From 12cba2ddaa88db807d2a1d766d890af664ce13d3 Mon Sep 17 00:00:00 2001 From: Craig Perkins Date: Mon, 16 Mar 2026 14:00:09 -0400 Subject: [PATCH 1/6] Make plugins.security.dfm_empty_overrides_all dynamically toggleable Signed-off-by: Craig Perkins --- ...fmEmptyOverridesAllDynamicSettingTest.java | 147 ++++++++++++++++++ .../security/OpenSearchSecurityPlugin.java | 4 +- .../configuration/DlsFlsValveImpl.java | 9 ++ .../dlsfls/AbstractRuleBasedPrivileges.java | 6 +- .../security/support/SecuritySettings.java | 8 + 5 files changed, 170 insertions(+), 4 deletions(-) create mode 100644 src/integrationTest/java/org/opensearch/security/dlsfls/DfmEmptyOverridesAllDynamicSettingTest.java diff --git a/src/integrationTest/java/org/opensearch/security/dlsfls/DfmEmptyOverridesAllDynamicSettingTest.java b/src/integrationTest/java/org/opensearch/security/dlsfls/DfmEmptyOverridesAllDynamicSettingTest.java new file mode 100644 index 0000000000..51823d8f1c --- /dev/null +++ b/src/integrationTest/java/org/opensearch/security/dlsfls/DfmEmptyOverridesAllDynamicSettingTest.java 
@@ -0,0 +1,147 @@ +/* + * SPDX-License-Identifier: Apache-2.0 + * + * The OpenSearch Contributors require contributions made to + * this file be licensed under the Apache-2.0 license or a + * compatible open source license. + */ + +package org.opensearch.security.dlsfls; + +import java.io.IOException; + +import org.junit.BeforeClass; +import org.junit.ClassRule; +import org.junit.Test; + +import org.opensearch.test.framework.TestSecurityConfig.Role; +import org.opensearch.test.framework.TestSecurityConfig.User; +import org.opensearch.test.framework.cluster.ClusterManager; +import org.opensearch.test.framework.cluster.LocalCluster; +import org.opensearch.test.framework.cluster.TestRestClient; +import org.opensearch.test.framework.cluster.TestRestClient.HttpResponse; + +import static org.hamcrest.MatcherAssert.assertThat; +import static org.hamcrest.Matchers.is; +import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL; +import static org.opensearch.test.framework.TestSecurityConfig.Role.ALL_ACCESS; + +/** + * Integration tests verifying that plugins.security.dfm_empty_overrides_all can be toggled + * dynamically via the cluster settings API without requiring a node restart. + * + *

The setting controls whether a role without a DLS/FLS rule overrides roles that do have + * restrictions. When true, a role with no restriction on an index grants full access even if + * another mapped role restricts it. + */ +public class DfmEmptyOverridesAllDynamicSettingTest { + + static final String INDEX = "dfm_test_index"; + + static final User ADMIN_USER = new User("admin").roles(ALL_ACCESS); + + /** + * User with two roles: + * - one role that applies a DLS filter (only docs where dept=sales) + * - one role with a wildcard index pattern and NO DLS rule (unrestricted) + * + * When dfm_empty_overrides_all=true the unrestricted role wins and the user sees all docs. + * When dfm_empty_overrides_all=false the restricted role wins and the user sees only sales docs. + */ + static final User MIXED_ROLE_USER = new User("mixed_role_user").roles( + new Role("dls_restricted_role").clusterPermissions("cluster_composite_ops_ro") + .indexPermissions("read") + .dls("{\"term\":{\"dept\":\"sales\"}}") + .on(INDEX), + new Role("unrestricted_wildcard_role").clusterPermissions("cluster_composite_ops_ro").indexPermissions("read").on("*") + ); + + @ClassRule + public static final LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.SINGLENODE) + .anonymousAuth(false) + .authc(AUTHC_HTTPBASIC_INTERNAL) + .users(ADMIN_USER, MIXED_ROLE_USER) + .build(); + + @BeforeClass + public static void createTestData() throws IOException { + try (TestRestClient client = cluster.getRestClient(ADMIN_USER)) { + client.putJson(INDEX + "/_doc/1?refresh=true", "{\"dept\":\"sales\",\"value\":1}"); + client.putJson(INDEX + "/_doc/2?refresh=true", "{\"dept\":\"engineering\",\"value\":2}"); + client.putJson(INDEX + "/_doc/3?refresh=true", "{\"dept\":\"marketing\",\"value\":3}"); + } + } + + private void setDfmEmptyOverridesAll(boolean enabled) throws IOException { + try (TestRestClient client = cluster.getRestClient(ADMIN_USER)) { + HttpResponse response = client.putJson( + 
"_cluster/settings", + String.format("{\"transient\":{\"plugins.security.dfm_empty_overrides_all\":%b}}", enabled) + ); + assertThat("Failed to update cluster setting", response.getStatusCode(), is(200)); + } + } + + private int countHits(TestRestClient client) throws IOException { + HttpResponse response = client.get(INDEX + "/_search?size=10"); + assertThat("Search failed", response.getStatusCode(), is(200)); + return response.getIntFromJsonBody("/hits/total/value"); + } + + @Test + public void testSettingFalse_restrictedRoleWins_userSeesOnlySalesDocs() throws IOException { + setDfmEmptyOverridesAll(false); + try (TestRestClient client = cluster.getRestClient(MIXED_ROLE_USER)) { + int hits = countHits(client); + assertThat("With dfm_empty_overrides_all=false, DLS filter should apply and only sales doc visible", hits, is(1)); + } + } + + @Test + public void testSettingTrue_unrestrictedRoleWins_userSeesAllDocs() throws IOException { + setDfmEmptyOverridesAll(true); + try (TestRestClient client = cluster.getRestClient(MIXED_ROLE_USER)) { + int hits = countHits(client); + assertThat("With dfm_empty_overrides_all=true, unrestricted role should override DLS and all docs visible", hits, is(3)); + } + } + + @Test + public void testDynamicToggle_fromTrueToFalse_restrictionApplied() throws IOException { + setDfmEmptyOverridesAll(true); + try (TestRestClient client = cluster.getRestClient(MIXED_ROLE_USER)) { + assertThat("Expected all docs visible when setting is true", countHits(client), is(3)); + } + + setDfmEmptyOverridesAll(false); + try (TestRestClient client = cluster.getRestClient(MIXED_ROLE_USER)) { + assertThat("Expected only sales doc visible after toggling setting to false", countHits(client), is(1)); + } + } + + @Test + public void testDynamicToggle_fromFalseToTrue_restrictionLifted() throws IOException { + setDfmEmptyOverridesAll(false); + try (TestRestClient client = cluster.getRestClient(MIXED_ROLE_USER)) { + assertThat("Expected only sales doc visible when 
setting is false", countHits(client), is(1)); + } + + setDfmEmptyOverridesAll(true); + try (TestRestClient client = cluster.getRestClient(MIXED_ROLE_USER)) { + assertThat("Expected all docs visible after toggling setting to true", countHits(client), is(3)); + } + } + + @Test + public void testAdminUser_alwaysSeesAllDocs_regardlessOfSetting() throws IOException { + setDfmEmptyOverridesAll(false); + try (TestRestClient client = cluster.getRestClient(ADMIN_USER)) { + assertThat("Admin should always see all docs", countHits(client), is(3)); + } + + setDfmEmptyOverridesAll(true); + try (TestRestClient client = cluster.getRestClient(ADMIN_USER)) { + assertThat("Admin should always see all docs", countHits(client), is(3)); + } + } +} diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java index cb28906a9e..96a7fbc65a 100644 --- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java +++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java @@ -1646,9 +1646,7 @@ public List> getSettings() { Property.Filtered ) ); - settings.add( - Setting.boolSetting(ConfigConstants.SECURITY_DFM_EMPTY_OVERRIDES_ALL, false, Property.NodeScope, Property.Filtered) - ); + settings.add(SecuritySettings.DFM_EMPTY_OVERRIDES_ALL_SETTING); settings.add(Setting.groupSetting(ConfigConstants.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS + ".", Property.NodeScope)); // not // filtered // here diff --git a/src/main/java/org/opensearch/security/configuration/DlsFlsValveImpl.java b/src/main/java/org/opensearch/security/configuration/DlsFlsValveImpl.java index da86749c52..76c607f9a0 100644 --- a/src/main/java/org/opensearch/security/configuration/DlsFlsValveImpl.java +++ b/src/main/java/org/opensearch/security/configuration/DlsFlsValveImpl.java 
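Review bot: Every assertion in DfmEmptyOverridesAllDynamicSettingTest counts search hits, so only the DLS path is covered, while the settings consumer added in DlsFlsValveImpl also pushes the new value into the field-privilege and field-masking objects. A second role pair on `MIXED_ROLE_USER` that restricts or masks a field, with an assertion on the returned `_source`, would cover the other two setters. The class also leaves the cluster-wide setting at whatever the last test wrote; an `@After` that sends `{"transient":{"plugins.security.dfm_empty_overrides_all":null}}` would restore the default on the shared `@ClassRule` cluster.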
@@ -151,6 +151,15 @@ public DlsFlsValveImpl( clusterService.getClusterSettings().addSettingsUpdateConsumer(SecuritySettings.DLS_WRITE_BLOCKED, newDlsWriteBlockedEnabled -> { dlsWriteBlockedEnabled = newDlsWriteBlockedEnabled; }); + clusterService.getClusterSettings() + .addSettingsUpdateConsumer(SecuritySettings.DFM_EMPTY_OVERRIDES_ALL_SETTING, newDfmEmptyOverridesAll -> { + DlsFlsProcessedConfig config = dlsFlsProcessedConfig.get(); + if (config != null) { + config.getDocumentPrivileges().setDfmEmptyOverridesAll(newDfmEmptyOverridesAll); + config.getFieldPrivileges().setDfmEmptyOverridesAll(newDfmEmptyOverridesAll); + config.getFieldMasking().setDfmEmptyOverridesAll(newDfmEmptyOverridesAll); + } + }); } this.resourceSharingEnabledSetting = resourceSharingEnabledSetting; } diff --git a/src/main/java/org/opensearch/security/privileges/dlsfls/AbstractRuleBasedPrivileges.java b/src/main/java/org/opensearch/security/privileges/dlsfls/AbstractRuleBasedPrivileges.java index f7ba4442c8..cb32e08811 100644 --- a/src/main/java/org/opensearch/security/privileges/dlsfls/AbstractRuleBasedPrivileges.java +++ b/src/main/java/org/opensearch/security/privileges/dlsfls/AbstractRuleBasedPrivileges.java @@ -90,7 +90,7 @@ abstract class AbstractRuleBasedPrivileges(roles, indexMetadata, roleToRuleFunction) : null; } + public void setDfmEmptyOverridesAll(boolean dfmEmptyOverridesAll) { + this.dfmEmptyOverridesAll = dfmEmptyOverridesAll; + } + /** * Returns true if the user identified in the PrivilegesEvaluationContext does not have any restrictions in any case, * independently of the indices they are requesting. diff --git a/src/main/java/org/opensearch/security/support/SecuritySettings.java b/src/main/java/org/opensearch/security/support/SecuritySettings.java index cb5e6c1cd1..62ab79b8c9 100644 --- a/src/main/java/org/opensearch/security/support/SecuritySettings.java +++ b/src/main/java/org/opensearch/security/support/SecuritySettings.java 
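Review bot: The consumer only patches the privilege objects that exist when the setting changes, so a new value is dropped when `config` is null. Any DlsFlsProcessedConfig built afterwards (for example on a security-config reload) would presumably be seeded from node settings again, which silently reverts the toggle. That construction path is outside this hunk, so please confirm. If it does read the static value, keep the live value in a `volatile boolean` on the valve, set it in this lambda, and pass it in whenever a new config is built. The same lambda is touched again in the later `@@ -148,7 +148,7 @@` hunk, and the constructor body continues outside both.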
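Review bot: `setDfmEmptyOverridesAll` is presumably called from the cluster-settings applier thread while request threads read `dfmEmptyOverridesAll` during privilege evaluation, so the field needs a visibility guarantee. Its declaration in the `@@ -90,7 +90,7 @@` hunk is garbled on this page, so I cannot tell whether it is already `volatile`; if not, declare it `private volatile boolean dfmEmptyOverridesAll;`. Please also confirm that nothing derived from the old value (precomputed per-index rules, cached evaluation results) outlives the toggle, since the setter changes only the flag. A one-line Javadoc on the setter, saying that `true` lets a role without a DLS/FLS rule lift the restrictions imposed by other roles, would make the security impact visible at the call site.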
@@ -49,4 +49,12 @@ public class SecuritySettings { Setting.Property.NodeScope, Setting.Property.Dynamic ); + + public static final Setting DFM_EMPTY_OVERRIDES_ALL_SETTING = Setting.boolSetting( + ConfigConstants.SECURITY_DFM_EMPTY_OVERRIDES_ALL, + false, + Setting.Property.NodeScope, + Setting.Property.Dynamic, + Setting.Property.Filtered + ); } From a22ae2dc9eed63b84fbd0322be1ee5714923cb5e Mon Sep 17 00:00:00 2001 From: Craig Perkins Date: Mon, 16 Mar 2026 14:07:40 -0400 Subject: [PATCH 2/6] Remove Filtered Signed-off-by: Craig Perkins --- .../java/org/opensearch/security/support/SecuritySettings.java | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/main/java/org/opensearch/security/support/SecuritySettings.java b/src/main/java/org/opensearch/security/support/SecuritySettings.java index 62ab79b8c9..06b8fe6276 100644 --- a/src/main/java/org/opensearch/security/support/SecuritySettings.java +++ b/src/main/java/org/opensearch/security/support/SecuritySettings.java @@ -54,7 +54,6 @@ public class SecuritySettings { ConfigConstants.SECURITY_DFM_EMPTY_OVERRIDES_ALL, false, Setting.Property.NodeScope, - Setting.Property.Dynamic, - Setting.Property.Filtered + Setting.Property.Dynamic ); } From 8742e30cf4c2b29f2fcee528d954541254f154ac Mon Sep 17 00:00:00 2001 From: Craig Perkins Date: Mon, 16 Mar 2026 14:12:09 -0400 Subject: [PATCH 3/6] Add CHANGELOG entry Signed-off-by: Craig Perkins --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 19f38f2eb4..ebcc1b259a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
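Review bot: `DFM_EMPTY_OVERRIDES_ALL_SETTING` is added without a comment, although switching it on widens what restricted users can read. I would add a Javadoc such as `/** When true, a role with no DLS/FLS rule on an index overrides roles that restrict it; default false. Dynamic. */` so anyone editing its properties sees what the flag controls. The class body starts outside the hunk.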
@@ -14,12 +14,14 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), - Make security plugin aware of FIPS build param (-Pcrypto.standard=FIPS-140-3) ([#5952](https://github.com/opensearch-project/security/pull/5952)) - Hardens input validation for resource sharing APIs ([#5831](https://github.com/opensearch-project/security/pull/5831) - Optimize getFieldFilter to only return a predicate when index has FLS restrictions for user ([#5777](https://github.com/opensearch-project/security/pull/5777)) +- Make `plugins.security.dfm_empty_overrides_all` dynamically toggleable ([#6016](https://github.com/opensearch-project/security/pull/6016) ### Bug Fixes - Fix audit log writing errors for rollover-enabled alias indices ([#5878](https://github.com/opensearch-project/security/pull/5878) - Fix the issue of unprocessed X-Request-Id ([#5954](https://github.com/opensearch-project/security/pull/5954)) - Improve DLS error message to identify undefined user attributes when query substitution fails ([#5975](https://github.com/opensearch-project/security/pull/5975)) + ### Refactoring ### Maintenance From 6d55eb267a8c80321ff89b49adf92b97eaf474a7 Mon Sep 17 00:00:00 2001 From: Craig Perkins Date: Tue, 17 Mar 2026 17:18:20 -0400 Subject: [PATCH 4/6] Authorize Sensitive settings like other security APIs Signed-off-by: Craig Perkins --- .../SensitiveClusterSettingsAccessTest.java | 101 ++++++++++++++++++ .../security/filter/SecurityFilter.java | 39 +++++++ .../security/support/SecuritySettings.java | 3 +- 3 files changed, 142 insertions(+), 1 deletion(-) create mode 100644 src/integrationTest/java/org/opensearch/security/dlsfls/SensitiveClusterSettingsAccessTest.java diff --git a/src/integrationTest/java/org/opensearch/security/dlsfls/SensitiveClusterSettingsAccessTest.java b/src/integrationTest/java/org/opensearch/security/dlsfls/SensitiveClusterSettingsAccessTest.java new file mode 100644 index 0000000000..0d41e5af47 --- /dev/null 
+++ b/src/integrationTest/java/org/opensearch/security/dlsfls/SensitiveClusterSettingsAccessTest.java 
@@ -0,0 +1,101 @@ +/* + * SPDX-License-Identifier: Apache-2.0 + * + * The OpenSearch Contributors require contributions made to + * this file be licensed under the Apache-2.0 license or a + * compatible open source license. + */ + +package org.opensearch.security.dlsfls; + +import java.util.List; +import java.util.Map; + +import org.junit.ClassRule; +import org.junit.Test; + +import org.opensearch.test.framework.TestSecurityConfig.Role; +import org.opensearch.test.framework.TestSecurityConfig.User; +import org.opensearch.test.framework.cluster.ClusterManager; +import org.opensearch.test.framework.cluster.LocalCluster; +import org.opensearch.test.framework.cluster.TestRestClient; +import org.opensearch.test.framework.cluster.TestRestClient.HttpResponse; + +import static org.hamcrest.MatcherAssert.assertThat; +import static org.hamcrest.Matchers.is; +import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED; +import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL; +import static org.opensearch.test.framework.TestSecurityConfig.Role.ALL_ACCESS; + +/** + * Verifies that plugins.security.dfm_empty_overrides_all (a Sensitive setting) can only be + * updated by users whose role is listed in plugins.security.restapi.roles_enabled, and that + * a user with only cluster:admin/settings/put is denied with 403. 
+ */ +public class SensitiveClusterSettingsAccessTest { + + static final String DFM_SETTING_BODY = "{\"transient\":{\"plugins.security.dfm_empty_overrides_all\":true}}"; + + static final User SECURITY_ADMIN = new User("security_admin").roles(ALL_ACCESS); + + static final Role SETTINGS_ONLY_ROLE = new Role("settings_only_role").clusterPermissions( + "cluster:admin/settings/put", + "cluster:admin/settings/update" + ); + static final User SETTINGS_USER = new User("settings_user").roles(SETTINGS_ONLY_ROLE); + + @ClassRule + public static final LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.SINGLENODE) + .anonymousAuth(false) + .authc(AUTHC_HTTPBASIC_INTERNAL) + .users(SECURITY_ADMIN, SETTINGS_USER) + .nodeSettings(Map.of(SECURITY_RESTAPI_ROLES_ENABLED, List.of("user_" + SECURITY_ADMIN.getName() + "__" + ALL_ACCESS.getName()))) + .build(); + + @Test + public void adminCertUser_canUpdateSensitiveSetting() { + try (TestRestClient client = cluster.getRestClient(cluster.getAdminCertificate())) { + HttpResponse response = client.putJson("_cluster/settings", DFM_SETTING_BODY); + assertThat(response.getStatusCode(), is(200)); + } + } + + @Test + public void securityAdmin_canUpdateSensitiveSetting() { + try (TestRestClient client = cluster.getRestClient(SECURITY_ADMIN)) { + HttpResponse response = client.putJson("_cluster/settings", DFM_SETTING_BODY); + assertThat(response.getStatusCode(), is(200)); + } + } + + @Test + public void userWithOnlyClusterSettingsPerm_cannotUpdateSensitiveSetting() { + try (TestRestClient client = cluster.getRestClient(SETTINGS_USER)) { + HttpResponse response = client.putJson("_cluster/settings", DFM_SETTING_BODY); + assertThat(response.getStatusCode(), is(403)); + } + } + + @Test + public void userWithOnlyClusterSettingsPerm_cannotUpdateMixedPayloadContainingSensitiveSetting() { + try (TestRestClient client = cluster.getRestClient(SETTINGS_USER)) { + HttpResponse response = client.putJson( + "_cluster/settings", + 
"{\"transient\":{\"indices.recovery.max_bytes_per_sec\":\"50mb\",\"plugins.security.dfm_empty_overrides_all\":true}}" + ); + assertThat(response.getStatusCode(), is(403)); + } + } + + @Test + public void userWithOnlyClusterSettingsPerm_canStillUpdateNonSensitiveSetting() { + try (TestRestClient client = cluster.getRestClient(SETTINGS_USER)) { + // indices.recovery.max_bytes_per_sec is a core Dynamic setting with no Sensitive property + HttpResponse response = client.putJson( + "_cluster/settings", + "{\"transient\":{\"indices.recovery.max_bytes_per_sec\":\"50mb\"}}" + ); + assertThat(response.getStatusCode(), is(200)); + } + } +} diff --git a/src/main/java/org/opensearch/security/filter/SecurityFilter.java b/src/main/java/org/opensearch/security/filter/SecurityFilter.java index f4e005d6a2..36699f44e8 100644 --- a/src/main/java/org/opensearch/security/filter/SecurityFilter.java +++ b/src/main/java/org/opensearch/security/filter/SecurityFilter.java @@ -31,6 +31,7 @@ import java.util.UUID; import java.util.function.Consumer; import java.util.stream.Collectors; +import java.util.stream.Stream; import com.google.common.annotations.VisibleForTesting; import com.google.common.collect.ImmutableSet; @@ -43,6 +44,8 @@ import org.opensearch.ResourceAlreadyExistsException; import org.opensearch.action.ActionRequest; import org.opensearch.action.DocWriteRequest.OpType; +import org.opensearch.action.admin.cluster.settings.ClusterUpdateSettingsAction; +import org.opensearch.action.admin.cluster.settings.ClusterUpdateSettingsRequest; import org.opensearch.action.admin.cluster.snapshots.restore.RestoreSnapshotRequest; import org.opensearch.action.admin.indices.alias.Alias; import org.opensearch.action.admin.indices.alias.IndicesAliasesRequest; 
@@ -123,6 +126,7 @@ public class SecurityFilter implements ActionFilter { private final UserInjector userInjector; private final ResourceAccessEvaluator resourceAccessEvaluator; private final ThreadContextUserInfo threadContextUserInfo; + private final Set restApiAllowedRoles; public SecurityFilter( final Settings settings, @@ -153,6 +157,7 @@ public SecurityFilter( this.rolesInjector = new RolesInjector(auditLog); this.userInjector = new UserInjector(settings, threadPool, auditLog, xffResolver); this.resourceAccessEvaluator = resourceAccessEvaluator; + this.restApiAllowedRoles = Set.copyOf(settings.getAsList(ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED)); this.threadContextUserInfo = new ThreadContextUserInfo( threadPool.getThreadContext(), privilegesConfiguration, @@ -436,6 +441,9 @@ private void ap } // not a resource‐sharing request → fall back into the normal PrivilegesEvaluator + if (checkSensitiveSettingsAccess(action, request, context, listener)) { + return; + } PrivilegesEvaluatorResponse pres = eval.evaluate(context); if (log.isDebugEnabled()) { 
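Review bot: `restApiAllowedRoles` in the `@@ -153,6 +157,7 @@` hunk is a one-time snapshot of `plugins.security.restapi.roles_enabled` taken from node settings in the constructor, and an unset list yields an empty set, which makes the later `Collections.disjoint(...)` test true for every user. That fails closed, which is the right default. It also means a cluster without `roles_enabled` can change Sensitive settings only through whatever path bypasses this filter (the admin-certificate test suggests there is one). Please state that on the field, for example `// empty => no mapped role may update Sensitive cluster settings`. The constructor continues outside the hunk.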
@@ -520,6 +528,37 @@ private void ap } } + private boolean checkSensitiveSettingsAccess( + String action, + Request request, + PrivilegesEvaluationContext context, + ActionListener listener + ) { + if (!ClusterUpdateSettingsAction.NAME.equals(action)) { + return false; + } + ClusterUpdateSettingsRequest settingsRequest = (ClusterUpdateSettingsRequest) request; + boolean touchesSensitiveSetting = Stream.concat( + settingsRequest.transientSettings().keySet().stream(), + settingsRequest.persistentSettings().keySet().stream() + ).anyMatch(key -> cs.getClusterSettings().isSensitiveSetting(key)); + + if (!touchesSensitiveSetting) { + return false; + } + if (Collections.disjoint(restApiAllowedRoles, context.getMappedRoles())) { + log.debug("User {} does not have a role permitted to update sensitive cluster settings", context.getUser().getName()); + listener.onFailure( + new OpenSearchSecurityException( + "User " + context.getUser().getName() + " does not have permission to update sensitive cluster settings", + RestStatus.FORBIDDEN + ) + ); + return true; + } + return false; + } + private static boolean isUserAdmin(User user, final AdminDNs adminDns) { return user != null && adminDns.isAdmin(user); } diff --git a/src/main/java/org/opensearch/security/support/SecuritySettings.java b/src/main/java/org/opensearch/security/support/SecuritySettings.java index 06b8fe6276..61a17a953e 100644 --- a/src/main/java/org/opensearch/security/support/SecuritySettings.java +++ b/src/main/java/org/opensearch/security/support/SecuritySettings.java @@ -54,6 +54,7 @@ public class SecuritySettings { ConfigConstants.SECURITY_DFM_EMPTY_OVERRIDES_ALL, false, Setting.Property.NodeScope, - Setting.Property.Dynamic + Setting.Property.Dynamic, + Setting.Property.Sensitive ); } From 03e8b5ff5a9a6d6473e07b7d2cafa1b30c670c80 Mon Sep 17 00:00:00 2001 From: Craig Perkins Date: Tue, 24 Mar 2026 10:44:44 -0400 Subject: [PATCH 5/6] Fix compile issue 
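Review bot: `checkSensitiveSettingsAccess` looks up each request key literally with `isSensitiveSetting(key)`, so a key written as a pattern may not resolve to the registered setting and the request would then be judged by the ordinary settings-update permission alone; the lookup is implemented outside this page, so please confirm how it treats keys containing `*`. If patterns are not matched, compare them explicitly, e.g. `key -> cs.getClusterSettings().isSensitiveSetting(key) || Regex.simpleMatch(key, SecuritySettings.DFM_EMPTY_OVERRIDES_ALL_SETTING.getKey())`, and add a case for it to SensitiveClusterSettingsAccessTest. The denial is also logged only at debug level and returns before the normal evaluator runs, so it may never reach the audit log; a rejected attempt to change a security-relevant setting should produce the same missing-privileges audit event as any other denied action. Finally, the cast to `ClusterUpdateSettingsRequest` is unchecked, and an `instanceof` guard would keep an unexpected request type from surfacing as a ClassCastException.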
Signed-off-by: Craig Perkins --- .../org/opensearch/security/configuration/DlsFlsValveImpl.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/opensearch/security/configuration/DlsFlsValveImpl.java b/src/main/java/org/opensearch/security/configuration/DlsFlsValveImpl.java index 00ee6f4e5d..2865b6b64b 100644 --- a/src/main/java/org/opensearch/security/configuration/DlsFlsValveImpl.java +++ b/src/main/java/org/opensearch/security/configuration/DlsFlsValveImpl.java @@ -148,7 +148,7 @@ public DlsFlsValveImpl( }); clusterService.getClusterSettings() .addSettingsUpdateConsumer(SecuritySettings.DFM_EMPTY_OVERRIDES_ALL_SETTING, newDfmEmptyOverridesAll -> { - DlsFlsProcessedConfig config = dlsFlsProcessedConfig.get(); + DlsFlsProcessedConfig config = dlsFlsBaseContext.config(); if (config != null) { config.getDocumentPrivileges().setDfmEmptyOverridesAll(newDfmEmptyOverridesAll); config.getFieldPrivileges().setDfmEmptyOverridesAll(newDfmEmptyOverridesAll); From d6fe949c090c7e90b694bea7145e172c54cbeb8f Mon Sep 17 00:00:00 2001 From: Craig Perkins Date: Tue, 24 Mar 2026 13:14:57 -0400 Subject: [PATCH 6/6] Fix tests Signed-off-by: Craig Perkins --- .../dlsfls/DfmEmptyOverridesAllDynamicSettingTest.java | 2 +- .../security/dlsfls/SensitiveClusterSettingsAccessTest.java | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/integrationTest/java/org/opensearch/security/dlsfls/DfmEmptyOverridesAllDynamicSettingTest.java b/src/integrationTest/java/org/opensearch/security/dlsfls/DfmEmptyOverridesAllDynamicSettingTest.java index 51823d8f1c..491a2e6b5e 100644 --- a/src/integrationTest/java/org/opensearch/security/dlsfls/DfmEmptyOverridesAllDynamicSettingTest.java +++ b/src/integrationTest/java/org/opensearch/security/dlsfls/DfmEmptyOverridesAllDynamicSettingTest.java 
@@ -76,7 +76,7 @@ private void setDfmEmptyOverridesAll(boolean enabled) throws IOException { try (TestRestClient client = cluster.getRestClient(ADMIN_USER)) { HttpResponse response = client.putJson( "_cluster/settings", - String.format("{\"transient\":{\"plugins.security.dfm_empty_overrides_all\":%b}}", enabled) + String.format("{\"persistent\":{\"plugins.security.dfm_empty_overrides_all\":%b}}", enabled) ); assertThat("Failed to update cluster setting", response.getStatusCode(), is(200)); } diff --git a/src/integrationTest/java/org/opensearch/security/dlsfls/SensitiveClusterSettingsAccessTest.java b/src/integrationTest/java/org/opensearch/security/dlsfls/SensitiveClusterSettingsAccessTest.java index 0d41e5af47..e29b86a4da 100644 --- a/src/integrationTest/java/org/opensearch/security/dlsfls/SensitiveClusterSettingsAccessTest.java +++ b/src/integrationTest/java/org/opensearch/security/dlsfls/SensitiveClusterSettingsAccessTest.java @@ -34,7 +34,7 @@ */ public class SensitiveClusterSettingsAccessTest { - static final String DFM_SETTING_BODY = "{\"transient\":{\"plugins.security.dfm_empty_overrides_all\":true}}"; + static final String DFM_SETTING_BODY = "{\"persistent\":{\"plugins.security.dfm_empty_overrides_all\":true}}"; static final User SECURITY_ADMIN = new User("security_admin").roles(ALL_ACCESS); @@ -81,7 +81,7 @@ public void userWithOnlyClusterSettingsPerm_cannotUpdateMixedPayloadContainingSe try (TestRestClient client = cluster.getRestClient(SETTINGS_USER)) { HttpResponse response = client.putJson( "_cluster/settings", - "{\"transient\":{\"indices.recovery.max_bytes_per_sec\":\"50mb\",\"plugins.security.dfm_empty_overrides_all\":true}}" + "{\"persistent\":{\"indices.recovery.max_bytes_per_sec\":\"50mb\",\"plugins.security.dfm_empty_overrides_all\":true}}" ); assertThat(response.getStatusCode(), is(403)); }