Elasticsearch: Make reindex.remote.whitelist a dynamic setting?

Pinging @elastic/es-core-infra

@joshuar if it were dynamic, a malicious user could dynamically add a host to reindex.remote.whitelist and then continually request that the original ES server try to contact whatever host was added, essentially turning ES into a server that makes http connections on behalf of the malicious user. I don't think this should be a dynamic setting.

@joshuar, as @dakrone already explained, security is still the main concerned here. Making this setting dynamic would amplify the impact of a compromised server. For the users, who have other methods of protecting access to elasticsearch, there is an easy workaround of essentially disabling this setting by using a wildcard for the local domain, local subnet mask or even just *:9200 to completely open it.

We have discussed this and decided not to make this setting dynamic at this moment, but we might revisit this to possibly make this a cluster-wide setting during zen discovery redesign.

Perhaps this setting could be available only on index creation?

I noticed that index.sort.field can only be updated on a closed index or on create for performance and other operational concerns, but perhaps limiting to create only (or the elasticsearch.yaml) would be also secure - or even a reindex.remote.allow_dynamic_whitelist that is in the yaml?