fixes

nibix · nibix · commit 7b86bff9dec0 · 2025-11-20T23:57:48.000+01:00
Signed-off-by: Nils Bandener &lt;nils.bandener@eliatra.com&gt;
diff --git a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluatorImpl.java b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluatorImpl.java
@@ -414,7 +414,7 @@ public PrivilegesEvaluatorResponse evaluate(PrivilegesEvaluationContext context)
                         if (!replaceResult.continueEvaluation) {
                             if (replaceResult.accessDenied) {
                                 auditLog.logMissingPrivileges(action0, request, task);
-                                return PrivilegesEvaluatorResponse.insufficient(action0);
+                                return presponse;
                             } else {
                                 return PrivilegesEvaluatorResponse.ok().with(replaceResult.createIndexRequestBuilder);
                             }
diff --git a/src/main/java/org/opensearch/security/privileges/SystemIndexAccessEvaluator.java b/src/main/java/org/opensearch/security/privileges/SystemIndexAccessEvaluator.java
@@ -280,7 +280,7 @@ private PrivilegesEvaluatorResponse evaluateSystemIndicesAccess(
                         .collect(Collectors.toList());
                     log.debug("Service account cannot access regular indices: {}", regularIndices);
                 }
-                return PrivilegesEvaluatorResponse.insufficient(action).reason("Service account cannot access regular indices");
+                return PrivilegesEvaluatorResponse.insufficient("").reason("Service account cannot access regular indices");
             }
             boolean containsProtectedIndex = requestContainsAnyProtectedSystemIndices(requestedResolved);
             if (containsProtectedIndex) {
@@ -332,7 +332,7 @@ private PrivilegesEvaluatorResponse evaluateSystemIndicesAccess(
                                 matchingPluginIndices
                             );
                         }
-                        return PrivilegesEvaluatorResponse.insufficient(action);
+                        return PrivilegesEvaluatorResponse.insufficient("");
                     }
                 }
             } else {
@@ -357,7 +357,7 @@ private PrivilegesEvaluatorResponse evaluateSystemIndicesAccess(
                 } else {
                     auditLog.logSecurityIndexAttempt(request, action, task);
                     log.warn("{} for '_all' indices is not allowed for a regular user", action);
-                    return PrivilegesEvaluatorResponse.insufficient(action);
+                    return PrivilegesEvaluatorResponse.insufficient("");
                 }
             }
             // if system index is enabled and system index permissions are enabled we don't need to perform any further
@@ -370,7 +370,7 @@ else if (containsSystemIndex && !isSystemIndexPermissionEnabled) {
                         if (log.isDebugEnabled()) {
                             log.debug("Filtered '{}' but resulting list is empty", securityIndex);
                         }
-                        return PrivilegesEvaluatorResponse.insufficient(action);
+                        return PrivilegesEvaluatorResponse.insufficient("");
                     }
                     irr.replace(request, false, allWithoutSecurity.toArray(new String[0]));
                     if (log.isDebugEnabled()) {
@@ -380,7 +380,7 @@ else if (containsSystemIndex && !isSystemIndexPermissionEnabled) {
                     auditLog.logSecurityIndexAttempt(request, action, task);
                     final String foundSystemIndexes = String.join(", ", getAllSystemIndices(requestedResolved));
                     log.warn("{} for '{}' index is not allowed for a regular user", action, foundSystemIndexes);
-                    return PrivilegesEvaluatorResponse.insufficient(action);
+                    return PrivilegesEvaluatorResponse.insufficient("");
                 }
             }
         }

Original file line number	Diff line number	Diff line change
`@@ -414,7 +414,7 @@ public PrivilegesEvaluatorResponse evaluate(PrivilegesEvaluationContext context)`
`414`	`414`	`if (!replaceResult.continueEvaluation) {`
`415`	`415`	`if (replaceResult.accessDenied) {`
`416`	`416`	`auditLog.logMissingPrivileges(action0, request, task);`
`417`		`- return PrivilegesEvaluatorResponse.insufficient(action0);`
	`417`	`+ return presponse;`
`418`	`418`	`} else {`
`419`	`419`	`return PrivilegesEvaluatorResponse.ok().with(replaceResult.createIndexRequestBuilder);`
`420`	`420`	`}`
Original file line number	Diff line number	Diff line change
`@@ -280,7 +280,7 @@ private PrivilegesEvaluatorResponse evaluateSystemIndicesAccess(`
`280`	`280`	`.collect(Collectors.toList());`
`281`	`281`	`log.debug("Service account cannot access regular indices: {}", regularIndices);`
`282`	`282`	`}`
`283`		`- return PrivilegesEvaluatorResponse.insufficient(action).reason("Service account cannot access regular indices");`
	`283`	`+ return PrivilegesEvaluatorResponse.insufficient("").reason("Service account cannot access regular indices");`
`284`	`284`	`}`
`285`	`285`	`boolean containsProtectedIndex = requestContainsAnyProtectedSystemIndices(requestedResolved);`
`286`	`286`	`if (containsProtectedIndex) {`
`@@ -332,7 +332,7 @@ private PrivilegesEvaluatorResponse evaluateSystemIndicesAccess(`
`332`	`332`	`matchingPluginIndices`
`333`	`333`	`);`
`334`	`334`	`}`
`335`		`- return PrivilegesEvaluatorResponse.insufficient(action);`
	`335`	`+ return PrivilegesEvaluatorResponse.insufficient("");`
`336`	`336`	`}`
`337`	`337`	`}`
`338`	`338`	`} else {`
`@@ -357,7 +357,7 @@ private PrivilegesEvaluatorResponse evaluateSystemIndicesAccess(`
`357`	`357`	`} else {`
`358`	`358`	`auditLog.logSecurityIndexAttempt(request, action, task);`
`359`	`359`	`log.warn("{} for '_all' indices is not allowed for a regular user", action);`
`360`		`- return PrivilegesEvaluatorResponse.insufficient(action);`
	`360`	`+ return PrivilegesEvaluatorResponse.insufficient("");`
`361`	`361`	`}`
`362`	`362`	`}`
`363`	`363`	`// if system index is enabled and system index permissions are enabled we don't need to perform any further`
`@@ -370,7 +370,7 @@ else if (containsSystemIndex && !isSystemIndexPermissionEnabled) {`
`370`	`370`	`if (log.isDebugEnabled()) {`
`371`	`371`	`log.debug("Filtered '{}' but resulting list is empty", securityIndex);`
`372`	`372`	`}`
`373`		`- return PrivilegesEvaluatorResponse.insufficient(action);`
	`373`	`+ return PrivilegesEvaluatorResponse.insufficient("");`
`374`	`374`	`}`
`375`	`375`	`irr.replace(request, false, allWithoutSecurity.toArray(new String[0]));`
`376`	`376`	`if (log.isDebugEnabled()) {`
`@@ -380,7 +380,7 @@ else if (containsSystemIndex && !isSystemIndexPermissionEnabled) {`
`380`	`380`	`auditLog.logSecurityIndexAttempt(request, action, task);`
`381`	`381`	`final String foundSystemIndexes = String.join(", ", getAllSystemIndices(requestedResolved));`
`382`	`382`	`log.warn("{} for '{}' index is not allowed for a regular user", action, foundSystemIndexes);`
`383`		`- return PrivilegesEvaluatorResponse.insufficient(action);`
	`383`	`+ return PrivilegesEvaluatorResponse.insufficient("");`
`384`	`384`	`}`
`385`	`385`	`}`
`386`	`386`	`}`