@DarshitChanpura
Member

@DarshitChanpura DarshitChanpura commented Nov 14, 2025

Description

Resolves NPE thrown when user is null and RP code path is executed:

[2025-11-12T20:39:52,966][WARN ][r.suppressed             ][15e5649158172924e763e324589e0541] path: /_plugins/_ml/models/_register, params: {}
java.lang.NullPointerException: Cannot invoke "org.opensearch.commons.authuser.User.getName()" because "user" is null
    at org.opensearch.ml.helper.ModelAccessControlHelper.lambda$validateModelGroupAccess$4(ModelAccessControlHelper.java:184)
    at org.opensearch.core.action.ActionListener$1.onResponse(ActionListener.java:82)
    at org.opensearch.security.resources.ResourceAccessHandler.lambda$hasPermission$0(ResourceAccessHandler.java:185)
    at org.opensearch.core.action.ActionListener$1.onResponse(ActionListener.java:82)
    at org.opensearch.security.resources.ResourceSharingIndexHandler.lambda$fetchSharingInfo$24(ResourceSharingIndexHandler.java:579)
    at org.opensearch.core.action.ActionListener$1.onResponse(ActionListener.java:82)
    at org.opensearch.action.support.TransportAction$1.onResponse(TransportAction.java:115)
    at org.opensearch.action.support.TransportAction$1.onResponse(TransportAction.java:109)
    at org.opensearch.action.support.single.shard.TransportSingleShardAction$AsyncSingleAction$2.handleResponse(TransportSingleShardAction.java:298)
    at org.opensearch.action.support.single.shard.TransportSingleShardAction$AsyncSingleAction$2.handleResponse(TransportSingleShardAction.java:284)
    at org.opensearch.security.transport.SecurityInterceptor$RestoringTransportResponseHandler.handleResponse(SecurityInterceptor.java:430)
    at org.opensearch.transport.TransportService$ContextRestoreResponseHandler.handleResponse(TransportService.java:1587)
    at org.opensearch.transport.TransportService$DirectResponseChannel.processResponse(TransportService.java:1680)
    at org.opensearch.transport.TransportService$DirectResponseChannel.sendResponse(TransportService.java:1660)
    at org.opensearch.transport.TaskTransportChannel.sendResponse(TaskTransportChannel.java:72)
    at org.opensearch.action.support.ChannelActionListener.onResponse(ChannelActionListener.java:62)
    at org.opensearch.action.support.ChannelActionListener.onResponse(ChannelActionListener.java:45)
    at org.opensearch.action.ActionRunnable.lambda$supply$0(ActionRunnable.java:74)
    at org.opensearch.action.ActionRunnable$2.doRun(ActionRunnable.java:89)
    at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:984)
    at org.opensearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:52)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
    at java.base/java.lang.Thread.run(Thread.java:1583)

We are updating the migrate API such that all resources with no owners will now have a "default_owner" to be supplied upon calling the migrate API.
(opensearch-project/security#5789)

These resources will not have public access by default. Instead, they will have to be shared publicly.

Related Issues

Check List

  • New functionality includes testing.
  • New functionality has been documented.
  • API changes companion pull request created.
  • Commits are signed per the DCO using --signoff.
  • Public documentation issue/PR created.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Contributor

@brianf-aws brianf-aws left a comment

Thank you for providing the fix! Do we need any backport labels?

Let's also monitor the CI.

new OpenSearchStatusException(
"User "
+ user.getName()
+ (user == null ? null : user.getName())
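
Review bot: on the `+ (user == null ? null : user.getName())` line, the null branch is concatenated into the exception message as the literal text "User null", which reads like an account named null in logs and API responses. Use an explicit placeholder string for the no-user case, or reject a null user before the permission callback runs so this message is only ever built with a real user. A unit test that drives this path with a null user would pin down the fix for the NPE at ModelAccessControlHelper.java:184 shown in the stack trace.
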
Collaborator

If user is null and model group is public, does the user have access or not?

Member Author

No, null users are not granted access.

If you are talking from an anonymous user login perspective, then yes, since anonymous users can access a resource in two ways:

  1. Resource is shared with anonymous user or backend role (https://github.com/opensearch-project/security/blob/9e6047f99da4df3404e2d52f3afe4e49e508c3a5/src/main/java/org/opensearch/security/auth/BackendRegistry.java#L480)
  2. Resource is marked as public by following the new convention (https://github.com/opensearch-project/security/blob/main/RESOURCE_SHARING_AND_ACCESS_CONTROL.md#example-publicly-shared-resource)
