cwperks · cwperks · May 11, 2025 · May 11, 2025 · May 11, 2025 · May 12, 2025
@@ -1,5 +1,5 @@
 name: Dependabot PR actions
-on: pull_request
+on: pull_request_target
 
 jobs:
   dependabot:

@@ -7,6 +7,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ### Added
 - [Resource Permissions] Introduces Centralized Resource Access Control Framework ([#5281](https://github.com/opensearch-project/security/pull/5281))
 - Github workflow for changelog verification ([#5318](https://github.com/opensearch-project/security/pull/5318))
+- Register cluster settings listener for `plugins.security.cache.ttl_minutes` ([#5324](https://github.com/opensearch-project/security/pull/5324))
 
 ### Changed
 
@@ -31,6 +32,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ### Fixed
 - Corrections in DlsFlsFilterLeafReader regarding PointVales and object valued attributes ([#5303](https://github.com/opensearch-project/security/pull/5303))
 - Fix issue computing diffs in compliance audit log when writing to security index ([#5279](https://github.com/opensearch-project/security/pull/5279))
+- Fixing dependabot broken pull_request workflow for changelog update ([#5331](https://github.com/opensearch-project/security/pull/5331))
 
 ### Security
 

@@ -0,0 +1,57 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+package org.opensearch.security;
+
+import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
+import org.awaitility.Awaitility;
+import org.junit.ClassRule;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import org.opensearch.security.support.ConfigConstants;
+import org.opensearch.test.framework.cluster.ClusterManager;
+import org.opensearch.test.framework.cluster.LocalCluster;
+import org.opensearch.test.framework.cluster.TestRestClient;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsString;
+import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL;
+import static org.opensearch.test.framework.TestSecurityConfig.User.USER_ADMIN;
+
+@RunWith(com.carrotsearch.randomizedtesting.RandomizedRunner.class)
+@ThreadLeakScope(ThreadLeakScope.Scope.NONE)
+public class SecuritySettingsTests {
+
+    @ClassRule
+    public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.SINGLENODE)
+        .anonymousAuth(false)
+        .authc(AUTHC_HTTPBASIC_INTERNAL)
+        .users(USER_ADMIN)
+        .build();
+
+    @Test
+    public void testTtlInMinCanBeUpdatedDynamically() {
+        try (TestRestClient client = cluster.getRestClient(USER_ADMIN)) {
+            TestRestClient.HttpResponse updateResponse = client.putJson("_cluster/settings", """
+                    {
+                        "persistent": { },
+                        "transient": {
+                            "plugins.security.cache.ttl_minutes": "1440"
+                        }
+                    }
+                """);
+
+            updateResponse.assertStatusCode(200);
+            Awaitility.await().untilAsserted(() -> {
+                TestRestClient.HttpResponse response = client.get("_plugins/_security/health");
+                assertThat(response.getBody(), containsString("\"" + ConfigConstants.SECURITY_CACHE_TTL_MINUTES + "\":1440"));
+            });
+        }
+    }
+}
@@ -1139,6 +1139,7 @@ public Collection<Object> createComponents(
 
         final XFFResolver xffResolver = new XFFResolver(threadPool);
         backendRegistry = new BackendRegistry(settings, adminDns, xffResolver, auditLog, threadPool);
+        backendRegistry.registerClusterSettingsChangeListener(clusterService.getClusterSettings());
         tokenManager = new SecurityTokenManager(cs, threadPool, userService);
 
         final CompatConfig compatConfig = new CompatConfig(environment, transportPassiveAuthSetting);
@@ -1484,7 +1485,7 @@ public List<Setting<?>> getSettings() {
 
             settings.add(Setting.boolSetting(ConfigConstants.SECURITY_DISABLED, false, Property.NodeScope, Property.Filtered));
 
-            settings.add(Setting.intSetting(ConfigConstants.SECURITY_CACHE_TTL_MINUTES, 60, 0, Property.NodeScope, Property.Filtered));
+            settings.add(SecuritySettings.CACHE_TTL_SETTING);
 
             // Security
             settings.add(

@@ -50,6 +50,7 @@
 import org.apache.logging.log4j.Logger;
 
 import org.opensearch.OpenSearchSecurityException;
+import org.opensearch.common.settings.ClusterSettings;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.common.util.concurrent.ThreadContext;
 import org.opensearch.core.common.transport.TransportAddress;
@@ -66,6 +67,7 @@
 import org.opensearch.security.securityconf.DynamicConfigModel;
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.security.support.HostAndCidrMatcher;
+import org.opensearch.security.support.SecuritySettings;
 import org.opensearch.security.user.AuthCredentials;
 import org.opensearch.security.user.User;
 import org.opensearch.threadpool.ThreadPool;
@@ -98,7 +100,7 @@ public class BackendRegistry {
     private final AuditLog auditLog;
     private final ThreadPool threadPool;
     private final UserInjector userInjector;
-    private final int ttlInMin;
+    private int ttlInMin;
     private Cache<AuthCredentials, User> userCache; // rest standard
     private Cache<String, User> restImpersonationCache; // used for rest impersonation
     private Cache<User, Set<String>> restRoleCache; //
@@ -133,7 +135,15 @@ public void onRemoval(RemovalNotification<User, Set<String>> notification) {
                 }
             })
             .build();
+    }
+
+    public void registerClusterSettingsChangeListener(final ClusterSettings clusterSettings) {
+        clusterSettings.addSettingsUpdateConsumer(SecuritySettings.CACHE_TTL_SETTING, newTtlInMin -> {
+            log.info("Detected change in settings, cluster setting for TTL is {}", newTtlInMin);
 
+            ttlInMin = newTtlInMin;
+            createCaches();
+        });
     }
 
     public BackendRegistry(
@@ -165,6 +175,10 @@ public boolean isInitialized() {
         return initialized;
     }
 
+    public int getTtlInMin() {
+        return ttlInMin;
+    }
+
     public void invalidateCache() {
         userCache.invalidateAll();
         restImpersonationCache.invalidateAll();

@@ -49,6 +49,7 @@
 import static org.opensearch.security.dlic.rest.support.Utils.PLUGIN_ROUTE_PREFIX;
 import static org.opensearch.security.dlic.rest.support.Utils.addDeprecatedRoutesPrefix;
 import static org.opensearch.security.dlic.rest.support.Utils.addRoutesPrefix;
+import static org.opensearch.security.support.SecuritySettings.CACHE_TTL_SETTING;
 
 public class SecurityHealthAction extends BaseRestHandler {
     private static final List<Route> routes = addRoutesPrefix(
@@ -108,6 +109,10 @@ public void accept(RestChannel channel) throws Exception {
                     builder.field("message", message);
                     builder.field("mode", mode);
                     builder.field("status", status);
+                    // TODO Consider a separate settings API
+                    builder.startObject("settings");
+                    builder.field(CACHE_TTL_SETTING.getKey(), registry.getTtlInMin());
+                    builder.endObject();
                     builder.endObject();
                     response = new BytesRestResponse(restStatus, builder);
 

@@ -28,4 +28,12 @@ public class SecuritySettings {
         Setting.Property.Dynamic
     ); // Not filtered
 
+    public static final Setting<Integer> CACHE_TTL_SETTING = Setting.intSetting(
+        ConfigConstants.SECURITY_CACHE_TTL_MINUTES,
+        60,
+        0,
+        Setting.Property.NodeScope,
+        Setting.Property.Dynamic
+    ); // Not filtered
+
 }