Restrict master key reading from cluster settings API (opensearch-project#1825)

vamsimanohar · web-flow · commit a8ecd2fbfcca · 2023-07-10T17:36:15.000-07:00
Signed-off-by: Vamsi Manohar &lt;reddyvam@amazon.com&gt;
diff --git a/integ-test/src/test/java/org/opensearch/sql/datasource/DataSourceAPIsIT.java b/integ-test/src/test/java/org/opensearch/sql/datasource/DataSourceAPIsIT.java
@@ -17,14 +17,10 @@
 import java.util.ArrayList;
 import java.util.List;
 import lombok.SneakyThrows;
-import org.apache.commons.lang3.StringUtils;
 import org.junit.AfterClass;
 import org.junit.Assert;
-import org.junit.BeforeClass;
 import org.junit.Test;
-import org.opensearch.action.update.UpdateRequest;
 import org.opensearch.client.Request;
-import org.opensearch.client.RequestOptions;
 import org.opensearch.client.Response;
 import org.opensearch.client.ResponseException;
 import org.opensearch.sql.datasource.model.DataSourceMetadata;
diff --git a/integ-test/src/test/java/org/opensearch/sql/datasource/DatasourceClusterSettingsIT.java b/integ-test/src/test/java/org/opensearch/sql/datasource/DatasourceClusterSettingsIT.java
@@ -0,0 +1,43 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package org.opensearch.sql.datasource;
+
+import static org.hamcrest.Matchers.equalTo;
+
+import java.io.IOException;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.json.JSONObject;
+import org.junit.Test;
+import org.opensearch.client.ResponseException;
+import org.opensearch.sql.legacy.TestUtils;
+import org.opensearch.sql.ppl.PPLIntegTestCase;
+
+public class DatasourceClusterSettingsIT extends PPLIntegTestCase {
+
+  private static final Logger LOG = LogManager.getLogger();
+  @Test
+  public void testGetDatasourceClusterSettings() throws IOException {
+    JSONObject clusterSettings = getAllClusterSettings();
+    assertThat(clusterSettings.query("/defaults/plugins.query.datasources.encryption.masterkey"),
+        equalTo(null));
+  }
+
+
+  @Test
+  public void testPutDatasourceClusterSettings() throws IOException {
+    final ResponseException exception =
+        expectThrows(ResponseException.class, () -> updateClusterSettings(new ClusterSetting(PERSISTENT,
+    "plugins.query.datasources.encryption.masterkey",
+        "masterkey")));
+    JSONObject resp = new JSONObject(TestUtils.getResponseBody(exception.getResponse()));
+    assertThat(resp.getInt("status"), equalTo(400));
+    assertThat(resp.query("/error/root_cause/0/reason"),
+        equalTo("final persistent setting [plugins.query.datasources.encryption.masterkey], not updateable"));
+    assertThat(resp.query("/error/type"), equalTo("settings_exception"));
+  }
+
+}
diff --git a/opensearch/src/main/java/org/opensearch/sql/opensearch/setting/OpenSearchSettings.java b/opensearch/src/main/java/org/opensearch/sql/opensearch/setting/OpenSearchSettings.java
@@ -113,7 +113,8 @@ public class OpenSearchSettings extends Settings {
       ENCYRPTION_MASTER_KEY.getKeyValue(),
       "0000000000000000",
       Setting.Property.NodeScope,
-      Setting.Property.Final);
+      Setting.Property.Final,
+      Setting.Property.Filtered);
 
   public static final Setting<String> DATASOURCE_URI_ALLOW_HOSTS = Setting.simpleString(
       Key.DATASOURCES_URI_ALLOWHOSTS.getKeyValue(),
