diff --git a/src/main/java/org/opensearch/security/privileges/SecurityIndexAccessEvaluator.java b/src/main/java/org/opensearch/security/privileges/SecurityIndexAccessEvaluator.java
index 14902e5196..70219b07f4 100644
--- a/src/main/java/org/opensearch/security/privileges/SecurityIndexAccessEvaluator.java
+++ b/src/main/java/org/opensearch/security/privileges/SecurityIndexAccessEvaluator.java
@@ -203,7 +203,7 @@ private PrivilegesEvaluatorResponse evaluateNewSecuredIndicesAccess(
 Boolean isDebugEnabled
 ) {
- if (matchAnyDenyIndices(requestedResolved)){
+ if (matchAnyDenyIndices(requestedResolved)) {
 auditLog.logSecurityIndexAttempt(request, action, task);
 if (log.isInfoEnabled()) {
 log.info(
diff --git a/src/test/java/org/opensearch/security/privileges/SecurityIndexAccessEvaluatorTest.java b/src/test/java/org/opensearch/security/privileges/SecurityIndexAccessEvaluatorTest.java
index d97f46d882..3a89f94d8c 100644
--- a/src/test/java/org/opensearch/security/privileges/SecurityIndexAccessEvaluatorTest.java
+++ b/src/test/java/org/opensearch/security/privileges/SecurityIndexAccessEvaluatorTest.java
@@ -160,6 +160,22 @@ public void protectedActionLocalAll() {
 verify(log).info("{} for '_all' indices is not allowed for a regular user", "indices:data/write");
 }
+ @Test
+ public void protectedActionLocalAllWithNewAccessControl() {
+ setupEvaluatorWithSystemIndicesControl();
+ final Resolved resolved = Resolved._LOCAL_ALL;
+
+ // Action
+ evaluator.evaluate(request, task, PROTECTED_ACTION, resolved, presponse, securityRoles);
+ verify(log).isDebugEnabled();
+
+ verify(auditLog).logSecurityIndexAttempt(request, PROTECTED_ACTION, task);
+ assertThat(presponse.allowed, is(false));
+ verify(presponse).markComplete();
+ verify(presponse).isComplete();
+ verify(log).isDebugEnabled();
+ verify(log).info("{} for '_all' indices is not allowed for a regular user", "indices:data/write");
+ }
 @Test
 public void protectedActionSystemIndex() {
 setupEvaluatorWithSystemIndicesControl();
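Review bot: In the added `protectedActionLocalAllWithNewAccessControl`, `assertThat(presponse.allowed, is(false))` probably cannot fail. `presponse` is passed to `verify(...)`, so it is a mock or spy, and a boolean field the evaluator never assigns would presumably still read false. As written, the deny decision for `_all` under the new system-index control is pinned only by the `markComplete()` and `logSecurityIndexAttempt` verifications. Adding `presponse.allowed = true;` before the `evaluator.evaluate(...)` call would make the assertion show that the evaluator actively denies the request, assuming it assigns the field on this path. The second `verify(log).isDebugEnabled();` repeats the first and can be dropped, and the new method's closing brace appears to run straight into the next `@Test` without a blank line.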