Comment

Author: n1v0lg

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationDenialMessages.java

@@ -100,10 +100,13 @@ public String actionDenied(
                         + "]";
                 }
             } else if (isIndexAction(action)) {
+                // this includes `all`
                 final Collection<String> privileges = findIndexPrivilegesThatGrant(
                     action,
                     p -> p.getSelectorPredicate().test(IndexComponentSelector.DATA)
                 );
+                // this is an invariant since `all` is included in the above so the only way
+                // we can get an empty result here is a bogus action, which will never be covered by a failures privilege
                 assert false == privileges.isEmpty()
                     || findIndexPrivilegesThatGrant(
                         action,