From 8a173a85fa4381a81522064e8beacb6f99f3e6d5 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Tue, 4 Feb 2025 19:04:13 +0000
Subject: [PATCH] [2.x] Avoid ConcurrentModificationException for User class
 fields (#5084)

Signed-off-by: shikharj05 <8859327+shikharj05@users.noreply.github.com>
(cherry picked from commit 05e56ec366a2df2a1d7076d6e0f7845067942c3c)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
---
 .../org/opensearch/security/securityconf/ConfigModelV7.java  | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java b/src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java
index a30eda73ba..31bf626c7b 100644
--- a/src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java
+++ b/src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java
@@ -292,7 +292,10 @@ private Set<String> map(final User user, final TransportAddress caller) {
                 return Collections.emptySet();
             }
 
-            final Set<String> securityRoles = new HashSet<>(user.getSecurityRoles());
+            final Set<String> securityRoles = new HashSet<>();
+            synchronized (user.getSecurityRoles()) {
+                securityRoles.addAll(user.getSecurityRoles());
+            }
 
             if (rolesMappingResolution == ConfigConstants.RolesMappingResolution.BOTH
                 || rolesMappingResolution == ConfigConstants.RolesMappingResolution.BACKENDROLES_ONLY) {