Allow overlap of static and custom security configs, but prefer static (#5805)

Signed-off-by: Craig Perkins <[email protected]>

Author: cwperks

CHANGELOG.md

@@ -8,6 +8,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 ### Changed
 - Ensure all restHeaders from ActionPlugin.getRestHeaders are carried to threadContext for tracing ([#5396](https://github.com/opensearch-project/security/pull/5396))
+- Allow overlap of static and custom security configs, but prefer static ([#5805](https://github.com/opensearch-project/security/pull/5805))
+
 ### Features
 
 ### Enhancements

src/main/java/org/opensearch/security/securityconf/DynamicConfigFactory.java

@@ -240,32 +240,9 @@ public void onChange(ConfigurationMap typeToConfig) {
         final AllowlistingSettings allowlist = cr.getConfiguration(CType.ALLOWLIST).getCEntry("config");
         final AuditConfig audit = cr.getConfiguration(CType.AUDIT).getCEntry("config");
 
-        if (roles.containsAny(staticRoles)) {
-            throw new StaticResourceException("Cannot override static roles");
-        }
-        if (!roles.add(staticRoles) && !staticRoles.getCEntries().isEmpty()) {
-            throw new StaticResourceException("Unable to load static roles");
-        }
-
-        log.debug("Static roles loaded ({})", staticRoles.getCEntries().size());
-
-        if (actionGroups.containsAny(staticActionGroups)) {
-            throw new StaticResourceException("Cannot override static action groups");
-        }
-        if (!actionGroups.add(staticActionGroups) && !staticActionGroups.getCEntries().isEmpty()) {
-            throw new StaticResourceException("Unable to load static action groups");
-        }
-
-        log.debug("Static action groups loaded ({})", staticActionGroups.getCEntries().size());
-
-        if (tenants.containsAny(staticTenants)) {
-            throw new StaticResourceException("Cannot override static tenants");
-        }
-        if (!tenants.add(staticTenants) && !staticTenants.getCEntries().isEmpty()) {
-            throw new StaticResourceException("Unable to load static tenants");
-        }
-
-        log.debug("Static tenants loaded ({})", staticTenants.getCEntries().size());
+        mergeStaticConfigWithWarning("roles", roles, staticRoles, log);
+        mergeStaticConfigWithWarning("action groups", actionGroups, staticActionGroups, log);
+        mergeStaticConfigWithWarning("tenants", tenants, staticTenants, log);
 
         log.debug(
             "Static configuration loaded (total roles: {}/total action groups: {}/total tenants: {})",
@@ -292,6 +269,44 @@ public void onChange(ConfigurationMap typeToConfig) {
         initialized.set(true);
     }
 
+    private static <T> void mergeStaticConfigWithWarning(
+        String typeName,
+        SecurityDynamicConfiguration<T> dynamicConfig,
+        SecurityDynamicConfiguration<T> staticConfig,
+        Logger log
+    ) {
+        if (staticConfig == null || staticConfig.isEmpty()) {
+            return;
+        }
+
+        // Find overlapping keys between dynamic and static configs
+        final Map<String, T> dynamicEntries = dynamicConfig.getCEntries();
+        final Map<String, T> staticEntries = staticConfig.getCEntries();
+
+        final java.util.List<String> overlaps = dynamicEntries.keySet().stream().filter(staticEntries::containsKey).sorted().toList();
+
+        if (!overlaps.isEmpty()) {
+            // Remove overlaps from the dynamic config so static definitions win
+            dynamicConfig.remove(overlaps);
+
+            log.warn(
+                "Detected overlap between dynamic {} configuration and static resources for entries: {}. "
+                    + "Dynamic definitions have been removed in favor of static configuration.",
+                typeName,
+                overlaps
+            );
+        }
+
+        // Now add static entries; if this fails, it's a real structural problem (version/type)
+        if (!dynamicConfig.add(staticConfig) && !staticConfig.getCEntries().isEmpty()) {
+            throw new StaticResourceException("Unable to load static " + typeName);
+        }
+
+        if (log.isDebugEnabled()) {
+            log.debug("Static {} loaded ({} entries)", typeName, staticConfig.getCEntries().size());
+        }
+    }
+
     private static ConfigV7 getConfigV7(SecurityDynamicConfiguration<?> sdc) {
         @SuppressWarnings("unchecked")
         SecurityDynamicConfiguration<ConfigV7> c = (SecurityDynamicConfiguration<ConfigV7>) sdc;