
@RajatGupta02
Contributor

@RajatGupta02 RajatGupta02 commented Nov 29, 2025

Description

The Opensearch-storage-encryption plugin introduces some index settings which should be immutable after index creation. This PR adds validation to disallow updates to these crypto settings.

Check List

  • Functionality includes testing.
  • API changes companion pull request created, if applicable.
  • Public documentation issue/PR created, if applicable.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Summary by CodeRabbit

  • New Features
    • Enforces immutability of crypto-related store settings so sensitive configuration cannot be altered after creation.
    • Prevents invalid transitions of the index store type involving encrypted store variants, rejecting attempts to switch to or from those types.


@coderabbitai

coderabbitai bot commented Nov 29, 2025

Walkthrough

Adds validation to prevent changes to crypto-related index.store settings and to forbid switching to or from the cryptofs store type; introduces validateCryptoStoreSettings() and calls it during settings updates, and documents the change in the changelog.

Changes

Cohort / File(s): Change Summary

Documentation Update
CHANGELOG.md
Added an Unreleased 3.x entry documenting the new validation that makes crypto store settings immutable, with the PR reference.

Crypto Store Validation
server/src/main/java/org/opensearch/cluster/metadata/MetadataUpdateSettingsService.java
Added public static void validateCryptoStoreSettings(Settings indexSettings, Index[] indices, ClusterState clusterState), which rejects modifications to index.store.crypto.key_provider, index.store.crypto.kms.key_arn and index.store.crypto.kms.encryption_context, and disallows changing index.store.type to or from cryptofs. Integrated a call to this validator into updateSettings().

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Review new validation logic and error messages in MetadataUpdateSettingsService.
  • Verify correct indices and cluster state usage, and ensure no false positives for multi-index updates.
  • Confirm changelog entry accuracy.

🐰
I hopped through code at break of day,
Locked keys and types to keep mischief away,
A tiny guard in a quiet nest,
Keeping secrets snug and blessed,
Cheers to safe stores—now hop and play! 🥕🔐

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Docstring Coverage ⚠️ Warning: Docstring coverage is 66.67%, which is insufficient; the required threshold is 80.00%. Resolution: run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Title check ✅ Passed: The title accurately summarizes the main objective of the PR, which is to make crypto store settings immutable.
Description check ✅ Passed: The description includes the required sections (Description, Check List) and explains the change well, though it lacks a Related Issues section with an issue number.

Signed-off-by: Rajat Gupta <gptrajat@amazon.com>
@RajatGupta02 RajatGupta02 force-pushed the ile_disallow_settings_update branch from e9c8610 to 65126b1 Compare November 29, 2025 07:57
@RajatGupta02 RajatGupta02 marked this pull request as ready for review November 29, 2025 07:58
@RajatGupta02 RajatGupta02 requested a review from a team as a code owner November 29, 2025 07:58

// Validate store type changes
String newStoreType = indexSettings.get("index.store.type");
if ("cryptofs".equals(newStoreType)) {
Contributor
and vice versa? if you have cryptofs as store type it cannot be modified.

Contributor

this could be included in restrictedCryptoSettings.

Contributor Author

yeah we should also prevent cryptofs -> non-cryptofs update. But it shouldn't be included in restrictedCryptoSettings as it will prevent ALL store type changes for all indices.

@github-actions
Contributor

❌ Gradle check result for 65126b1: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

Signed-off-by: Rajat Gupta <gptrajat@amazon.com>

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (3)
server/src/main/java/org/opensearch/cluster/metadata/MetadataUpdateSettingsService.java (3)

145-145: Consider moving crypto validation inside the execute() method for consistency.

The validation uses clusterService.state(), which gets the cluster state at submission time. However, validateSearchReplicaCountSettings (line 296) performs similar index-specific validation inside the execute() method using the execution-time currentState. Moving validateCryptoStoreSettings inside execute() would ensure validation against the authoritative state and maintain consistency with the pattern used for other index-specific validations.

While the bidirectional nature of the cryptofs checks (blocking both TO and FROM) provides inherent safety against race conditions, aligning with the existing pattern would be clearer.


594-608: LGTM! Clear validation logic for crypto setting immutability.

The validation correctly enforces that crypto settings cannot be modified after index creation. The straightforward check against indexSettings.keySet() is appropriate and efficient.

Optional improvements:

  1. Extract the restricted settings array as a class-level constant for better maintainability:
+    private static final String[] RESTRICTED_CRYPTO_SETTINGS = {
+        "index.store.crypto.key_provider",
+        "index.store.crypto.kms.key_arn",
+        "index.store.crypto.kms.encryption_context"
+    };
+
     /**
-     * Validates crypto store settings are immutable after index creation.
+     * Validates that crypto-related store settings are immutable after index creation.
+     * Prevents updates to crypto configuration settings and validates store type changes
+     * to/from cryptofs are not permitted.
      */
     public static void validateCryptoStoreSettings(Settings indexSettings, Index[] indices, ClusterState clusterState) {
-        final String[] restrictedCryptoSettings = {
-            "index.store.crypto.key_provider",
-            "index.store.crypto.kms.key_arn",
-            "index.store.crypto.kms.encryption_context" };
-
         // Crypto settings are completely immutable - reject any attempt to modify them
-        for (String settingKey : restrictedCryptoSettings) {
+        for (String settingKey : RESTRICTED_CRYPTO_SETTINGS) {
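Review bot: the loop at the end of the hunk still walks a String array and tests each entry against the request, so the constant only tidies the declaration; declaring RESTRICTED_CRYPTO_SETTINGS as `Set.of("index.store.crypto.key_provider", ...)` and testing `indexSettings.keySet()` membership directly expresses the intent and avoids a linear scan per key. The new JavaDoc should also say what the keySet check implies: a request that merely contains one of these keys is rejected even when the value is unchanged, which matters for clients that resend a full settings block; and "validates store type changes to/from cryptofs are not permitted" reads better as "rejects changes of the store type to or from cryptofs".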
  2. Enhanced JavaDoc provides clearer documentation of the method's purpose.

610-628: LGTM! Bidirectional cryptofs validation correctly implemented.

The logic properly prevents both changing TO cryptofs and changing FROM cryptofs, addressing the concern raised in past review comments. The approach of checking store type changes separately from the other crypto settings is appropriate, as it allows this validation to be granular (only affecting cryptofs) rather than blocking all store type changes.

Minor enhancement: The error messages could be more consistent in explaining the rationale:

                 // Prevent changing TO cryptofs
                 if ("cryptofs".equals(newStoreType) && !"cryptofs".equals(currentStoreType)) {
-                    throw new IllegalArgumentException("Cannot change store type to 'cryptofs' for index [" + index.getName() + "]");
+                    throw new IllegalArgumentException(
+                        "Cannot change store type to 'cryptofs' for index [" + index.getName() + "] - cryptofs store type is immutable"
+                    );
                 }
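Review bot: the suggestion rewrites only the TO-cryptofs message; the FROM-cryptofs branch that follows this block (the review confirms both directions are blocked) needs the same `- cryptofs store type is immutable` suffix, otherwise the two messages stay inconsistent, which is what this nitpick set out to fix. Including the current store type in the message (e.g. `from [fs] to [cryptofs]`) would also make the rejection easier to diagnose from cluster logs.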

Based on past review comments, the decision to handle store type separately from restrictedCryptoSettings is correct, as including it there would prevent all store type changes for all indices.


📥 Commits

Reviewing files that changed from the base of the PR and between 65126b1 and 5cbc0c5.

📒 Files selected for processing (1)
  • server/src/main/java/org/opensearch/cluster/metadata/MetadataUpdateSettingsService.java (2 hunks)
🔇 Additional comments (1)
server/src/main/java/org/opensearch/cluster/metadata/MetadataUpdateSettingsService.java (1)

594-629: Well-structured validation method that successfully enforces crypto setting immutability.

The implementation effectively achieves the PR objective by:

  1. ✅ Preventing updates to crypto configuration settings (key_provider, kms.key_arn, kms.encryption_context)
  2. ✅ Preventing store type changes to cryptofs from non-cryptofs
  3. ✅ Preventing store type changes from cryptofs to non-cryptofs
  4. ✅ Addressing the bidirectional requirement mentioned in past review comments

The validation logic is sound and the error messages are informative.
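Pulling the validator's rules together as they are described in the walkthrough and in the review above: the following stand-alone Java model is an added example, not code from the PR or from OpenSearch. It replaces the server's Settings, Index and ClusterState with plain JDK maps (one settings map per index stands in for the cluster state), assumes "fs" as the store type when an index has not set one, and treats an index missing from the state as an error; the index names, the `arn:placeholder` value and the helper names (`CryptoStoreSettingsCheck`, `tryUpdate`) are constructed for the demonstration. It goes slightly beyond the hunks shown above by exercising a multi-index request whose targets mix plain and cryptofs indices, the false-positive case the walkthrough asks reviewers to check.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Added example: a stand-alone model of the cryptofs immutability check.
 * Plain JDK maps stand in for OpenSearch's Settings, Index and ClusterState,
 * so this compiles and runs without the server jar. Not the PR's code.
 */
public class CryptoStoreSettingsCheck {

    /** Name of the encrypted store type, as used in the PR. */
    static final String CRYPTOFS = "cryptofs";

    /** The three crypto settings the PR rejects in any update request. */
    static final Set<String> RESTRICTED_CRYPTO_SETTINGS = Set.of(
        "index.store.crypto.key_provider",
        "index.store.crypto.kms.key_arn",
        "index.store.crypto.kms.encryption_context"
    );

    /**
     * @param requestedSettings    settings carried by the update request (key -> value)
     * @param targetIndices        names of the indices the request applies to
     * @param currentIndexSettings current settings per index; stand-in for ClusterState
     * @throws IllegalArgumentException when the request would change an immutable setting
     */
    static void validateCryptoStoreSettings(Map<String, String> requestedSettings,
                                            List<String> targetIndices,
                                            Map<String, Map<String, String>> currentIndexSettings) {
        // 1. The crypto settings are immutable regardless of index: any occurrence of the
        //    key in the request is rejected, even if the value would be unchanged.
        for (String key : requestedSettings.keySet()) {
            if (RESTRICTED_CRYPTO_SETTINGS.contains(key)) {
                throw new IllegalArgumentException(
                    "Setting [" + key + "] is immutable after index creation");
            }
        }
        // 2. index.store.type may still change for ordinary indices, so it is checked
        //    per target index against that index's current value, not rejected globally.
        String newStoreType = requestedSettings.get("index.store.type");
        if (newStoreType == null) {
            return;
        }
        for (String indexName : targetIndices) {
            Map<String, String> current = currentIndexSettings.get(indexName);
            if (current == null) {
                // Assumption of this model: an index absent from the state is an error.
                throw new IllegalArgumentException("Unknown index [" + indexName + "]");
            }
            // Assumption of this model: an unset store type means "fs".
            String currentStoreType = current.getOrDefault("index.store.type", "fs");
            boolean toCryptofs = CRYPTOFS.equals(newStoreType) && !CRYPTOFS.equals(currentStoreType);
            boolean fromCryptofs = CRYPTOFS.equals(currentStoreType) && !CRYPTOFS.equals(newStoreType);
            if (toCryptofs || fromCryptofs) {
                throw new IllegalArgumentException("Cannot change store type from [" + currentStoreType
                    + "] to [" + newStoreType + "] for index [" + indexName
                    + "] - cryptofs store type is immutable");
            }
        }
    }

    /** Runs one request through the validator and reports the outcome instead of throwing. */
    static String tryUpdate(String label, Map<String, String> requested, List<String> indices,
                            Map<String, Map<String, String>> state) {
        try {
            validateCryptoStoreSettings(requested, indices, state);
            return label + ": accepted";
        } catch (IllegalArgumentException e) {
            return label + ": rejected (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        // Constructed cluster state: one plain index and one encrypted index.
        Map<String, Map<String, String>> state = new LinkedHashMap<>();
        state.put("logs-plain", Map.of("index.store.type", "fs"));
        state.put("logs-encrypted", Map.of(
            "index.store.type", CRYPTOFS,
            "index.store.crypto.key_provider", "kms"));

        System.out.println(tryUpdate("rotate key_arn",
            Map.of("index.store.crypto.kms.key_arn", "arn:placeholder"), List.of("logs-encrypted"), state));
        System.out.println(tryUpdate("plain -> cryptofs",
            Map.of("index.store.type", CRYPTOFS), List.of("logs-plain"), state));
        System.out.println(tryUpdate("cryptofs -> fs",
            Map.of("index.store.type", "fs"), List.of("logs-encrypted"), state));
        System.out.println(tryUpdate("plain -> niofs",
            Map.of("index.store.type", "niofs"), List.of("logs-plain"), state));
        System.out.println(tryUpdate("fs on mixed targets",
            Map.of("index.store.type", "fs"), List.of("logs-plain", "logs-encrypted"), state));
        System.out.println(tryUpdate("replica change on encrypted index",
            Map.of("index.number_of_replicas", "2"), List.of("logs-encrypted"), state));
    }
}
```

Compile and run with `javac CryptoStoreSettingsCheck.java && java CryptoStoreSettingsCheck`: the key rotation, both cryptofs transitions and the mixed-target request are rejected, while the niofs switch on the plain index and the replica change on the encrypted index are accepted. The validator takes the current state as a parameter, so the caller decides whether to pass the submission-time state or the execution-time state, which is the substance of the nitpick about moving the call into execute().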

@kumargu
Contributor

kumargu commented Nov 29, 2025

cc @cwperks , could you please review?

@github-actions
Contributor

✅ Gradle check result for 5cbc0c5: SUCCESS

@codecov

codecov bot commented Nov 29, 2025

Codecov Report

❌ Patch coverage is 33.33333% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 73.32%. Comparing base (97d3864) to head (5cbc0c5).
⚠️ Report is 14 commits behind head on main.

Files with missing lines (patch coverage):
...luster/metadata/MetadataUpdateSettingsService.java: 33.33% patch coverage, 8 lines missing and 2 partials ⚠️
Additional details and impacted files
@@             Coverage Diff              @@
##               main   #20123      +/-   ##
============================================
- Coverage     73.33%   73.32%   -0.02%     
+ Complexity    71679    71645      -34     
============================================
  Files          5790     5786       -4     
  Lines        327549   327769     +220     
  Branches      47181    47212      +31     
============================================
+ Hits         240217   240329     +112     
- Misses        68080    68151      +71     
- Partials      19252    19289      +37     


final String[] restrictedCryptoSettings = {
"index.store.crypto.key_provider",
"index.store.crypto.kms.key_arn",
"index.store.crypto.kms.encryption_context" };
Member
@cwperks cwperks Dec 1, 2025


Contributor Author

Oh, yes, this is neat, didn't know about this, thanks!
