Fix unsupported privileges error message during role and API key crea… (#128858)

gmjehovich · elasticsearchmachine · web-flow · commit 64460dfdae92 · 2025-06-04T18:46:18.000-04:00
* Fix unsupported privileges error message during role and API key creation

* Update docs/changelog/128858.yaml

* [CI] Auto commit changes from spotless

* Update docs/changelog/128858.yaml

---------

Co-authored-by: elasticsearchmachine &lt;infra-root+elasticsearchmachine@elastic.co&gt;
diff --git a/docs/changelog/128858.yaml b/docs/changelog/128858.yaml
@@ -0,0 +1,6 @@
+pr: 128858
+summary: Fix unsupported privileges error message during role and API key crea…
+area: Authorization
+type: enhancement
+issues:
+ - 128132
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java
@@ -396,7 +396,7 @@ private static Set<IndexPrivilege> resolve(Set<String> name) {
                         + part
                         + "]. a privilege must be either "
                         + "one of the predefined fixed indices privileges ["
-                        + Strings.collectionToCommaDelimitedString(VALUES.entrySet())
+                        + Strings.collectionToCommaDelimitedString(names().stream().sorted().collect(Collectors.toList()))
                         + "] or a pattern over one of the available index"
                         + " actions";
                     logger.debug(errorMessage);
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilegeTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilegeTests.java
@@ -13,6 +13,7 @@
 import org.elasticsearch.action.index.TransportIndexAction;
 import org.elasticsearch.action.search.TransportSearchAction;
 import org.elasticsearch.action.update.TransportUpdateAction;
+import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.util.iterable.Iterables;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.xpack.core.rollup.action.GetRollupIndexCapsAction;
@@ -21,8 +22,10 @@
 
 import java.util.Collection;
 import java.util.List;
+import java.util.Locale;
 import java.util.Set;
 import java.util.function.Predicate;
+import java.util.stream.Collectors;
 
 import static org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege.findPrivilegesThatGrant;
 import static org.hamcrest.Matchers.containsInAnyOrder;
@@ -392,6 +395,28 @@ public void testCrossClusterReplicationPrivileges() {
         );
     }
 
+    public void testInvalidPrivilegeErrorMessage() {
+        final String unknownPrivilege = randomValueOtherThanMany(
+            i -> IndexPrivilege.values().containsKey(i),
+            () -> randomAlphaOfLength(10).toLowerCase(Locale.ROOT)
+        );
+
+        IllegalArgumentException exception = expectThrows(
+            IllegalArgumentException.class,
+            () -> IndexPrivilege.resolveBySelectorAccess(Set.of(unknownPrivilege))
+        );
+
+        final String expectedFullErrorMessage = "unknown index privilege ["
+            + unknownPrivilege
+            + "]. a privilege must be either "
+            + "one of the predefined fixed indices privileges ["
+            + Strings.collectionToCommaDelimitedString(IndexPrivilege.names().stream().sorted().collect(Collectors.toList()))
+            + "] or a pattern over one of the available index"
+            + " actions";
+
+        assertEquals(expectedFullErrorMessage, exception.getMessage());
+    }
+
     public static IndexPrivilege resolvePrivilegeAndAssertSingleton(Set<String> names) {
         final Set<IndexPrivilege> splitBySelector = IndexPrivilege.resolveBySelectorAccess(names);
         assertThat("expected singleton privilege set but got " + splitBySelector, splitBySelector.size(), equalTo(1));
diff --git a/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/role/PutRoleRestIT.java b/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/role/PutRoleRestIT.java
@@ -9,12 +9,17 @@
 
 import org.elasticsearch.client.Request;
 import org.elasticsearch.client.ResponseException;
+import org.elasticsearch.common.Strings;
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
+import org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege;
 import org.elasticsearch.xpack.security.SecurityOnTrialLicenseRestTestCase;
 
 import java.util.List;
+import java.util.Locale;
 import java.util.Map;
+import java.util.stream.Collectors;
 
+import static org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege.names;
 import static org.hamcrest.Matchers.contains;
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.hasKey;
@@ -316,6 +321,19 @@ public void testBulkUpdates() throws Exception {
     public void testPutRoleWithInvalidManageRolesPrivilege() throws Exception {
         final String badRoleName = "bad-role";
 
+        final String unknownPrivilege = randomValueOtherThanMany(
+            i -> names().contains(i),
+            () -> randomAlphaOfLength(10).toLowerCase(Locale.ROOT)
+        );
+
+        final String expectedExceptionMessage = "unknown index privilege ["
+            + unknownPrivilege
+            + "]. a privilege must be either "
+            + "one of the predefined fixed indices privileges ["
+            + Strings.collectionToCommaDelimitedString(IndexPrivilege.names().stream().sorted().collect(Collectors.toList()))
+            + "] or a pattern over one of the available index"
+            + " actions";
+
         final ResponseException exception = expectThrows(ResponseException.class, () -> upsertRoles(String.format("""
             {
                 "roles": {
@@ -326,17 +344,17 @@ public void testPutRoleWithInvalidManageRolesPrivilege() throws Exception {
                                     "indices": [
                                         {
                                             "names": ["allowed-index-prefix-*"],
-                                            "privileges": ["foobar"]
+                                            "privileges": ["%s"]
                                         }
                                     ]
                                 }
                             }
                         }
                     }
                 }
-            }""", badRoleName)));
+            }""", badRoleName, unknownPrivilege)));
 
-        assertThat(exception.getMessage(), containsString("unknown index privilege [foobar]"));
+        assertThat(exception.getMessage(), containsString(expectedExceptionMessage));
         assertEquals(400, exception.getResponse().getStatusLine().getStatusCode());
         assertRoleDoesNotExist(badRoleName);
     }

Original file line number	Diff line number	Diff line change
`@@ -9,12 +9,17 @@`
`9`	`9`
`10`	`10`	`import org.elasticsearch.client.Request;`
`11`	`11`	`import org.elasticsearch.client.ResponseException;`
	`12`	`+import org.elasticsearch.common.Strings;`
`12`	`13`	`import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;`
	`14`	`+import org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege;`
`13`	`15`	`import org.elasticsearch.xpack.security.SecurityOnTrialLicenseRestTestCase;`
`14`	`16`
`15`	`17`	`import java.util.List;`
	`18`	`+import java.util.Locale;`
`16`	`19`	`import java.util.Map;`
	`20`	`+import java.util.stream.Collectors;`
`17`	`21`
	`22`	`+import static org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege.names;`
`18`	`23`	`import static org.hamcrest.Matchers.contains;`
`19`	`24`	`import static org.hamcrest.Matchers.containsString;`
`20`	`25`	`import static org.hamcrest.Matchers.hasKey;`
`@@ -316,6 +321,19 @@ public void testBulkUpdates() throws Exception {`
`316`	`321`	`public void testPutRoleWithInvalidManageRolesPrivilege() throws Exception {`
`317`	`322`	`final String badRoleName = "bad-role";`
`318`	`323`
	`324`	`+ final String unknownPrivilege = randomValueOtherThanMany(`
	`325`	`+ i -> names().contains(i),`
	`326`	`+ () -> randomAlphaOfLength(10).toLowerCase(Locale.ROOT)`
	`327`	`+ );`
	`328`	`+`
	`329`	`+ final String expectedExceptionMessage = "unknown index privilege ["`
	`330`	`+ + unknownPrivilege`
	`331`	`+ + "]. a privilege must be either "`
	`332`	`+ + "one of the predefined fixed indices privileges ["`
	`333`	`+ + Strings.collectionToCommaDelimitedString(IndexPrivilege.names().stream().sorted().collect(Collectors.toList()))`
	`334`	`+ + "] or a pattern over one of the available index"`
	`335`	`+ + " actions";`
	`336`	`+`
`319`	`337`	`final ResponseException exception = expectThrows(ResponseException.class, () -> upsertRoles(String.format("""`
`320`	`338`	`{`
`321`	`339`	`"roles": {`
`@@ -326,17 +344,17 @@ public void testPutRoleWithInvalidManageRolesPrivilege() throws Exception {`
`326`	`344`	`"indices": [`
`327`	`345`	`{`
`328`	`346`	`"names": ["allowed-index-prefix-*"],`
`329`		`- "privileges": ["foobar"]`
	`347`	`+ "privileges": ["%s"]`
`330`	`348`	`}`
`331`	`349`	`]`
`332`	`350`	`}`
`333`	`351`	`}`
`334`	`352`	`}`
`335`	`353`	`}`
`336`	`354`	`}`
`337`		`- }""", badRoleName)));`
	`355`	`+ }""", badRoleName, unknownPrivilege)));`
`338`	`356`
`339`		`- assertThat(exception.getMessage(), containsString("unknown index privilege [foobar]"));`
	`357`	`+ assertThat(exception.getMessage(), containsString(expectedExceptionMessage));`
`340`	`358`	`assertEquals(400, exception.getResponse().getStatusLine().getStatusCode());`
`341`	`359`	`assertRoleDoesNotExist(badRoleName);`
`342`	`360`	`}`