Fix identification of action type in error message (#68260)

Some actions that start with "indices:" are actually handled by
cluster privileges in ES security (e.g. indices:admin/template/*)
In #60357 and #66900 we added better context information for the
error messages that are generated when an action is denied, but the
generation of that message did not correctly classify actions between
cluster and index level privileges.

This change does 2 things:
1. It fixes the code that determines whether an action is handled by a
   cluster privilege or an index privilege
2. Includes the words "cluster" and "index" in the error message so
   that classification is clear to the reader

The latter change is not directly related to the issue being resolved,
but in the course of fixing the issue it became evident that the
message lacked clarity because it did not tell the reader what type of
privilege would be needed to resolve the access denied issue.

Resolves: #68144

Author: tvernum

x-pack/plugin/ilm/qa/with-security/src/javaRestTest/java/org/elasticsearch/xpack/security/PermissionsIT.java

@@ -147,7 +147,7 @@ public void testCanManageIndexWithNoPermissions() throws Exception {
                 assertThat(stepInfo.get("reason"), equalTo("action [indices:monitor/stats] is unauthorized" +
                     " for user [test_ilm]" +
                     " on indices [not-ilm]," +
-                    " this action is granted by the privileges [monitor,manage,all]"));
+                    " this action is granted by the index privileges [monitor,manage,all]"));
             }
         });
     }

x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/ApiKeyIntegTests.java

@@ -1218,14 +1218,14 @@ private Client getClientForRunAsUser() {
     private void assertErrorMessage(final ElasticsearchSecurityException ese, String action, String userName, String apiKeyId) {
         assertThat(ese, throwableWithMessage(
             containsString("action [" + action + "] is unauthorized for API key id [" + apiKeyId + "] of user [" + userName + "]")));
-        assertThat(ese, throwableWithMessage(containsString(", this action is granted by the privileges [")));
+        assertThat(ese, throwableWithMessage(containsString(", this action is granted by the cluster privileges [")));
         assertThat(ese, throwableWithMessage(containsString("manage_api_key,manage_security,all]")));
     }
 
     private void assertErrorMessage(final ElasticsearchSecurityException ese, String action, String userName) {
         assertThat(ese, throwableWithMessage(
             containsString("action [" + action + "] is unauthorized for user [" + userName + "]")));
-        assertThat(ese, throwableWithMessage(containsString(", this action is granted by the privileges [")));
+        assertThat(ese, throwableWithMessage(containsString(", this action is granted by the cluster privileges [")));
         assertThat(ese, throwableWithMessage(containsString("manage_api_key,manage_security,all]")));
     }
 }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java

@@ -636,15 +636,17 @@ private ElasticsearchSecurityException denialException(Authentication authentica
             message = message + " " + context;
         }
 
-        if (isIndexAction(action)) {
-            final Collection<String> privileges = IndexPrivilege.findPrivilegesThatGrant(action);
+        if (ClusterPrivilegeResolver.isClusterAction(action)) {
+            final Collection<String> privileges = ClusterPrivilegeResolver.findPrivilegesThatGrant(action, request, authentication);
             if (privileges != null && privileges.size() > 0) {
-                message = message + ", this action is granted by the privileges [" + collectionToCommaDelimitedString(privileges) + "]";
+                message = message + ", this action is granted by the cluster privileges ["
+                    + collectionToCommaDelimitedString(privileges) + "]";
             }
-        } else if (ClusterPrivilegeResolver.isClusterAction(action)) {
-            final Collection<String> privileges = ClusterPrivilegeResolver.findPrivilegesThatGrant(action, request, authentication);
+        } else if (isIndexAction(action)) {
+            final Collection<String> privileges = IndexPrivilege.findPrivilegesThatGrant(action);
             if (privileges != null && privileges.size() > 0) {
-                message = message + ", this action is granted by the privileges [" + collectionToCommaDelimitedString(privileges) + "]";
+                message = message + ", this action is granted by the index privileges ["
+                    + collectionToCommaDelimitedString(privileges) + "]";
             }
         }