More

Author: n1v0lg

x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/FailureStoreSecurityRestIT.java

@@ -46,7 +46,7 @@ public void testFailureStoreAccess() throws IOException {
 
         createUser(DATA_ACCESS_USER, PASSWORD, List.of(dataAccessRole));
         createUser(FAILURE_STORE_ACCESS_USER, PASSWORD, List.of(failureStoreAccessRole));
-        createUser(BOTH_ACCESS_USER, PASSWORD, List.of(bothAccessRole));
+        createUser(BOTH_ACCESS_USER, PASSWORD, randomBoolean() ? List.of(bothAccessRole) : List.of(dataAccessRole, failureStoreAccessRole));
         createUser(WRITE_ACCESS_USER, PASSWORD, List.of(writeAccessRole));
 
         upsertRole(Strings.format("""

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStore.java

@@ -505,6 +505,7 @@ public static void buildRoleFromDescriptors(
                 runAs.addAll(Arrays.asList(descriptor.getRunAs()));
             }
 
+            // TODO we need to prevent read_failures with DLS or FLS; we need to avoid merging such groups
             MergeableIndicesPrivilege.collatePrivilegesByIndices(descriptor.getIndicesPrivileges(), true, restrictedIndicesPrivilegesMap);
             MergeableIndicesPrivilege.collatePrivilegesByIndices(descriptor.getIndicesPrivileges(), false, indicesPrivilegesMap);