opensearch-project · cwperks · Oct 1, 2025 · Sep 26, 2025 · Sep 26, 2025 · Sep 29, 2025
@@ -15,7 +15,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - [SecurityPlugin Health Check] Add AuthZ initialization completion check in health check API [(#5626)](https://github.com/opensearch-project/security/pull/5626)
 - [Resource Sharing] Adds API to provide dashboards support for resource access management ([#5597](https://github.com/opensearch-project/security/pull/5597))
 - Direct JWKS (JSON Web Key Set) support in the JWT authentication backend ([#5578](https://github.com/opensearch-project/security/pull/5578))
-
+- Make configuration setting for user custom attribute serialization dynamic ([#5657](https://github.com/opensearch-project/security/pull/5657))
 
 ### Bug Fixes
 

@@ -2267,14 +2267,7 @@ public List<Setting<?>> getSettings() {
                 )
             );
 
-            settings.add(
-                Setting.boolSetting(
-                    ConfigConstants.USER_ATTRIBUTE_SERIALIZATION_ENABLED,
-                    ConfigConstants.USER_ATTRIBUTE_SERIALIZATION_ENABLED_DEFAULT,
-                    Property.NodeScope,
-                    Property.Filtered
-                )
-            );
+            settings.add(SecuritySettings.USER_ATTRIBUTE_SERIALIZATION_ENABLED_SETTING);
         }
 
         return settings;
@@ -2288,7 +2281,18 @@ public List<String> getSettingsFilter() {
             return settingsFilter;
         }
         settingsFilter.add("opendistro_security.*");
-        settingsFilter.add("plugins.security.*");
+        settingsFilter.add("plugins.security.transport_user_cache.*");
+        settingsFilter.add("plugins.security.nodes_dn.*");
+        settingsFilter.add("plugins.security.restapi.*");
+        settingsFilter.add("plugins.security.ssl.*");
+        settingsFilter.add("plugins.security.config_version.*");
+        settingsFilter.add("plugins.security.nodes_dn_dynamic_config_enabled.*");
+        settingsFilter.add("plugins.security.privileges_evaluation.*");
+        settingsFilter.add("plugins.security.authcz.*");
+        settingsFilter.add("plugins.security.password.*");
+        settingsFilter.add("plugins.security.unsupported.*");
+        settingsFilter.add("plugins.security.audit.*");
+        settingsFilter.add("plugins.security.compliance.*");
         return settingsFilter;
     }
 

@@ -80,6 +80,7 @@
 import org.opensearch.cluster.metadata.IndexNameExpressionResolver;
 import org.opensearch.cluster.metadata.Metadata;
 import org.opensearch.cluster.service.ClusterService;
+import org.opensearch.common.settings.ClusterSettings;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.common.util.concurrent.ThreadContext;
 import org.opensearch.core.common.Strings;
@@ -105,6 +106,7 @@
 import org.opensearch.security.securityconf.impl.v7.TenantV7;
 import org.opensearch.security.support.Base64Helper;
 import org.opensearch.security.support.ConfigConstants;
+import org.opensearch.security.support.SecuritySettings;
 import org.opensearch.security.support.WildcardMatcher;
 import org.opensearch.security.user.User;
 import org.opensearch.tasks.Task;
@@ -153,6 +155,7 @@ public class PrivilegesEvaluator {
     private PrivilegesInterceptor privilegesInterceptor;
 
     private final boolean checkSnapshotRestoreWritePrivileges;
+    private boolean isUserAttributeSerializationEnabled;
 
     private final ClusterInfoHolder clusterInfoHolder;
     private final ConfigurationRepository configurationRepository;
@@ -204,6 +207,10 @@ public PrivilegesEvaluator(
             ConfigConstants.SECURITY_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES,
             ConfigConstants.SECURITY_DEFAULT_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES
         );
+        this.isUserAttributeSerializationEnabled = settings.getAsBoolean(
+            USER_ATTRIBUTE_SERIALIZATION_ENABLED,
+            USER_ATTRIBUTE_SERIALIZATION_ENABLED_DEFAULT
+        );
 
         this.clusterInfoHolder = clusterInfoHolder;
         this.irr = irr;
@@ -236,6 +243,8 @@ public PrivilegesEvaluator(
                     actionPrivileges.clusterStateMetadataDependentPrivileges().updateClusterStateMetadataAsync(clusterService, threadPool);
                 }
             });
+
+            this.registerClusterSettingsChangeListener(clusterService.getClusterSettings());
         }
     }
 
@@ -286,8 +295,17 @@ public boolean isInitialized() {
         return configModel != null && dcm != null && actionPrivileges.get() != null;
     }
 
+    public void registerClusterSettingsChangeListener(final ClusterSettings clusterSettings) {
+        clusterSettings.addSettingsUpdateConsumer(
+            SecuritySettings.USER_ATTRIBUTE_SERIALIZATION_ENABLED_SETTING,
+            newIsUserAttributeSerializationEnabled -> {
+                isUserAttributeSerializationEnabled = newIsUserAttributeSerializationEnabled;
+            }
+        );
+    }
+
     private boolean isUserAttributeSerializationEnabled() {
-        return this.settings.getAsBoolean(USER_ATTRIBUTE_SERIALIZATION_ENABLED, USER_ATTRIBUTE_SERIALIZATION_ENABLED_DEFAULT);
+        return isUserAttributeSerializationEnabled;
     }
 
     private void setUserInfoInThreadContext(PrivilegesEvaluationContext context) {

@@ -693,7 +693,18 @@ public Settings additionalSettings() {
     public List<String> getSettingsFilter() {
         List<String> settingsFilter = new ArrayList<>();
         settingsFilter.add("opendistro_security.*");
-        settingsFilter.add("plugins.security.*");
+        settingsFilter.add("plugins.security.transport_user_cache.*");
+        settingsFilter.add("plugins.security.nodes_dn.*");
+        settingsFilter.add("plugins.security.restapi.*");
+        settingsFilter.add("plugins.security.ssl.*");
+        settingsFilter.add("plugins.security.config_version.*");
+        settingsFilter.add("plugins.security.nodes_dn_dynamic_config_enabled.*");
+        settingsFilter.add("plugins.security.privileges_evaluation.*");
+        settingsFilter.add("plugins.security.authcz.*");
+        settingsFilter.add("plugins.security.password.*");
+        settingsFilter.add("plugins.security.unsupported.*");
+        settingsFilter.add("plugins.security.audit.*");
+        settingsFilter.add("plugins.security.compliance.*");
         return settingsFilter;
     }
 

@@ -36,4 +36,10 @@ public class SecuritySettings {
         Setting.Property.Dynamic
     ); // Not filtered
 
+    public static final Setting<Boolean> USER_ATTRIBUTE_SERIALIZATION_ENABLED_SETTING = Setting.boolSetting(
+        ConfigConstants.USER_ATTRIBUTE_SERIALIZATION_ENABLED,
+        ConfigConstants.USER_ATTRIBUTE_SERIALIZATION_ENABLED_DEFAULT,
+        Setting.Property.NodeScope,
+        Setting.Property.Dynamic
+    ); // Not filtered
 }
@@ -29,6 +29,7 @@
 import org.opensearch.cluster.metadata.Metadata;
 import org.opensearch.cluster.node.DiscoveryNode;
 import org.opensearch.cluster.service.ClusterService;
+import org.opensearch.common.settings.ClusterSettings;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.common.util.concurrent.ThreadContext;
 import org.opensearch.security.auditlog.NullAuditLog;
@@ -47,6 +48,7 @@
 
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.equalTo;
+import static org.opensearch.security.support.SecuritySettings.USER_ATTRIBUTE_SERIALIZATION_ENABLED_SETTING;
 import static org.junit.Assert.assertThrows;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
@@ -78,6 +80,7 @@ public void setUp() {
         setLoggingLevel(Level.DEBUG); // Enable debug logging scenarios for verification
         ClusterState clusterState = mock(ClusterState.class);
         when(clusterService.state()).thenReturn(clusterState);
+        when(clusterService.getClusterSettings()).thenReturn(new ClusterSettings(Settings.EMPTY, Set.of(USER_ATTRIBUTE_SERIALIZATION_ENABLED_SETTING)));
         Metadata metadata = mock(Metadata.class);
         when(clusterState.metadata()).thenReturn(metadata);
         when(metadata.getIndicesLookup()).thenReturn(new TreeMap<>());