[BUG] Misleading error message - Search error instead of Permission denied in dashboards #1700

Closed
aggarwalShivani opened this issue Dec 17, 2023 · 6 comments
Labels: bug, triaged

@aggarwalShivani

(Raised new issue as the older one could not be reopened)

What is the bug?
When a user tries to access an index-pattern on dashboards for which they do not have read permission, then it displays "Search Error" with a stacktrace.
image

Problem
This is quite a misleading message and it would have been better to specify a Permission issue instead.

This behaviour has been running since Kibana versions > 7.8.
With Kibana 7.8, on such a scenario, a clear permission error was displayed on the UI.

image

How can one reproduce the bug?
Steps to reproduce the behavior:

  1. Install Opensearch, Opensearch-dashboards with security enabled
  2. As admin user, create indices like log-default-17.12.2023 and test-default-17.12.2023.
  3. Login to Opensearch-dashboards as admin user and create index patterns like log* and test* for the two indices respectively.
  4. Create a user (say testuser) with read-write permissions only to log*
  5. Login to Opensearch-dashboards UI with testuser and try to access the index pattern test* (i.e. for which user has no permission).

What is the expected behavior?
A clear error message that at least indicates that it is related to permissions must be displayed.
In opensearch pod logs, it does display that user didn't have permission for the required operation. However, the same is not displayed on Opensearch dashboards UI.

What is your host/environment?

  • OS: rocky8
  • Version: 2.11.0
  • Plugins: Opensearch, Opensearch-dashboards with their respective security plugins

Do you have any screenshots?
Attached.

Do you have any additional context?
Ref to previous tickets raised for this

aggarwalShivani added the bug and untriaged labels Dec 17, 2023
@peternied
Member

[Triage] Thanks for filing, this does not look like the expected behavior - we'd be happy to accept a pull request to clean this up

@mrudrego

mrudrego commented Dec 19, 2023

@peternied can you please assign this issue to me? I'm willing to work on this.

Thanks,

@peternied
Member

@mrudrego Thanks - I've assigned this issue to you, looking forward to seeing a PR

@mrudrego

mrudrego commented Jan 4, 2024

@peternied, the behaviour on the main branch of code has changed. When a user tries to access an index for which they do not have permission, we get a Forbidden message as below.
image

I hope this is expected behaviour.

The only small concern/query is about the stacktrace showing the complete source code of the file. Can this cause any security issue?

Thanks,

@peternied
Member

@mrudrego That code is executed on the client side - there is no way to keep the call stack 'hidden' because the browser is executing it, nothing unexpected there - good question.

@mrudrego

mrudrego commented Jan 9, 2024

@peternied thanks for the response.
So I think we can close this bug since the fix is already available in the main branch and working as expected.
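
One way a client could tell a permission failure apart from a generic search failure, which is the behaviour this issue asks for. This is an added example, not code from OpenSearch Dashboards or from this thread: the function name, the assumed error body shape (`error.type`, `error.reason`, `error.root_cause`) and both sample bodies are constructed for illustration.

```javascript
// Added example: hypothetical helper, not OpenSearch Dashboards code.
// Assumption: a failed search returns {error: {type, reason, root_cause: [...]}, status}.

// Constructed sample bodies (not captured from a real cluster).
const CONSTRUCTED_DENIED = {
  error: {
    root_cause: [{ type: 'security_exception', reason: 'no permissions for [indices:data/read/search] and User [name=testuser, backend_roles=[], requestedTenant=null]' }],
    type: 'security_exception',
    reason: 'no permissions for [indices:data/read/search] and User [name=testuser, backend_roles=[], requestedTenant=null]',
  },
  status: 403,
};
const CONSTRUCTED_BAD_QUERY = {
  error: { root_cause: [{ type: 'parsing_exception', reason: 'unknown query [mach]' }], type: 'parsing_exception', reason: 'unknown query [mach]' },
  status: 400,
};

// Decide what the UI should show for a failed search request.
function classifySearchFailure(status, body) {
  // The body may be missing or plain text (for example from a proxy), so read it defensively.
  const err = (body && typeof body === 'object' && body.error) || {};
  const causes = Array.isArray(err.root_cause) ? err.root_cause : [];
  const types = [err.type, ...causes.map((c) => c && c.type)].filter(Boolean);
  const reason = typeof err.reason === 'string' ? err.reason : '';

  if (status === 403 || types.includes('security_exception')) {
    // Name the denied action when the reason carries it; never show a stack trace here.
    const m = /no permissions for \[([^\]]+)\]/.exec(reason);
    return {
      kind: 'permission_denied',
      title: 'Permission denied',
      message: m
        ? `You do not have permission for ${m[1]} on this index pattern.`
        : 'You do not have permission to read this index pattern.',
    };
  }
  return {
    kind: 'search_error',
    title: 'Search Error',
    message: reason || `Request failed with status ${status}`,
  };
}

console.log(classifySearchFailure(403, CONSTRUCTED_DENIED).title);
console.log(classifySearchFailure(400, CONSTRUCTED_BAD_QUERY).title);
```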
