Merge branch 'failure-store-authz-messages' of github.com:n1v0lg/elasticsearch into failure-store-authz-messages

n1v0lg · n1v0lg · commit 528bf5b70f75 · 2025-03-28T08:40:12.000+01:00
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java
@@ -1001,7 +1001,15 @@ public void testUnknownRoleCausesDenial() {
                 )
             )
         );
-        assertThat(securityException, throwableWithMessage(containsString("this action is granted by the index privileges [read,all]")));
+        assertThat(
+            securityException,
+            throwableWithMessage(
+                containsString(
+                    "this action is granted by the index privileges [read,all] for data access"
+                        + ", or [read_failure_store,all] for access via the failures selector"
+                )
+            )
+        );
 
         verify(auditTrail).accessDenied(eq(requestId), eq(authentication), eq(action), eq(request), authzInfoRoles(Role.EMPTY.names()));
         verifyNoMoreInteractions(auditTrail);
@@ -1047,7 +1055,15 @@ public void testServiceAccountDenial() {
             throwableWithMessage(containsString("[" + action + "] is unauthorized for service account [" + serviceUser.principal() + "]"))
         );
         verify(auditTrail).accessDenied(eq(requestId), eq(authentication), eq(action), eq(request), authzInfoRoles(role.names()));
-        assertThat(securityException, throwableWithMessage(containsString("this action is granted by the index privileges [read,all]")));
+        assertThat(
+            securityException,
+            throwableWithMessage(
+                containsString(
+                    "this action is granted by the index privileges [read,all] for data access"
+                        + ", or [read_failure_store,all] for access via the failures selector"
+                )
+            )
+        );
         verifyNoMoreInteractions(auditTrail);
     }
 
@@ -1097,7 +1113,15 @@ public void testThatRoleWithNoIndicesIsDenied() {
                 containsString("[" + action + "] is unauthorized" + " for user [test user]" + " with effective roles [no_indices]")
             )
         );
-        assertThat(securityException, throwableWithMessage(containsString("this action is granted by the index privileges [read,all]")));
+        assertThat(
+            securityException,
+            throwableWithMessage(
+                containsString(
+                    "this action is granted by the index privileges [read,all] for data access"
+                        + ", or [read_failure_store,all] for access via the failures selector"
+                )
+            )
+        );
 
         verify(auditTrail).accessDenied(
             eq(requestId),
