fixed plugins unknown setting and disabled_rest_categories

CHANGELOG.md

@@ -22,6 +22,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ### Bug Fixes
 - Fix audit log writing errors for rollover-enabled alias indices ([#5878](https://github.com/opensearch-project/security/pull/5878)
 - Fix the issue of unprocessed X-Request-Id ([#5954](https://github.com/opensearch-project/security/pull/5954))
+- Fix audit log `NONE` sentinel not respected for `disabled_rest_categories`, `disabled_transport_categories`, and `ignore_users` in dynamic configuration ([#6021](https://github.com/opensearch-project/security/pull/6021))
 - Improve DLS error message to identify undefined user attributes when query substitution fails ([#5975](https://github.com/opensearch-project/security/pull/5975))
 - Fix span propagation issue for tracing([#6006](https://github.com/opensearch-project/security/pull/6006))
 

src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java

@@ -256,9 +256,10 @@ public static Filter from(Map<String, Object> properties) throws JsonProcessingE
                     ConfigConstants.OPENDISTRO_SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT
                 )
             );
-            final Set<String> ignoredAuditUsers = ImmutableSet.copyOf(
-                getOrDefault(properties, FilterEntries.IGNORE_USERS.getKey(), DEFAULT_IGNORED_USERS)
-            );
+            final List<String> rawIgnoredUsers = getOrDefault(properties, FilterEntries.IGNORE_USERS.getKey(), DEFAULT_IGNORED_USERS);
+            final Set<String> ignoredAuditUsers = rawIgnoredUsers.size() == 1 && "NONE".equalsIgnoreCase(rawIgnoredUsers.get(0))
+                ? Collections.emptySet()
+                : ImmutableSet.copyOf(rawIgnoredUsers);
             final Set<String> ignoreAuditRequests = ImmutableSet.copyOf(
                 getOrDefault(properties, FilterEntries.IGNORE_REQUESTS.getKey(), Collections.emptyList())
             );

src/main/java/org/opensearch/security/auditlog/impl/AuditCategory.java

@@ -34,6 +34,9 @@ public enum AuditCategory {
 
     public static Set<AuditCategory> parse(final Collection<String> categories) {
         if (categories.isEmpty()) return Collections.emptySet();
+        if (categories.size() == 1 && "NONE".equalsIgnoreCase(categories.iterator().next())) {
+            return Collections.emptySet();
+        }
 
         return categories.stream().map(String::toUpperCase).map(AuditCategory::valueOf).collect(ImmutableSet.toImmutableSet());
     }

src/test/java/org/opensearch/security/auditlog/config/AuditConfigFilterTest.java

@@ -13,7 +13,9 @@
 
 import java.util.Collections;
 import java.util.EnumSet;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 import java.util.Set;
 import java.util.function.Function;
 
@@ -118,6 +120,21 @@ public void testNone() {
         assertTrue(auditConfigFilter.getDisabledTransportCategories().isEmpty());
     }
 
+    @Test
+    public void testNoneViaMap() throws Exception {
+        // "NONE" sentinel should clear disabled categories and ignored users when set via the REST/Map path
+        final Map<String, Object> properties = new HashMap<>();
+        properties.put(FilterEntries.IGNORE_USERS.getKey(), List.of("NONE"));
+        properties.put(FilterEntries.DISABLE_REST_CATEGORIES.getKey(), List.of("None"));
+        properties.put(FilterEntries.DISABLE_TRANSPORT_CATEGORIES.getKey(), List.of("none"));
+
+        final AuditConfig.Filter auditConfigFilter = AuditConfig.Filter.from(properties);
+
+        assertSame(WildcardMatcher.NONE, auditConfigFilter.getIgnoredAuditUsersMatcher());
+        assertTrue(auditConfigFilter.getDisabledRestCategories().isEmpty());
+        assertTrue(auditConfigFilter.getDisabledTransportCategories().isEmpty());
+    }
+
     @Test
     public void testEmpty() {
         // arrange