[FEATURE] Configuration Option to Set Default Algorithm for Field Masking
Is your feature request related to a problem? The field masking algorithm defaults to Blake2b. We'd like to be able to change this via a configuration option.
What solution would you like? Add configuration option, e.g. plugins.security.masked_fields.algorithm.default
This can be set to any of the other supported algorithms (e.g. SHA-512) https://opensearch.org/docs/latest/security/access-control/field-masking/#advanced-use-an-alternative-hash-algorithm
Do you have any additional context? As well as adding functionality for wider use, it will also help with adding configurable options for FIPS compliance: https://github.com/opensearch-project/security/issues/3420
Please assign to me once triaged.
[Triage] Thank you for filing this issue @terryquigleysas. I have assigned this to you and thank you for providing a reference implementation here.
What do you think about the setting being called plugins.security.masked_fields.algorithm? By having default on the path to the setting (plugins.security.masked_fields.algorithm.default), does this imply that it can be changed without a cluster reboot?
@cwperks The algorithm can be set per field as detailed in https://opensearch.org/docs/latest/security/access-control/field-masking/#advanced-use-an-alternative-hash-algorithm
When no specific algorithm is provided for a field, the default is hardcoded to choose Blake2b. We want to provide an option to choose a default of our choice when a field has no algorithm specified. Initially this would be a static setting that would require a reboot.
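
The resolution order discussed in this thread (per-field algorithm, then a configured default, then Blake2b), sketched in Python as an added example; it is not the security plugin's code. Apart from the proposed setting key, the function names, the accepted algorithm list, the Blake2b digest size and the unsalted hashing are assumptions of the sketch.

```python
import hashlib

# Setting key proposed in the thread; everything else here is hypothetical.
DEFAULT_SETTING = "plugins.security.masked_fields.algorithm.default"
BUILTIN_DEFAULT = "BLAKE2B"  # stands in for the hardcoded Blake2b default

# Algorithm names this sketch accepts (constructed list, not the plugin's).
ALGORITHMS = {
    "BLAKE2B": lambda: hashlib.blake2b(digest_size=32),  # size chosen for the sketch
    "SHA-256": hashlib.sha256,
    "SHA-512": hashlib.sha512,
}


def check_algorithm(name):
    """Return the normalised name, or raise so an unknown value fails closed."""
    key = name.strip().upper()
    if key not in ALGORITHMS:
        raise ValueError(f"unsupported masking algorithm: {name!r}")
    return key


def validate_settings(settings):
    """Static setting: reject a bad default at startup, not at query time."""
    if DEFAULT_SETTING in settings:
        check_algorithm(settings[DEFAULT_SETTING])


def resolve(spec, settings):
    """Split 'field' or 'field::ALG' and pick the algorithm for that field.

    Order: per-field algorithm, then the configured default, then Blake2b.
    The regex-replacement form of masked fields is not handled here.
    """
    field, sep, per_field = spec.partition("::")
    chosen = per_field if sep else settings.get(DEFAULT_SETTING, BUILTIN_DEFAULT)
    return field, check_algorithm(chosen)


def mask(value, spec, settings):
    """Hash one field value (no salt in this sketch) and return hex."""
    _, algorithm = resolve(spec, settings)
    digest = ALGORITHMS[algorithm]()
    digest.update(value.encode("utf-8"))
    return digest.hexdigest()


# Constructed sample: node settings and a role's masked field entries.
NODE_SETTINGS = {DEFAULT_SETTING: "SHA-512"}
MASKED_FIELDS = ["lastname", "email::SHA-256"]
```

Validating the default once at startup matches the static-setting behaviour described above, and raising on an unknown name keeps a typo from silently selecting a different algorithm.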