Conversation

@RajatGupta02
Contributor

@RajatGupta02 RajatGupta02 commented Nov 29, 2025

Description

The Opensearch-storage-encryption plugin introduces some index settings which should be immutable after index creation. This PR adds validation that disallows updates to these crypto settings.

Check List

  • Functionality includes testing.
  • API changes companion pull request created, if applicable.
  • Public documentation issue/PR created, if applicable.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Summary by CodeRabbit

  • New Features

    • Enforces immutability of crypto-related store settings so sensitive store configuration cannot be altered after index creation.
    • Prevents invalid transitions of index store types involving encrypted store variants, rejecting attempts to switch to or from those types.
  • Bug Fixes

    • Ensures settings updates validate crypto-store constraints and fail early for disallowed changes.


@coderabbitai

coderabbitai bot commented Nov 29, 2025

Walkthrough

Adds a validator that prevents changes to crypto-related index store settings (including switching to/from the cryptofs store type); integrates the validator into settings update flow and documents the change in the changelog.

Changes

Cohort / File(s) Change Summary
Changelog
CHANGELOG.md
Added an Unreleased 3.x entry documenting the new validation that makes crypto store settings immutable with a PR reference.
Crypto Store Validation
server/src/main/java/org/opensearch/cluster/metadata/MetadataUpdateSettingsService.java
Added public static void validateCryptoStoreSettings(Settings indexSettings, Index[] indices, ClusterState clusterState) and invoked it from updateSettings(); rejects modifications to crypto-related settings and disallows changing index.store.type to or from cryptofs.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Review the new validation method for correctness and edge cases (multi-index updates, absent cluster metadata).
  • Verify error messages and thrown exception types for clarity and consistency with existing validation.
  • Ensure updateSettings() integration path triggers validation in all relevant update scenarios.

"I hopped through code at break of day,
Locked keys and types to keep mischief away,
A tiny guard in a quiet nest,
Keeping secrets snug and blessed,
Cheers to safe stores—now hop and play! 🥕🔐"

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%. You can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (2 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately and concisely summarizes the main change—making crypto store settings immutable—which matches the core functionality added in the PR.
Description check ✅ Passed The description includes the required sections (Description, Check List) and explains the purpose, but is missing a 'Related Issues' section that should reference the issue being resolved.

📜 Recent review details


📥 Commits

Reviewing files that changed from the base of the PR and between f26f1c4 and 7b8ca93.

📒 Files selected for processing (1)
  • server/src/main/java/org/opensearch/cluster/metadata/MetadataUpdateSettingsService.java (2 hunks)
🔇 Additional comments (1)
server/src/main/java/org/opensearch/cluster/metadata/MetadataUpdateSettingsService.java (1)

145-146: Crypto store validation is correctly wired into the update flow

Hooking validateCryptoStoreSettings right after normalization and other pre-submit validations ensures all index settings updates go through the new immutability checks without disturbing the later open/closed handling. This integration point looks good.



@RajatGupta02 RajatGupta02 force-pushed the ile_disallow_settings_update branch from e9c8610 to 65126b1 Compare November 29, 2025 07:57
@RajatGupta02 RajatGupta02 marked this pull request as ready for review November 29, 2025 07:58
@RajatGupta02 RajatGupta02 requested a review from a team as a code owner November 29, 2025 07:58

// Validate store type changes
String newStoreType = indexSettings.get("index.store.type");
if ("cryptofs".equals(newStoreType)) {
Contributor


and vice versa? if you have cryptofs as store type it cannot be modified.

Contributor


this could be included in restrictedCryptoSettings.

Contributor Author


yeah we should also prevent cryptofs -> non-cryptofs update. But it shouldn't be included in restrictedCryptoSettings as it will prevent ALL store type changes for all indices.

@github-actions
Contributor

❌ Gradle check result for 65126b1: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

Signed-off-by: Rajat Gupta <[email protected]>

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (3)
server/src/main/java/org/opensearch/cluster/metadata/MetadataUpdateSettingsService.java (3)

145-145: Consider moving crypto validation inside the execute() method for consistency.

The validation uses clusterService.state(), which gets the cluster state at submission time. However, validateSearchReplicaCountSettings (line 296) performs similar index-specific validation inside the execute() method using the execution-time currentState. Moving validateCryptoStoreSettings inside execute() would ensure validation against the authoritative state and maintain consistency with the pattern used for other index-specific validations.

While the bidirectional nature of the cryptofs checks (blocking both TO and FROM) provides inherent safety against race conditions, aligning with the existing pattern would be clearer.


594-608: LGTM! Clear validation logic for crypto setting immutability.

The validation correctly enforces that crypto settings cannot be modified after index creation. The straightforward check against indexSettings.keySet() is appropriate and efficient.

Optional improvements:

  1. Extract the restricted settings array as a class-level constant for better maintainability:
+    private static final String[] RESTRICTED_CRYPTO_SETTINGS = {
+        "index.store.crypto.key_provider",
+        "index.store.crypto.kms.key_arn",
+        "index.store.crypto.kms.encryption_context"
+    };
+
     /**
-     * Validates crypto store settings are immutable after index creation.
+     * Validates that crypto-related store settings are immutable after index creation.
+     * Prevents updates to crypto configuration settings and validates store type changes
+     * to/from cryptofs are not permitted.
      */
     public static void validateCryptoStoreSettings(Settings indexSettings, Index[] indices, ClusterState clusterState) {
-        final String[] restrictedCryptoSettings = {
-            "index.store.crypto.key_provider",
-            "index.store.crypto.kms.key_arn",
-            "index.store.crypto.kms.encryption_context" };
-
         // Crypto settings are completely immutable - reject any attempt to modify them
-        for (String settingKey : restrictedCryptoSettings) {
+        for (String settingKey : RESTRICTED_CRYPTO_SETTINGS) {
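Review bot: the `RESTRICTED_CRYPTO_SETTINGS` constant proposed at the top of this hunk is still a `String[]`, and `final` on an array only freezes the reference, so its entries can be overwritten at runtime by any code in the class; for a deny list that guards key material, `Set.of("index.store.crypto.key_provider", "index.store.crypto.kms.key_arn", "index.store.crypto.kms.encryption_context")` is immutable, keeps the `for (String settingKey : ...)` loop body unchanged, and states the intent more clearly than an array does.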
  2. Enhanced JavaDoc provides clearer documentation of the method's purpose.

610-628: LGTM! Bidirectional cryptofs validation correctly implemented.

The logic properly prevents both changing TO cryptofs and changing FROM cryptofs, addressing the concern raised in past review comments. The approach of checking store type changes separately from the other crypto settings is appropriate, as it allows this validation to be granular (only affecting cryptofs) rather than blocking all store type changes.

Minor enhancement: The error messages could be more consistent in explaining the rationale:

                 // Prevent changing TO cryptofs
                 if ("cryptofs".equals(newStoreType) && !"cryptofs".equals(currentStoreType)) {
-                    throw new IllegalArgumentException("Cannot change store type to 'cryptofs' for index [" + index.getName() + "]");
+                    throw new IllegalArgumentException(
+                        "Cannot change store type to 'cryptofs' for index [" + index.getName() + "] - cryptofs store type is immutable"
+                    );
                 }
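Review bot: the revised message covers only the TO-cryptofs branch shown in this hunk; the FROM-cryptofs throw that the comment above says follows it (outside the hunk) needs the same ` - cryptofs store type is immutable` suffix, otherwise the two messages end up less consistent than before, which is the opposite of what the suggestion sets out to fix. Including the index's current store type in the message would also let an operator see exactly which transition was refused.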

Based on past review comments, the decision to handle store type separately from restrictedCryptoSettings is correct, as including it there would prevent all store type changes for all indices.

📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between 65126b1 and 5cbc0c5.

📒 Files selected for processing (1)
  • server/src/main/java/org/opensearch/cluster/metadata/MetadataUpdateSettingsService.java (2 hunks)
🔇 Additional comments (1)
server/src/main/java/org/opensearch/cluster/metadata/MetadataUpdateSettingsService.java (1)

594-629: Well-structured validation method that successfully enforces crypto setting immutability.

The implementation effectively achieves the PR objective by:

  1. ✅ Preventing updates to crypto configuration settings (key_provider, kms.key_arn, kms.encryption_context)
  2. ✅ Preventing store type changes to cryptofs from non-cryptofs
  3. ✅ Preventing store type changes from cryptofs to non-cryptofs
  4. ✅ Addressing the bidirectional requirement mentioned in past review comments

The validation logic is sound and the error messages are informative.
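Added illustration, not the PR's own code: a stand-alone Java model of the two rules reviewed above (crypto settings immutable; no store-type change to or from cryptofs), using plain Map state in place of OpenSearch's Settings and ClusterState, with the class and method names assumed. The cluster state is a parameter, which is the shape the execute()-time validation comment above asks for, and the cases at the bottom exercise the multi-index and absent-metadata edge cases.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

// Stand-alone model of the PR's validator: class, method names and the Map-based state are
// assumptions for illustration, not OpenSearch's Settings/ClusterState classes.
public final class CryptoStoreSettingsCheck {
    // Setting keys the PR treats as immutable after index creation (names from the PR).
    static final Set<String> RESTRICTED_CRYPTO_SETTINGS = Set.of("index.store.crypto.key_provider",
        "index.store.crypto.kms.key_arn", "index.store.crypto.kms.encryption_context");
    static final String STORE_TYPE = "index.store.type";
    static final String CRYPTOFS = "cryptofs";
    // requested: the update request; current: index name -> its settings, passed in so the
    // caller decides whether submission-time or execution-time cluster state is checked.
    static void validate(Map<String, String> requested, List<String> indices,
                         Map<String, Map<String, String>> current) {
        for (String key : RESTRICTED_CRYPTO_SETTINGS) { // Rule 1: any touch is rejected, whatever the value
            if (requested.containsKey(key)) {
                throw new IllegalArgumentException("Setting [" + key + "] is immutable after index creation");
            }
        }
        if (!requested.containsKey(STORE_TYPE)) return; // no store type change requested
        // Rule 2: store type may not change to or from cryptofs, checked for every target index.
        boolean toCrypto = CRYPTOFS.equals(requested.get(STORE_TYPE));
        for (String index : indices) {
            Map<String, String> settings = current.get(index);
            // Absent metadata leaves currentType null; equals() on the constant copes with that.
            String currentType = settings == null ? null : settings.get(STORE_TYPE);
            boolean fromCrypto = CRYPTOFS.equals(currentType);
            if (toCrypto && !fromCrypto) {
                throw new IllegalArgumentException("Cannot change store type to 'cryptofs' for index [" + index + "]");
            }
            if (fromCrypto && !toCrypto) {
                throw new IllegalArgumentException("Cannot change store type from 'cryptofs' for index [" + index + "]");
            }
        }
    }
    // Wraps validate() so each case in main() reads as "accepted" or the rejection reason.
    static String outcome(Map<String, String> requested, List<String> indices,
                          Map<String, Map<String, String>> current) {
        try { validate(requested, indices, current); return "accepted"; }
        catch (IllegalArgumentException e) { return "rejected: " + e.getMessage(); }
    }
    public static void main(String[] args) {
        // Constructed cluster state: one encrypted index and one plain index (placeholder ARN).
        Map<String, Map<String, String>> state = Map.of(
            "secure-logs", Map.of(STORE_TYPE, CRYPTOFS, "index.store.crypto.kms.key_arn", "arn:placeholder"),
            "plain-logs", Map.of(STORE_TYPE, "niofs"));
        System.out.println(outcome(Map.of("index.store.crypto.kms.key_arn", "arn:other"), List.of("secure-logs"), state)); // re-key attempt
        System.out.println(outcome(Map.of(STORE_TYPE, CRYPTOFS), List.of("plain-logs"), state));   // plain -> cryptofs
        System.out.println(outcome(Map.of(STORE_TYPE, "niofs"), List.of("secure-logs"), state));   // cryptofs -> plain
        System.out.println(outcome(Map.of(STORE_TYPE, "mmapfs"), List.of("plain-logs"), state));   // plain -> plain, unaffected
        System.out.println(outcome(Map.of(STORE_TYPE, CRYPTOFS), List.of("plain-logs", "missing"), state)); // multi-index, absent metadata
    }
}
```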

@kumargu
Contributor

kumargu commented Nov 29, 2025

cc @cwperks, could you please review?

@github-actions
Contributor

✅ Gradle check result for 5cbc0c5: SUCCESS

@codecov

codecov bot commented Nov 29, 2025

Codecov Report

❌ Patch coverage is 23.07692% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 73.25%. Comparing base (97d3864) to head (7b8ca93).
⚠️ Report is 21 commits behind head on main.

Files with missing lines Patch % Lines
...luster/metadata/MetadataUpdateSettingsService.java 23.07% 9 Missing and 1 partial ⚠️
Additional details and impacted files
@@             Coverage Diff              @@
##               main   #20123      +/-   ##
============================================
- Coverage     73.33%   73.25%   -0.09%     
+ Complexity    71679    71633      -46     
============================================
  Files          5790     5786       -4     
  Lines        327549   327767     +218     
  Branches      47181    47210      +29     
============================================
- Hits         240217   240095     -122     
- Misses        68080    68421     +341     
+ Partials      19252    19251       -1     


final String[] restrictedCryptoSettings = {
"index.store.crypto.key_provider",
"index.store.crypto.kms.key_arn",
"index.store.crypto.kms.encryption_context" };
Member

@cwperks cwperks Dec 1, 2025


Contributor Author


Oh, yes, this is neat, didn't know about this, thanks!


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between 5cbc0c5 and f26f1c4.

📒 Files selected for processing (1)
  • server/src/main/java/org/opensearch/cluster/metadata/MetadataUpdateSettingsService.java (2 hunks)
🔇 Additional comments (1)
server/src/main/java/org/opensearch/cluster/metadata/MetadataUpdateSettingsService.java (1)

145-145: Wiring the crypto store validator into updateSettings looks good

Calling validateCryptoStoreSettings alongside the other top-level validators (before building open/closed settings and submitting the cluster state update task) is consistent with the existing pattern and ensures invalid store-type transitions are rejected early.

Signed-off-by: Rajat Gupta <[email protected]>
@github-actions
Contributor

github-actions bot commented Dec 2, 2025

✅ Gradle check result for 7b8ca93: SUCCESS

@cwperks
Member

cwperks commented Dec 3, 2025

@RajatGupta02 would it make sense to add any tests here? Is cryptofs defined in the core or is that only available when ILE plugin is installed? If it's only available when ILE is installed I wonder if we can somehow enforce within ILE. I know there are extension points to listen to cluster settings updates and I imagine index settings updates have a similar listener to hook into.

The changes in the PR itself look fine to me.

@RajatGupta02
Contributor Author

@RajatGupta02 would it make sense to add any tests here? Is cryptofs defined in the core or is that only available when ILE plugin is installed? If it's only available when ILE is installed I wonder if we can somehow enforce within ILE. I know there are extension points to listen to cluster settings updates and I imagine index settings updates have a similar listener to hook into.

Yeah, it's available only when ILE is installed.
