Is your feature request related to a problem? Please describe.
The ability to define plugins as the cluster admin, for namespace admins to use, is a great feature. For the namespace admin, it simplifies the way in which to opt in to a particular log sink. For the cluster admin, it's easy to keep consistent log sink configs. Currently, however, namespace admins can change all parameters of a given plugin simply by setting desired values. For certain parameters, that's desired. However, other parameters may need to be protected to ensure a secure and compliant log sink configuration.
Example: Using the Splunk HEC plugin, namespace admins should be able to define the hec_token parameter, but we would not want them to change the hec_host or hec_port parameters.
Describe the solution you'd like
As a cluster admin defining plugins, I want to be able to specify per parameter of the plugin whether the namespace admins using the plugin are allowed to change them.
This could be done by defining a protected prefix for parameter names, e.g. !. If present, the parameter is protected.
Example:
Here, use of the HEC endpoint host & port, as well as secure HTTPS access would be enforced.
Describe alternatives you've considered
No response
Additional context
I have played with this and created an implementation as outlined above. If there is interest in this feature, I can open a PR.
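Added example (not the issue author's implementation, which the page does not show): a sketch of the merge semantics the `!` prefix implies, with the cluster admin's definition and the namespace's overrides modelled as plain dictionaries. Rejecting an attempted override instead of silently ignoring it, the `protocol` parameter name, and all sample values are assumptions.

```python
PROTECTED_PREFIX = "!"  # marker proposed in the issue; everything else here is assumed


class ProtectedParameterError(ValueError):
    """A namespace config tried to set a parameter the cluster admin protected."""


def split_definition(admin_params):
    """Return (defaults, protected_names) from a cluster-admin plugin definition."""
    defaults, protected = {}, set()
    for raw, value in admin_params.items():
        is_protected = raw.startswith(PROTECTED_PREFIX)
        name = raw[len(PROTECTED_PREFIX):] if is_protected else raw
        if not name or name in defaults:
            # "!" alone, or "hec_host" next to "!hec_host": refuse to guess.
            raise ValueError(f"invalid or duplicate parameter: {raw!r}")
        defaults[name] = value
        if is_protected:
            protected.add(name)
    return defaults, protected


def resolve_params(admin_params, namespace_params):
    """Merge namespace overrides into the admin defaults, failing closed."""
    defaults, protected = split_definition(admin_params)
    effective, violations = dict(defaults), []
    for raw, value in namespace_params.items():
        # Strip the marker so "!hec_host" cannot pass as a separate key.
        name = raw.lstrip(PROTECTED_PREFIX)
        if name in protected:
            violations.append(name)
        else:
            effective[name] = value
    if violations:
        raise ProtectedParameterError(
            "protected parameters cannot be overridden: " + ", ".join(sorted(violations)))
    return effective


# Constructed sample: "protocol" and all values are assumptions for illustration.
ADMIN_SPLUNK_HEC = {
    "!hec_host": "splunk.example.internal",
    "!hec_port": "8088",
    "!protocol": "https",
    "hec_token": "",
}

if __name__ == "__main__":
    print(resolve_params(ADMIN_SPLUNK_HEC, {"hec_token": "constructed-token"}))
```

Failing closed means a namespace config that tries to redirect logs to another host or downgrade to plain HTTP is surfaced as an error rather than quietly shipping logs with the admin's values.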