This version of the OpenSearch documentation is no longer maintained. For the latest version, see the current documentation. For information about OpenSearch version maintenance, see Release Schedule and Maintenance Policy.

ML extensibility

Machine learning (ML) extensibility enables ML developers to create integrations with other ML services, such as Amazon SageMaker or OpenAI. These integrations provide system administrators and data scientists the ability to run ML workloads outside of their OpenSearch cluster.

To get started with ML extensibility, choose from the following options:

Prerequisites

If you’re an admin deploying an ML connector, make sure that the target model of the connector has already been deployed on your chosen platform. Furthermore, make sure that you have permissions to send and receive data to the third-party API for your connector.

When access control is enabled on your third-party platform, you can enter your security settings using the authorization or credential settings inside the connector API.

Adding trusted endpoints

To configure connectors in OpenSearch, add the trusted endpoints to your cluster settings using the plugins.ml_commons.trusted_connector_endpoints_regex setting, which supports Java regex expressions, as shown in the following example:

  1. PUT /_cluster/settings
  2. {
  3. "persistent": {
  4. "plugins.ml_commons.trusted_connector_endpoints_regex": [
  5. "^https://runtime\\.sagemaker\\..*[a-z0-9-]\\.amazonaws\\.com/.*$",
  6. "^https://api\\.openai\\.com/.*$",
  7. "^https://api\\.cohere\\.ai/.*$"
  8. ]
  9. }
  10. }

copy

Setting up connector access control

If you plan on using a remote connector, make sure to use an OpenSearch cluster with the Security plugin enabled. Using the Security plugin gives you access to connector access control, which is required when using a remote connector.

If you require granular access control for your connectors, use the following cluster setting:

  1. PUT /_cluster/settings
  2. {
  3. "persistent": {
  4. "plugins.ml_commons.connector_access_control_enabled": true
  5. }
  6. }

copy

When access control is enabled, you can install the Security plugin. This makes the backend_roles, add_all_backend_roles, or access_model options required in order to use the connector API. If successful, OpenSearch returns the following response:

  1. {
  2. "acknowledged": true,
  3. "persistent": {
  4. "plugins": {
  5. "ml_commons": {
  6. "connector_access_control_enabled": "true"
  7. }
  8. }
  9. },
  10. "transient": {}
  11. }

Node settings

Remote models based on external connectors consume fewer resources. Therefore, you can deploy any model from a standalone connector using data nodes. To make sure that your standalone connection uses data nodes, set plugins.ml_commons.only_run_on_ml_node to false, as shown in the following example:

  1. PUT /_cluster/settings
  2. {
  3. "persistent": {
  4. "plugins.ml_commons.only_run_on_ml_node": false
  5. }
  6. }

copy

Next steps