Fix assertion

Author: n1v0lg

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/role/RoleDescriptorRequestValidator.java

@@ -11,6 +11,7 @@
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
 import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilege;
 import org.elasticsearch.xpack.core.security.authz.privilege.ClusterPrivilegeResolver;
+import org.elasticsearch.xpack.core.security.authz.privilege.IndexComponentSelectorPrivilege;
 import org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege;
 import org.elasticsearch.xpack.core.security.authz.restriction.WorkflowResolver;
 import org.elasticsearch.xpack.core.security.support.MetadataUtils;
@@ -60,7 +61,13 @@ public static ActionRequestValidationException validate(
                 validationException = addValidationError("remote index cluster alias cannot be an empty string", validationException);
             }
             try {
-                IndexPrivilege.getSplitBySelector(Set.of(ridp.indicesPrivileges().getPrivileges()));
+                var privileges = IndexPrivilege.getSplitBySelector(Set.of(ridp.indicesPrivileges().getPrivileges()));
+                if (privileges.stream().anyMatch(p -> p.getSelectorPrivilege() == IndexComponentSelectorPrivilege.FAILURES)) {
+                    validationException = addValidationError(
+                        "remote index privileges cannot contain privileges that grant access to the failure store",
+                        validationException
+                    );
+                }
             } catch (IllegalArgumentException ile) {
                 validationException = addValidationError(ile.getMessage(), validationException);
             }

x-pack/plugin/security/qa/multi-cluster/src/javaRestTest/java/org/elasticsearch/xpack/remotecluster/RemoteClusterSecurityFcActionAuthorizationIT.java

@@ -435,7 +435,7 @@ public void testUpdateCrossClusterApiKey() throws Exception {
                         + "for user [foo] with assigned roles [role] authenticated by API key id ["
                         + apiKeyId
                         + "] of user [test_user] on indices [index], this action is granted by the index privileges "
-                        + "[view_index_metadata,manage,read,all]"
+                        + "[read,view_index_metadata,manage,all]"
                 )
             );
 
@@ -483,7 +483,7 @@ public void testUpdateCrossClusterApiKey() throws Exception {
                         + "for user [foo] with assigned roles [role] authenticated by API key id ["
                         + apiKeyId
                         + "] of user [test_user] on indices [index], this action is granted by the index privileges "
-                        + "[view_index_metadata,manage,read,all]"
+                        + "[read,view_index_metadata,manage,all]"
                 )
             );
         }