[BUG] Inconsistent behaviour of msearch operation when feature "do_not_fail_on_forbidden" is enabled or disabled

[lukasz-soszynski-eliatra]

What is the bug?
Various set of permissions is required to perform msearch operation when the feature "do_not_fail_on_forbidden" is enabled or disabled

How can one reproduce the bug?
Steps to reproduce the behavior:

1. Create and index marvelous_songs
2. Add some documents to index marvelous_songs
3. Disable feature do_not_fail_on_forbidden in security plugin configuration
4. Create a role limited-role with cluster permission indices:data/read/msearch and index permission indices:data/read/search assigned to marvelous_songs index
5. Create a user with the assigned role limited-role
6. Perform msearch operation to find some documents from marvelous_songs index. The operation works correctly and returns documents which match to search criteria
7. Enable the feature do_not_fail_on_forbidden
8. Perform again search operation described in point 6. The operation fails with 403 response code

To perform msearch operation when do_not_fail_on_forbidden feature is enabled an additional index permission indices:data/read/msearch is required.

What is the expected behavior?
The same set of cluster and index permissions is required to perform msearch operation when the feature "do_not_fail_on_forbidden" is enabled or disabled

What is your host/environment?

• OS: Ubuntu Linux 20.04 LTS
• Version 2.4.0-SNAPSHOT
• Plugins security plugin

Do you have any screenshots?
No

Do you have any additional context?
The problem was noticed during writing integration tests for do_not_fail_on_forbidden feature.

[lukasz-soszynski-eliatra]

A similar problem occurs in the case of scrolling and permission indices:data/read/scroll

[anubisg1]

this seem also related to #2120 and #1678

[stephen-crawford]

Hi @cwperks could you mark this as #help_wanted and #triaged?
Thank you

[stephen-crawford]

[Triage] This issue remains relevant and should continue to be a part of the backlog.