Add validation to inference update operation

[Jan-Kazlouski-elastic]

This PR fixes: #122356
Validation is added to Update action.

#137241 (comment) suggests 3 options for fixing this.

1. Converting the Model back to an UnparsedModel. Not implemented because Model fields are immutable and cannot be changed.
2. Run the updates on the various settings while they are still unparsed. Not implemented because in that case validation methods such as newSecretSettings and updateServiceSettings, updateTaskSettings are not called that when combining, so we'd have to create two parsed Models instead of one. Logic of dealing with maps proved to be very complex and risky.
3. Move combineExistingModelWithNewSettings into a more service specific location.

Third approach was implemented by combining of configs and secrets was separated into 2 methods that return ModelConfigurations and ModelSecrets respectively, by calling specially implemented methods. Based on those ModelConfigurations and ModelSecrets - by introducing new method for building a Model to InferenceService interface that uses provider specific constructors we're able to perform the validation using the updated Model that is going to be replacing the existing one.

• - Have you signed the contributor license agreement?
• - Have you followed the contributor guidelines?
• - If submitting code, have you built your formula locally prior to submission with gradle check?
• - If submitting code, is your pull request against main? Unless there is a good reason otherwise, we prefer pull requests against main and will backport as needed.
• - If submitting code, have you checked that your submission is for an OS and architecture that we support?
• - If you are submitting this code for a class then read our policy for that.

[elasticsearchmachine]

Pinging @elastic/search-inference-team (Team:Search - Inference)

[DonalEvans]

@Jan-Kazlouski-elastic Please could you add an appropriate changelog file at docs/changelog/140003.yaml? Thanks!

[DonalEvans]

There seems to be a lot of duplication of logic between the buildModelFromConfigAndSecrets() implementations and the existing logic in parseRequestConfig() for each service class. Would it be possible to extract the common code into methods that can be called from either buildModelFromConfigAndSecrets() or parseRequestConfig() ?

Also, there are no tests added in this PR, despite a lot of behaviour being changed. Could you please add unit tests for each of the buildModelFromConfigAndSecrets() implementations, and if possible, tests that cover the new behaviour in TransportUpdateInferenceModelAction, showing that attempting to update the model to be invalid causes an error and the model not to be updated, but updating to a valid model succeeds.

[DonalEvans]

For consistency with other services, there should be a check that the taskType passed in is supported here.

[Jan-Kazlouski-elastic]

Done.

[DonalEvans]

These casts to DefaultSecretSettings can be removed if the constructors for the Nvidia*Model classes are left as they were before this PR.

[Jan-Kazlouski-elastic]

Done.

[DonalEvans]

These casts to DefaultSecretSettings can be removed if the constructors for the OpenShift models are left as they were before this PR.

[Jan-Kazlouski-elastic]

Done.

[DonalEvans]

This would be a little more consistent as:

TaskSettings existingTaskSettings = existingConfigs.getTaskSettings();
ServiceSettings existingServiceSettings = existingConfigs.getServiceSettings();

TaskSettings newTaskSettings = existingTaskSettings;
ServiceSettings newServiceSettings = existingServiceSettings;

if (newSettings.serviceSettings() != null) {
    newServiceSettings = newServiceSettings.updateServiceSettings(newSettings.serviceSettings());
}
if (newSettings.taskSettings() != null && existingTaskSettings != null) {
    newTaskSettings = newTaskSettings.updatedTaskSettings(newSettings.taskSettings());
}

[Jan-Kazlouski-elastic]

Agreed. Done.

[Jan-Kazlouski-elastic]

@Jan-Kazlouski-elastic Please could you add an appropriate changelog file at docs/changelog/140003.yaml? Thanks!

Added.

[Jan-Kazlouski-elastic]

Apologies if they've been added and I've missed them, but we definitely need a test (possibly in InferenceCrudIT, but I could also see an argument for creating an update-specific test class) for the chunking settings being overwritten bug, and tests that confirm that we validate the model when doing an update, both successful and unsuccessful. I think it will be necessary to modify the Test*ServiceExtension classes to allow validation to fail, because right now as long as the task type is correct, inference calls always succeed on the test services.

Hello @DonalEvans @jonathan-buttner
PR has been updated with unit tests added in TransportUpdateInferenceModelActionTests and InferenceCrudIT and is ready for another round of review.
The validation failures in InferenceCrudIT are triggered by validation_should_fail boolean task setting.

[DonalEvans]

Great work expanding the unit test coverage for TransportUpdateInferenceModelAction!

[DonalEvans]

Nitpick, but this can be made a little more readable by changing it to:

if (((TestRerankingServiceExtension.TestTaskSettings) model.getTaskSettings()).shouldFailValidation()) {

since the TestRerankingServiceExtension version of TestTaskSettings.shouldFailValidation() returns a primitive boolean which can never be null.

[Jan-Kazlouski-elastic]

Good catch. Fixed.

[DonalEvans]

In addition to asserting that the validation call fails, these tests should also check that the model was not actually updated by getting the settings and confirming that they were not changed, since that's what we really care about here.

As a side note, I tried to copy what the testCRUD() method was doing to check the api_key setting (starting on line 102), but it seems like the test is flawed, because the map returned by getModels() does not contain an entry for "api_key", because we don't return the API key with the other service settings. That test also incorrectly compares the old API key value from the model with the local variable used to set the new API key, not the value returned from the model after updating it, which is why the test is able to pass despite the field not being present.

I don't think we actually have a way to confirm that the API key was updated, since there's no way to get the API key associated with an endpoint (as far as I know), so we'll have to confirm that the settings as a whole weren't updated instead, something like this:

putModel("sparse_embedding_model", mockSparseServiceModelConfig(), SPARSE_EMBEDDING);
var originalModel = getModel("sparse_embedding_model");
var e = expectThrows(
    ResponseException.class,
    () -> updateEndpoint("sparse_embedding_model", updateConfigWithFailedValidationFlag(SPARSE_EMBEDDING))
);
assertThat(e.getMessage(), containsString("validation call intentionally failed based on task settings"));
var modelAfterUpdate = getModel("sparse_embedding_model");
assertThat(modelAfterUpdate, is(originalModel));

[Jan-Kazlouski-elastic]

Added the proposed checks. Thank you.

[DonalEvans]

Just to avoid potential confusion, it would be better to explicitly pass false in here and on line 94, even though the tests pass with either value because no validation is performed.

[Jan-Kazlouski-elastic]

Done.

[DonalEvans]

This test could be made slightly stronger by asserting that the exception that gets thrown is the same instance, not that the message is the same instance:

var expectedException = new RuntimeException("Model not found");
mockGetModelWithSecretsToFailWithException(expectedException);

var listener = callMasterOperationWithActionFuture();

var exception = expectThrows(RuntimeException.class, () -> listener.actionGet(TimeValue.timeValueSeconds(5)));
assertThat(exception, sameInstance(expectedException));

[Jan-Kazlouski-elastic]

Sure. Done.

[DonalEvans]

Unless there's a specific reason to use a shorter timeout, we should be using ESTestCase.TEST_REQUEST_TIMEOUT instead of 5 seconds in these tests. Using too short a timeout runs the risk of flaky failures if the hardware the test runs on is slow or there's a big GC just at the wrong time or something.

[Jan-Kazlouski-elastic]

Sure. I just used the one that was there for this test file already. Replaced it with the common timeout value. Good catch.

[DonalEvans]

This test name doesn't match what the test is asserting, since the exception thrown is a RuntimeException, not an ElasticsearchStatusException

[Jan-Kazlouski-elastic]

Good catch. Improved the test with sameInstance assertion for the exception thrown.

[DonalEvans]

Is this verification necessary? We only really care that the configs aren't updated, not whether we call these getters, since getters should have no effect on anything.

There's quite a lot of unnecessary verifications in these tests, so I won't comment on every single one, but in general, verification should only check things that we expect to have an impact on behaviour/state, so methods with no side effects like getters don't need to be verified. In most of these tests, simply confirming that the state of the configurations matches what's expected is enough.

[Jan-Kazlouski-elastic]

Done.

[DonalEvans]

Other than the verification that we call updateServiceSettings() and updatedTaskSettings() (methods that affect the state of the objects they're called on), I don't think we need all this verification.

[Jan-Kazlouski-elastic]

Fair enough. Adding verification for all of the calls was an overkill. I left only updateServiceSettings, updatedTaskSettings and newSecretSettings ones + the ones that validate that no calls were registered when they are not expected.

[DonalEvans]

sameInstance() checks should be used when we want to confirm that some object is the same in-memory object as some other object. It's a stronger check than simply checking equality, because two objects can be equal but not the same instance. However, for things like Strings, enum values and some primitives, this check is not really appropriate, since two Strings with the same value will end up being converted to the same in-memory object in Java, so if the Strings are equal, they will necessarily also be the same instance.

For example, this test passes:

String aString = "value";
String anotherString = "value";
assertThat(aString, sameInstance(anotherString));

whereas this one fails, even though .equals() would return true when comparing the two lists:

var aList = List.of("value");
var anotherList = List.of("value");
assertThat(aList, sameInstance(anotherList));

[Jan-Kazlouski-elastic]

Yes, you are correct. That is the reason sameInstance check is used here for comparing whether or not checked variables are pointing towards the same object in the memory and not just equal to each other. It IS intentional.

if the Strings are equal, they will necessarily also be the same instance

I would disagree. For the strings there are cases when 2 strings while being equal to each other are not pointing towards the same object. Per example new String("value") would be equal but not the same as "value". Or in case of runtime concatenation:

String base = "va";
String s1 = "value";
String s2 = base + "lue";

assertThat(s1, sameInstance(s2)); // fails

Only usage of .intern() would make those variables point to the same object.

In these checks it is used to stay consistent with other checks because we DO expect same object to be used.
Do you want me to change it to is()? That wouldn't affect the result but would relax the checks. I wouldn't want to do that. The risk of meeting these cases when equals != same is minimal but not 0%. So I would keep it as is. Because in the logic - same String object is used. It just keeps things more understandable.

[DonalEvans]

For the strings there are cases when 2 strings while being equal to each other are not pointing towards the same object.

Very true! I'd forgotten about those cases, my statement was definitely too broad. I'm fine with leaving these assertions as they are, but I think that while sameInstance() is a stronger check, it's not always necessary to use it.

My philosophy with test assertions is that they should assert the expected behaviour rather than the implementation details, so while it's true that the String values are the same instance here, we don't actually care if they are or not, from a behaviour point of view. It's like using the InOrder interface from Mockito when doing verification; it's a stronger check to assert that methods are called in a particular order, but we only use that stronger check when it's really relevant to the behaviour of the method we're testing. If for some reason the implementation changed so that the String returned from resultModelConfigurations.getInferenceEntityId() was not the same instance as returned from model.getInferenceEntityId(), would we actually care? It would be a small inefficiency in the code, but probably not worth failing a test over.

All that being said, I'm fine with this as it is, it's just a personal preference in terms of testing.

[Jan-Kazlouski-elastic]

Perfectly understandable. In this particular case usage of the method that was used for other fields seemed OK, so let's keep it that way. Overall - very useful discussion. Thank you.

[DonalEvans]

Related to this comment, I don't think this is the behaviour we want in this scenario. If there are no existing secret settings and a user wants to add some (and, somehow, both those scenarios are valid for the service they're using) then I think we should either use the new secret settings instead of ignoring them, or return an error to let the user know that the update they tried to perform failed.

[Jan-Kazlouski-elastic]

The case described fits one of the issues discussed earlier in slack thread. I know that with 10k+ changed lines it might sound strange but I would want to a minimum the actual changes to the behavior. Right now the actual behavior changed in whether or not validation call to the provider is done and chunking settings are not lost anymore.

With understanding of your comment I would love to address it in a separate PR (for #140888 since it anyway will require changes to the logic of secret settings update) along with this test. Is that ok with you?

[DonalEvans]

Yeah, addressing this in another PR is absolutely fine

[Jan-Kazlouski-elastic]

Hello @DonalEvans! Thank you for your comments. All of them are addressed. Would you please give this PR another look?