Make crypto store settings immutable

Signed-off-by: Rajat Gupta <[email protected]>

Author: Rajat Gupta

CHANGELOG.md

@@ -33,7 +33,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Allow the truncate filter in normalizers ([#19778](https://github.com/opensearch-project/OpenSearch/issues/19778))
 - Support pull-based ingestion message mappers and raw payload support ([#19765](https://github.com/opensearch-project/OpenSearch/pull/19765))
 - Support dynamic consumer configuration update in pull-based ingestion ([#19963](https://github.com/opensearch-project/OpenSearch/pull/19963))
-
+- Add validation to make crypto store settings immutable ([#20123](https://github.com/opensearch-project/OpenSearch/pull/20123))
 ### Changed
 - Faster `terms` query creation for `keyword` field with index and docValues enabled ([#19350](https://github.com/opensearch-project/OpenSearch/pull/19350))
 - Refactor to move prepareIndex and prepareDelete methods to Engine class ([#19551](https://github.com/opensearch-project/OpenSearch/pull/19551))

server/src/main/java/org/opensearch/cluster/metadata/MetadataUpdateSettingsService.java

@@ -142,6 +142,7 @@ public void updateSettings(
         validateRefreshIntervalSettings(normalizedSettings, clusterService.getClusterSettings());
         validateTranslogDurabilitySettings(normalizedSettings, clusterService.getClusterSettings(), clusterService.getSettings());
         validateIndexTotalPrimaryShardsPerNodeSetting(normalizedSettings, clusterService);
+        validateCryptoStoreSettings(normalizedSettings, request.indices(), clusterService.state());
         final int defaultReplicaCount = clusterService.getClusterSettings().get(Metadata.DEFAULT_REPLICA_COUNT_SETTING);
 
         Settings.Builder settingsForClosedIndices = Settings.builder();
@@ -589,4 +590,32 @@ public static void validateIndexTotalPrimaryShardsPerNodeSetting(Settings indexS
             );
         }
     }
+
+    /**
+     * Validates crypto store settings are immutable after index creation.
+     */
+    public static void validateCryptoStoreSettings(Settings indexSettings, Index[] indices, ClusterState clusterState) {
+        final String[] restrictedCryptoSettings = {
+            "index.store.crypto.key_provider",
+            "index.store.crypto.kms.key_arn",
+            "index.store.crypto.kms.encryption_context" };
+
+        // Crypto settings are completely immutable - reject any attempt to modify them
+        for (String settingKey : restrictedCryptoSettings) {
+            if (indexSettings.keySet().contains(settingKey)) {
+                throw new IllegalArgumentException("Cannot update [" + settingKey + "] - crypto settings are immutable");
+            }
+        }
+
+        // Validate store type changes
+        String newStoreType = indexSettings.get("index.store.type");
+        if ("cryptofs".equals(newStoreType)) {
+            for (Index index : indices) {
+                String currentStoreType = clusterState.metadata().getIndexSafe(index).getSettings().get("index.store.type", "");
+                if (!"cryptofs".equals(currentStoreType)) {
+                    throw new IllegalArgumentException("Cannot change store type to 'cryptofs' for index [" + index.getName() + "]");
+                }
+            }
+        }
+    }
 }