Make plugins.security.dfm_empty_overrides_all dynamically toggleable

[cwperks]

Description

Companion core PR to make sure we authz this like any other security setting: opensearch-project/OpenSearch#20901

This PR makes plugins.security.dfm_empty_overrides_all toggleable at runtime by the cluster admin via Cluster settings API

• Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation)

Enhancement

Issues Resolved

Resolves #6002

Check List

• New functionality includes testing
• New functionality has been documented
• New Roles/Permissions have a corresponding security dashboards plugin PR
• API changes companion pull request created
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[codecov]

Codecov Report

❌ Patch coverage is 91.66667% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 73.83%. Comparing base (3661e7b) to head (8742e30).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
...search/security/configuration/DlsFlsValveImpl.java	87.50%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #6016   +/-   ##
=======================================
  Coverage   73.82%   73.83%           
=======================================
  Files         439      439           
  Lines       27122    27132   +10     
  Branches     4025     4026    +1     
=======================================
+ Hits        20024    20033    +9     
+ Misses       5192     5190    -2     
- Partials     1906     1909    +3     

Files with missing lines	Coverage Δ
.../opensearch/security/OpenSearchSecurityPlugin.java	84.93% <100.00%> (-0.02%)	⬇️
...privileges/dlsfls/AbstractRuleBasedPrivileges.java	96.34% <100.00%> (+0.02%)	⬆️
.../opensearch/security/support/SecuritySettings.java	85.71% <100.00%> (+2.38%)	⬆️
...search/security/configuration/DlsFlsValveImpl.java	65.78% <87.50%> (+0.52%)	⬆️

... and 2 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[nibix]

Generally cool for me, but I am wondering whether we should perspectively pivot towards deprecating this and just having this on by default. In the end, this is IMHO just a backwards compat setting.

[cwperks]

Generally cool for me, but I am wondering whether we should perspectively pivot towards deprecating this and just having this on by default. In the end, this is IMHO just a backwards compat setting.

I'd be aligned with that. What I'm interested most for with this change is showing that we can authz settings updates (for sensitive settings via the PUT _cluster/settings API) the same way that we authz other security APIs.