;
             }
 
-            var handleFailuresListener = listener.delegateResponse((authModelListener, e) -> {
-                // unwrap because it's likely a retry exception
-                var exception = ExceptionsHelper.unwrapCause(e);
-
-                logger.warn(Strings.format(FAILED_TO_RETRIEVE_MESSAGE + " Encountered an exception: %s", exception), exception);
-                authModelListener.onFailure(e);
+            var isCcmEnabledListener = ActionListener.<Boolean>wrap(response -> {
+                if (response == null || response == false) {
+                    logger.debug("CCM is not configured, skipping authorization request to Elastic Inference Service.");
+                    countdownListener.onResponse(ElasticInferenceServiceAuthorizationModel.unauthorized());
+                } else {
+                    retrieveAuthorizationInformation(countdownListener, sender);
+                }
+            }, e -> {
+                logger.atDebug().withThrowable(e).log("Failed to determine if CCM is configured, returning unauthorized.");
+                countdownListener.onResponse(ElasticInferenceServiceAuthorizationModel.unauthorized());
             });
 
-            SubscribableListener.newForked(sender::startAsynchronously)
-                .andThen(authFactory::getAuthenticationApplier)
-                .<InferenceServiceResults>andThen((authListener, authApplier) -> {
-                    var requestMetadata = extractRequestMetadataFromThreadContext(threadPool.getThreadContext());
-                    var request = new ElasticInferenceServiceAuthorizationRequest(
-                        baseUrl,
-                        getCurrentTraceInfo(),
-                        requestMetadata,
-                        authApplier
-                    );
-                    sender.sendWithoutQueuing(logger, request, AUTH_RESPONSE_HANDLER, DEFAULT_AUTH_TIMEOUT, authListener);
-                })
-                .andThenApply(authResult -> {
-                    if (authResult instanceof ElasticInferenceServiceAuthorizationResponseEntity authResponseEntity) {
-                        logger.debug(() -> Strings.format("Received authorization information from gateway %s", authResponseEntity));
-                        return ElasticInferenceServiceAuthorizationModel.of(authResponseEntity, baseUrl);
-                    }
-
-                    var errorMessage = Strings.format(
-                        "%s Received an invalid response type from the Elastic Inference Service: %s",
-                        FAILED_TO_RETRIEVE_MESSAGE,
-                        authResult.getClass().getSimpleName()
-                    );
-
-                    logger.warn(errorMessage);
-                    throw new ElasticsearchException(errorMessage);
-                })
-                .addListener(ActionListener.runAfter(handleFailuresListener, requestCompleteLatch::countDown));
+            ccmService.isEnabled(isCcmEnabledListener);
         } catch (Exception e) {
             logger.warn(Strings.format("Retrieving the authorization information encountered an exception: %s", e));
-            requestCompleteLatch.countDown();
+            countdownListener.onFailure(e);
         }
     }
 
+    private void retrieveAuthorizationInformation(ActionListener<ElasticInferenceServiceAuthorizationModel> listener, Sender sender) {
+        logger.debug("Retrieving authorization information from the Elastic Inference Service.");
+
+        if (Strings.isNullOrEmpty(baseUrl)) {
+            logger.debug("The base URL for the authorization service is not valid, rejecting authorization.");
+            listener.onResponse(ElasticInferenceServiceAuthorizationModel.unauthorized());
+            return;
+        }
+
+        var handleFailuresListener = listener.delegateResponse((authModelListener, e) -> {
+            // unwrap because it's likely a retry exception
+            var exception = ExceptionsHelper.unwrapCause(e);
+
+            logger.warn(Strings.format(FAILED_TO_RETRIEVE_MESSAGE + " Encountered an exception: %s", exception), exception);
+            authModelListener.onFailure(e);
+        });
+
+        SubscribableListener.newForked(sender::startAsynchronously)
+            .andThen(authFactory::getAuthenticationApplier)
+            .<InferenceServiceResults>andThen((authListener, authApplier) -> {
+                var requestMetadata = extractRequestMetadataFromThreadContext(threadPool.getThreadContext());
+                var request = new ElasticInferenceServiceAuthorizationRequest(baseUrl, getCurrentTraceInfo(), requestMetadata, authApplier);
+                sender.sendWithoutQueuing(logger, request, AUTH_RESPONSE_HANDLER, DEFAULT_AUTH_TIMEOUT, authListener);
+            })
+            .andThenApply(authResult -> {
+                if (authResult instanceof ElasticInferenceServiceAuthorizationResponseEntity authResponseEntity) {
+                    logger.debug(() -> Strings.format("Received authorization information from gateway %s", authResponseEntity));
+                    return ElasticInferenceServiceAuthorizationModel.of(authResponseEntity, baseUrl);
+                }
+
+                var errorMessage = Strings.format(
+                    "%s Received an invalid response type from the Elastic Inference Service: %s",
+                    FAILED_TO_RETRIEVE_MESSAGE,
+                    authResult.getClass().getSimpleName()
+                );
+
+                logger.warn(errorMessage);
+                throw new ElasticsearchException(errorMessage);
+            })
+            .addListener(handleFailuresListener);
+    }
+
     private TraceContext getCurrentTraceInfo() {
         var traceParent = threadPool.getThreadContext().getHeader(Task.TRACE_PARENT_HTTP_HEADER);
         var traceState = threadPool.getThreadContext().getHeader(Task.TRACE_STATE);