Skip to content

Make crypto store settings immutable #20123

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
RajatGupta02 wants to merge 5 commits into
base: main
Choose a base branch
from
+31 −0
Open

Make crypto store settings immutable #20123

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
65126b1
Make crypto store settings immutable
Nov 29, 2025
5cbc0c5
Add reverse validation
Nov 29, 2025
f26f1c4
Handle restricted settings within plugin code
Dec 2, 2025
7b8ca93
Fix null bypass
Dec 2, 2025
c9d2bb9
Merge branch 'main' into ile_disallow_settings_update
RajatGupta02 Dec 5, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
- Allow the truncate filter in normalizers ([#19778](https://github.com/opensearch-project/OpenSearch/issues/19778))
- Support pull-based ingestion message mappers and raw payload support ([#19765](https://github.com/opensearch-project/OpenSearch/pull/19765))
- Support dynamic consumer configuration update in pull-based ingestion ([#19963](https://github.com/opensearch-project/OpenSearch/pull/19963))

- Add validation to make crypto store settings immutable ([#20123](https://github.com/opensearch-project/OpenSearch/pull/20123))
### Changed
- Faster `terms` query creation for `keyword` field with index and docValues enabled ([#19350](https://github.com/opensearch-project/OpenSearch/pull/19350))
- Refactor to move prepareIndex and prepareDelete methods to Engine class ([#19551](https://github.com/opensearch-project/OpenSearch/pull/19551))
Expand Down
29 changes: 29 additions & 0 deletions server/src/main/java/org/opensearch/cluster/metadata/MetadataUpdateSettingsService.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -142,6 +142,7 @@ public void updateSettings(
validateRefreshIntervalSettings(normalizedSettings, clusterService.getClusterSettings());
validateTranslogDurabilitySettings(normalizedSettings, clusterService.getClusterSettings(), clusterService.getSettings());
validateIndexTotalPrimaryShardsPerNodeSetting(normalizedSettings, clusterService);
validateCryptoStoreSettings(normalizedSettings, request.indices(), clusterService.state());
final int defaultReplicaCount = clusterService.getClusterSettings().get(Metadata.DEFAULT_REPLICA_COUNT_SETTING);

Settings.Builder settingsForClosedIndices = Settings.builder();
Expand Down Expand Up @@ -589,4 +590,32 @@ public static void validateIndexTotalPrimaryShardsPerNodeSetting(Settings indexS
);
}
}

/**
* Validates crypto store settings are immutable after index creation.
*/
public static void validateCryptoStoreSettings(Settings indexSettings, Index[] indices, ClusterState clusterState) {
final String[] restrictedCryptoSettings = {
"index.store.crypto.key_provider",
"index.store.crypto.kms.key_arn",
"index.store.crypto.kms.encryption_context" };
Copy link
Member

@cwperks cwperks Dec 1, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this can be done through properties like Property.Filtered or Property.InternalIndex

See https://github.com/opensearch-project/OpenSearch/blob/main/server/src/main/java/org/opensearch/common/settings/Setting.java#L160-L164

The last param in https://github.com/opensearch-project/OpenSearch/blob/main/plugins/crypto-kms/src/main/java/org/opensearch/crypto/kms/KmsService.java#L53 is a vararg list of properties.

Copy link
Contributor Author

@RajatGupta02 RajatGupta02 Dec 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, yes, this is neat, didn't know about this, thanks!


// Crypto settings are completely immutable - reject any attempt to modify them
for (String settingKey : restrictedCryptoSettings) {
if (indexSettings.keySet().contains(settingKey)) {
throw new IllegalArgumentException("Cannot update [" + settingKey + "] - crypto settings are immutable");
}
}

// Validate store type changes
String newStoreType = indexSettings.get("index.store.type");
if ("cryptofs".equals(newStoreType)) {
Copy link
Contributor

@kumargu kumargu Nov 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

and vice versa? if you have cryptofs as store type it cannot be modified.

Copy link
Contributor

@kumargu kumargu Nov 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this could be included in restrictedCryptoSettings.

Copy link
Contributor Author

@RajatGupta02 RajatGupta02 Nov 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah we should also prevent cryptofs -> non-cryptofs update. But it shouldn't be included in restrictedCryptoSettings as it will prevent prevent ALL store type changes for all indices.

for (Index index : indices) {
String currentStoreType = clusterState.metadata().getIndexSafe(index).getSettings().get("index.store.type", "");
if (!"cryptofs".equals(currentStoreType)) {
throw new IllegalArgumentException("Cannot change store type to 'cryptofs' for index [" + index.getName() + "]");
}
}
}
}
}
Loading