[FEATURE] Support Security Config Updates on the REST API

[terryquigleysas]

Is your feature request related to a problem?
We need to be able to update elements of the security config. We have found the REST API to work but have so far been prevented from using it as it appears to be marked as unsupported.

From https://opensearch.org/docs/latest/security/access-control/api/#patch-configuration the property that needs to be set is called:
plugins.security.unsupported.restapi.allow_securityconfig_modification: true

What solution would you like?
As raised in the last backlog and triage meeting, could the naming of this be made more neutral (i.e. removal or replacement of "unsupported") and confirmation provided that there is no functional reason why this call does not work?

What alternatives have you considered?
As an additional note we have attempted to use the securityadmin.sh script to reload the config. As well as being more unwieldy for or use case it no longer works for one of the scenarios we need to support due to the new requirement for TLS to be enabled for the script to work in OpenSearch 2.x

[stephen-crawford]

[Triage] Hi @terryquigleysas, thank you for filing this issue. I will take a moment to update the code to show that it is working as expected.

[terryquigleysas]

@scrawfor99 Thanks for taking this on. Is there other information you require from me?

As mentioned above and at the triage meetings it would be great if the following were possible:

1. Confirmation that the REST API calls (PATCH especially) to upgrade the security config work as expected.
   I know @peternied stated in the triage meeting that it should but, as I'm sure you appreciate, we require assurance in writing rather than verbally
2. Removal or replacement of "unsupported" wording - ideally by version 2.7.0 if possible.

This is currently holding up our ability to move to OpenSearch version 2.x unfortunately. Even if point 1) were answered we may be able to progress with that at our end.

[willyborankin]

@scrawfor99 and @peternied I can confirm that it works as expected we use it in our test env so far without any issue. The main problem that it is impossible to call the endpoint without superadmin access but together with REST API admin permissions it is possible. I can implement this feature. wdyt?

[peternied]

Sure thing, IMO there is no good reason to use unsupported in the name.

[ihendry2]

Hi @scrawfor99, @peternied and @willyborankin,
thanks for answering Terry's question can you confirm the following:-

• as above it works as expected?
• the only change that will be applied is the removal of unsupported in the name and no functional changes will be made?
• timeline/release version for the change being in place?
  Thanks

[stephen-crawford]

Hi @ihendry2, I believe that is correct. That being said, I never ended up implementing this personally. I believe that @willyborankin had mentioned interest in putting this together but I know they are also quite busy so I cannot speak to the state of the change. It is a small change so realistically could be implemented in the subsequent release.

[willyborankin]

Hi @ihendry2 yes i will add it asap after this feature #2411 has been checked on potential security problems which is part of the process.

[davidlago]

@willyborankin following up on this as #2411 merged. Are we good to close this one?

[willyborankin]

Hi @davidlago I'm going to open PR for this feature