include index name in exception message

richard-dennehy · richard-dennehy · commit f14368575d35 · 2025-10-13T14:40:28.000+01:00
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java
@@ -717,7 +717,17 @@ private void handleIndexActionAuthorizationResult(
                 if (indexExpressions != null) {
                     indexExpressions.expressions().forEach(resolved -> {
                         if (resolved.localExpressions().localIndexResolutionResult() == CONCRETE_RESOURCE_UNAUTHORIZED) {
-                            resolved.localExpressions().setException(actionDenied(authentication, authzInfo, action, request));
+                            resolved.localExpressions()
+                                .setException(
+                                    actionDenied(
+                                        authentication,
+                                        authzInfo,
+                                        action,
+                                        request,
+                                        IndexAuthorizationResult.getFailureDescription(List.of(resolved.original()), restrictedIndices),
+                                        null
+                                    )
+                                );
                         }
                     });
                 }
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java
@@ -3899,7 +3899,8 @@ public void testSetExceptionOnMissingIndexWhenIgnoreUnavailable() {
         assertThat(
             expressions.get(1).localExpressions().exception().getMessage(),
             equalTo(
-                "action [indices:data/read/search] is unauthorized for user [user] with effective roles [partial-access-role], "
+                "action [indices:data/read/search] is unauthorized for user [user]" +
+                    " with effective roles [partial-access-role] on indices [not-available-index], "
                     + "this action is granted by the index privileges [read,all]"
             )
         );
