Closed
Labels: :Security/Authorization (Roles, Privileges, DLS/FLS, RBAC/ABAC), >enhancement, Team:Security (Meta label for security team)
Description
The access denied error message is:
action [{}] is unauthorized for user [{}]
This has a few problems:
- In the case of an index level action, it doesn't tell you which index was denied.
- It doesn't list the user's roles.
- We discourage security administrators from assigning raw actions to roles, but that is the only information that is provided in the error.
When users run into these errors they aren't being given enough information to be able to solve the problem. We need to be more explicit about exactly what was rejected and the options to resolve it.
One idea was to include a list of the cluster/index privileges that would grant this action (perhaps roughly sorted from least-privilege to most-privileged)
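To make the proposal concrete, the following is an added example (not Elasticsearch code, and not from the issue) of how a denial message could carry the missing pieces: the index that was denied, the user's roles, and the privileges that would have granted the action, ranked roughly from least to most privileged. The privilege and action names follow Elasticsearch's naming style, but the privilege table, action catalogue and roles below are a hand-written, simplified subset constructed for this example and are not the project's real privilege model.

```python
"""Constructed sketch of a more informative authorization-denied message.

The mapping below is a simplified, hand-written subset used only to show
the idea; it is not Elasticsearch's real privilege table.
"""
from fnmatch import fnmatchcase

# Constructed subset: index privilege -> action-name patterns it grants.
INDEX_PRIVILEGES = {
    "read": ("indices:data/read/*",),
    "write": ("indices:data/write/*",),
    "monitor": ("indices:monitor/*",),
    "manage": ("indices:monitor/*", "indices:admin/*"),
    "all": ("indices:*",),
}

# Constructed action catalogue, used only to rank privileges by breadth
# (how many known actions a privilege grants).
ACTION_CATALOGUE = (
    "indices:data/read/search", "indices:data/read/get",
    "indices:data/write/index", "indices:data/write/delete",
    "indices:monitor/stats", "indices:admin/delete", "indices:admin/mapping/put",
)

# Constructed roles: role name -> list of (index pattern, granted privileges).
ROLES = {
    "viewer": [("logs-*", {"read"})],
    "ingest": [("logs-*", {"write"})],
    "ops": [("*", {"monitor"})],
}


def privilege_grants(privilege, action, privileges=INDEX_PRIVILEGES):
    """True if `privilege` covers `action` under the constructed table."""
    return any(fnmatchcase(action, pattern) for pattern in privileges[privilege])


def breadth(privilege, privileges=INDEX_PRIVILEGES, catalogue=ACTION_CATALOGUE):
    """Number of catalogued actions the privilege grants; a rough 'how privileged' score."""
    return sum(privilege_grants(privilege, a, privileges) for a in catalogue)


def privileges_granting(action, privileges=INDEX_PRIVILEGES):
    """Privileges that would grant `action`, least-privileged first (ties broken by name)."""
    matching = [p for p in privileges if privilege_grants(p, action, privileges)]
    return sorted(matching, key=lambda p: (breadth(p, privileges), p))


def is_authorized(roles, action, index, role_defs=ROLES):
    """Check whether any of the user's roles grants `action` on `index`."""
    for role in roles:
        for pattern, privs in role_defs.get(role, []):
            if fnmatchcase(index, pattern) and any(privilege_grants(p, action) for p in privs):
                return True
    return False


def old_message(user, action):
    """The current message shape quoted in the issue."""
    return f"action [{action}] is unauthorized for user [{user}]"


def new_message(user, action, index, roles):
    """Proposed shape: names the index, the roles, and the privileges that would grant the action."""
    granting = ",".join(privileges_granting(action))
    return (
        f"action [{action}] on index [{index}] is unauthorized for user [{user}] "
        f"with roles [{','.join(roles)}]; this action is granted by the index "
        f"privileges [{granting}]"
    )


if __name__ == "__main__":
    # Constructed scenario: a user with only the 'ingest' role tries to search.
    user, action, index, roles = "alice", "indices:data/read/search", "logs-2024", ["ingest"]
    if not is_authorized(roles, action, index):
        print("before:", old_message(user, action))
        print("after: ", new_message(user, action, index, roles))
```

Ranking by how many catalogued actions a privilege covers is one simple way to approximate "least-privilege to most-privileged"; it puts `read` ahead of `all` for a search action, which is the hint an administrator needs to avoid assigning raw actions or overly broad privileges to a role.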