Adds capability to automatically switch to old access-control if model-group is excluded from protected resources setting

[DarshitChanpura]

Depends on: opensearch-project/security#5677

Description

Adds capability to automatically switch to old access-control if model-group is excluded from protected resources setting.

For more details to enable/disable cluster setting, refer this guide:
https://github.com/opensearch-project/security/blob/main/RESOURCE_SHARING_AND_ACCESS_CONTROL.md#part-2-cluster-admin-and-user-guide

Check List

• New functionality includes testing.
• New functionality has been documented.
• API changes companion pull request created.
• Commits are signed per the DCO using --signoff.
• Public documentation issue/PR created.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[DarshitChanpura]

blocked by:
#4279

[DarshitChanpura]

Unable to reproduce the tests failures locally:

Tests with failures:
 - org.opensearch.ml.action.model_group.DeleteModelGroupTransportActionTests.test_ValidationFailedException
 - org.opensearch.ml.action.model_group.TransportUpdateModelGroupActionTests.test_UserSpecifiedRestrictedButNoBackendRolesField
 - org.opensearch.ml.action.model_group.TransportUpdateModelGroupActionTests.test_NoAccessUserUpdatingModelGroupException

[DarshitChanpura]

Found the root cause:
Since ResourceSharingClientAccessor is static and I added tests here that changes the value inside those tests it caused flaky-ness; as tests are run inside same jvm and if the last test that ran left the accessor assigned to some value, next test that didn't expect it would fail.

./gradlew :opensearch-ml-plugin:test                                                                                    
=======================================
OpenSearch Build Hamster says Hello!
  Gradle Version        : 8.14.3
  OS Info               : Mac OS X 15.7.1 (aarch64)
  JDK Version           : 21 (Eclipse Temurin JDK)
  JAVA_HOME             : /Users/dchanp/.sdkman/candidates/java/21.0.4-tem
  Random Testing Seed   : FE9A768CB2E8A43F
  Crypto Standard       : any-supported
=======================================

> Task :opensearch-ml-plugin:compileTestJava
Note: Some input files use or override a deprecated API.
Note: Recompile with -Xlint:deprecation for details.
Note: Some input files use unchecked or unsafe operations.
Note: Recompile with -Xlint:unchecked for details.

...

BUILD SUCCESSFUL in 54s
27 actionable tasks: 2 executed, 25 up-to-date

[DarshitChanpura]

integTest failure:

Tests with failures:
 - org.opensearch.ml.rest.RestMLRAGSearchProcessorIT.testBM25WithCohere

not related to this PR.

Seems flaky as well since it passed on another run:
https://github.com/opensearch-project/ml-commons/actions/runs/18600818784/job/53038758361?pr=4244

[dhrubo-os]

Overall looks good. Can you please update your PR description with more details like how customer will disable this resource? This will help to understand better the end to end flow.

[DarshitChanpura]

Overall looks good. Can you please update your PR description with more details like how customer will disable this resource? This will help to understand better the end to end flow.

done.

[codecov]

Codecov Report

❌ Patch coverage is 64.28571% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 80.18%. Comparing base (f5510c9) to head (1f72bc2).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
...opensearch/ml/helper/ModelAccessControlHelper.java	33.33%	2 Missing and 2 partials ⚠️
.../opensearch/ml/action/handler/MLSearchHandler.java	66.66%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##               main    #4244      +/-   ##
============================================
+ Coverage     80.11%   80.18%   +0.06%     
- Complexity    10160    10180      +20     
============================================
  Files           854      854              
  Lines         44219    44221       +2     
  Branches       5113     5114       +1     
============================================
+ Hits          35428    35459      +31     
+ Misses         6639     6617      -22     
+ Partials       2152     2145       -7     

Flag	Coverage Δ
ml-commons	80.18% <64.28%> (+0.06%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.