Make crypto store settings immutable

[RajatGupta02]

Description

Opensearch-storage-encryption plugin introduces some index settings which should be immutable after index creation. This PR adds the validation to not allow these crypto settings update.

Check List

• Functionality includes testing.
• API changes companion pull request created, if applicable.
• Public documentation issue/PR created, if applicable.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Summary by CodeRabbit

• New Features

  • Enforces immutability of crypto-related store settings so sensitive store configuration cannot be altered after index creation.
  • Prevents invalid transitions of index store types involving encrypted store variants, rejecting attempts to switch to or from those types.

• Bug Fixes

  • Validations now run during settings updates to fail early on disallowed crypto-store changes.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

📝 Walkthrough

Walkthrough

Adds a validator that prevents modifications to crypto-related index store settings (including switching to or from the cryptofs store type), integrates the validator into the settings update flow, and documents the change in the changelog.

Changes

Cohort / File(s)	Change Summary
Changelog CHANGELOG.md	Added an Unreleased 3.x entry documenting the new validation that makes crypto store settings immutable with a PR reference.
Crypto store validation server/src/main/java/org/opensearch/cluster/metadata/MetadataUpdateSettingsService.java	Added public static void validateCryptoStoreSettings(Settings indexSettings, Index[] indices, ClusterState clusterState) and invoked it from updateSettings(); enforces immutability of crypto-related settings and disallows changing index.store.type to or from cryptofs, throwing IllegalArgumentException on violations.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Review the new validation method for correctness across multi-index updates and edge cases (missing cluster metadata, partially matching indices).
• Verify exception types and messages align with existing validation patterns and are clear for callers.
• Confirm updateSettings() integration covers all code paths where index settings can be updated.

"I hopped through code at break of day,
Locked keys and types to keep mischief away,
A tiny guard in a quiet nest,
Keeping secrets snug and blessed,
Cheers to safe stores—now hop and play! 🥕🔐"

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Make crypto store settings immutable' clearly and concisely summarizes the main change: adding immutability validation for crypto store settings during index updates.
Description check	✅ Passed	The description provides context about the opensearch-storage-encryption plugin, explains why the change is needed (immutable settings post-creation), and indicates testing has been included. The template sections are mostly complete.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

❌ Gradle check result for 65126b1: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

server/src/main/java/org/opensearch/cluster/metadata/MetadataUpdateSettingsService.java (3)

145-145: Consider moving crypto validation inside the execute() method for consistency.

The validation uses clusterService.state(), which gets the cluster state at submission time. However, validateSearchReplicaCountSettings (line 296) performs similar index-specific validation inside the execute() method using the execution-time currentState. Moving validateCryptoStoreSettings inside execute() would ensure validation against the authoritative state and maintain consistency with the pattern used for other index-specific validations.

While the bidirectional nature of the cryptofs checks (blocking both TO and FROM) provides inherent safety against race conditions, aligning with the existing pattern would be clearer.

---

594-608: LGTM! Clear validation logic for crypto setting immutability.

The validation correctly enforces that crypto settings cannot be modified after index creation. The straightforward check against indexSettings.keySet() is appropriate and efficient.

Optional improvements:

1. Extract the restricted settings array as a class-level constant for better maintainability:

+    private static final String[] RESTRICTED_CRYPTO_SETTINGS = {
+        "index.store.crypto.key_provider",
+        "index.store.crypto.kms.key_arn",
+        "index.store.crypto.kms.encryption_context"
+    };
+
     /**
-     * Validates crypto store settings are immutable after index creation.
+     * Validates that crypto-related store settings are immutable after index creation.
+     * Prevents updates to crypto configuration settings and validates store type changes
+     * to/from cryptofs are not permitted.
      */
     public static void validateCryptoStoreSettings(Settings indexSettings, Index[] indices, ClusterState clusterState) {
-        final String[] restrictedCryptoSettings = {
-            "index.store.crypto.key_provider",
-            "index.store.crypto.kms.key_arn",
-            "index.store.crypto.kms.encryption_context" };
-
         // Crypto settings are completely immutable - reject any attempt to modify them
-        for (String settingKey : restrictedCryptoSettings) {
+        for (String settingKey : RESTRICTED_CRYPTO_SETTINGS) {

2. Enhanced JavaDoc provides clearer documentation of the method's purpose.

---

610-628: LGTM! Bidirectional cryptofs validation correctly implemented.

The logic properly prevents both changing TO cryptofs and changing FROM cryptofs, addressing the concern raised in past review comments. The approach of checking store type changes separately from the other crypto settings is appropriate, as it allows this validation to be granular (only affecting cryptofs) rather than blocking all store type changes.

Minor enhancement: The error messages could be more consistent in explaining the rationale:

                 // Prevent changing TO cryptofs
                 if ("cryptofs".equals(newStoreType) && !"cryptofs".equals(currentStoreType)) {
-                    throw new IllegalArgumentException("Cannot change store type to 'cryptofs' for index [" + index.getName() + "]");
+                    throw new IllegalArgumentException(
+                        "Cannot change store type to 'cryptofs' for index [" + index.getName() + "] - cryptofs store type is immutable"
+                    );
                 }

Based on past review comments, the decision to handle store type separately from restrictedCryptoSettings is correct, as including it there would prevent all store type changes for all indices.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 65126b1 and 5cbc0c5.

📒 Files selected for processing (1)

• server/src/main/java/org/opensearch/cluster/metadata/MetadataUpdateSettingsService.java (2 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (20)

• GitHub Check: gradle-check
• GitHub Check: assemble (25, windows-latest)
• GitHub Check: assemble (25, ubuntu-latest)
• GitHub Check: assemble (25, ubuntu-24.04-arm)
• GitHub Check: assemble (21, ubuntu-24.04-arm)
• GitHub Check: assemble (21, ubuntu-latest)
• GitHub Check: assemble (21, windows-latest)
• GitHub Check: precommit (25, ubuntu-24.04-arm)
• GitHub Check: precommit (21, windows-2025, true)
• GitHub Check: precommit (21, ubuntu-24.04-arm)
• GitHub Check: precommit (25, macos-15-intel)
• GitHub Check: precommit (21, macos-15-intel)
• GitHub Check: precommit (25, macos-15)
• GitHub Check: precommit (21, windows-latest)
• GitHub Check: precommit (25, windows-latest)
• GitHub Check: precommit (21, macos-15)
• GitHub Check: precommit (25, ubuntu-latest)
• GitHub Check: precommit (21, ubuntu-latest)
• GitHub Check: Analyze (java)
• GitHub Check: detect-breaking-change

🔇 Additional comments (1)

server/src/main/java/org/opensearch/cluster/metadata/MetadataUpdateSettingsService.java (1)

594-629: Well-structured validation method that successfully enforces crypto setting immutability.

The implementation effectively achieves the PR objective by:

1. ✅ Preventing updates to crypto configuration settings (key_provider, kms.key_arn, kms.encryption_context)
2. ✅ Preventing store type changes to cryptofs from non-cryptofs
3. ✅ Preventing store type changes from cryptofs to non-cryptofs
4. ✅ Addressing the bidirectional requirement mentioned in past review comments

The validation logic is sound and the error messages are informative.

[kumargu]

cc @cwperks , could you please review?

[github-actions]

✅ Gradle check result for 5cbc0c5: SUCCESS

[codecov]

Codecov Report

❌ Patch coverage is 23.07692% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 73.26%. Comparing base (967c809) to head (c80fe0f).
⚠️ Report is 5 commits behind head on main.

Files with missing lines	Patch %	Lines
...luster/metadata/MetadataUpdateSettingsService.java	23.07%	9 Missing and 1 partial ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##               main   #20123      +/-   ##
============================================
+ Coverage     73.23%   73.26%   +0.03%     
- Complexity    71953    71977      +24     
============================================
  Files          5795     5795              
  Lines        329248   329262      +14     
  Branches      47410    47415       +5     
============================================
+ Hits         241122   241238     +116     
+ Misses        68841    68729     -112     
- Partials      19285    19295      +10     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5cbc0c5 and f26f1c4.

📒 Files selected for processing (1)

• server/src/main/java/org/opensearch/cluster/metadata/MetadataUpdateSettingsService.java (2 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (19)

• GitHub Check: gradle-check
• GitHub Check: precommit (21, windows-2025, true)
• GitHub Check: precommit (25, ubuntu-24.04-arm)
• GitHub Check: precommit (21, ubuntu-24.04-arm)
• GitHub Check: precommit (25, macos-15-intel)
• GitHub Check: precommit (25, ubuntu-latest)
• GitHub Check: precommit (25, windows-latest)
• GitHub Check: precommit (21, macos-15)
• GitHub Check: precommit (21, windows-latest)
• GitHub Check: precommit (21, macos-15-intel)
• GitHub Check: precommit (21, ubuntu-latest)
• GitHub Check: Analyze (java)
• GitHub Check: assemble (25, ubuntu-latest)
• GitHub Check: assemble (21, ubuntu-latest)
• GitHub Check: assemble (25, windows-latest)
• GitHub Check: assemble (21, windows-latest)
• GitHub Check: assemble (21, ubuntu-24.04-arm)
• GitHub Check: assemble (25, ubuntu-24.04-arm)
• GitHub Check: detect-breaking-change

🔇 Additional comments (1)

server/src/main/java/org/opensearch/cluster/metadata/MetadataUpdateSettingsService.java (1)

145-145: Wiring the crypto store validator into updateSettings looks good

Calling validateCryptoStoreSettings alongside the other top-level validators (before building open/closed settings and submitting the cluster state update task) is consistent with the existing pattern and ensures invalid store-type transitions are rejected early.

[github-actions]

✅ Gradle check result for 7b8ca93: SUCCESS

[cwperks]

@RajatGupta02 would it make sense to add any tests here? Is cryptofs defined in the core or is that only available when ILE plugin is installed? If its only available when ILE is installed I wonder if we can somehow enforce within ILE. I know there are extension points to listen to cluster settings updates and I imagine index settings update have a similar listener to hook into.

The changes in the PR itself look fine to me.

[RajatGupta02]

@RajatGupta02 would it make sense to add any tests here? Is cryptofs defined in the core or is that only available when ILE plugin is installed? If its only available when ILE is installed I wonder if we can somehow enforce within ILE. I know there are extension points to listen to cluster settings updates and I imagine index settings update have a similar listener to hook into.

Yeah, its available only when ILE is installed.

[github-actions]

❌ Gradle check result for c9d2bb9: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[opensearch-trigger-bot]

This PR is stalled because it has been open for 30 days with no activity.

[github-actions]

❌ Gradle check result for 7e2bf8e: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

❌ Gradle check result for c80fe0f: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

❌ Gradle check result for c80fe0f: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

❌ Gradle check result for c80fe0f: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

❌ Gradle check result for c80fe0f: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

❌ Gradle check result for c80fe0f: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

✅ Gradle check result for c80fe0f: SUCCESS