[9.4] [Entity Analytics][Leads generation] Improve error states for ES index-level permission denials (#265956)#266434
Merged
kibanamachine merged 1 commit intoelastic:9.4from Apr 29, 2026
Conversation
…x-level permission denials (elastic#265956) ## Summary This PR improves the error handling in the Lead Generation feature when Elasticsearch index-level permissions are missing. Previously, `security_exception` errors from ES were silently swallowed, resulting in either empty data responses (misleading 200s) or unhelpful 500 errors. After this change, those errors propagate as proper HTTP 403 responses with an actionable message. --- ## Background The Lead Generation feature stores leads in `.entity-analytics.entity-leads-*` indices. Two separate permission layers protect these APIs: 1. **Kibana feature privileges** (`securitySolution` + `${APP_ID}-entity-analytics`) — enforced by the Kibana framework before the handler runs. Missing this results in a Kibana-level 403. 2. **Elasticsearch index-level privileges** — enforced by ES when `esClient.asCurrentUser` executes a query. Missing `read`/`write` access on the leads indices causes ES to return a `security_exception` with status 403. Layer 1 was already correctly configured on all routes. Layer 2 was silently absorbed. --- ## What was broken In `lead_data_client.ts`, the `findLeads`, `getStatus`, and `createLeads` methods all had catch blocks that swallowed every error: ```typescript // findLeads (before) } catch (e) { // checked only for index_not_found_exception; security_exception was also silently absorbed logger.error(`Unable to find leads due to error: ${e}`); return { leads: [], total: 0, page, perPage }; // misleading 200 OK } ``` A user without `.entity-analytics.entity-leads-*` read access would get back an empty list with a 200 OK instead of a 403 "access denied" response. For `createLeads`, the write would silently fail with only a log warning. ### API flow before fix ``` GET /internal/entity_analytics/leads returns { leads: [], total: 0 } 200 OK with empty data ``` --- ### API flow after fix ``` GET /internal/entity_analytics/leads transformError -> HTTP 403 - > frontend useQuery onError → toast: "security_exception: indices:data/read/search (...) is unauthorized for user [...]" ``` `index_not_found_exception` continues to be swallowed and returns an empty result, which is the intended behaviour before the indices are first created. --- ## Testing steps (before fix) 1. Create a Kibana role with `securitySolution` feature access but **no** access to `.entity-analytics.entity-leads-*` ES indices. 2. Log in as a user with that role. 3. `GET /internal/entity_analytics/leads` — returns `200 { leads: [], total: 0 }` instead of `403`. 4. `GET /internal/entity_analytics/leads/status` — returns `200 { isEnabled: false, indexExists: false, ... }` instead of `403`. ## Testing steps (after fix) Same setup: 3. `GET /internal/entity_analytics/leads` -> `403 security_exception: indices:data/read/search is unauthorized` 4. `GET /internal/entity_analytics/leads/status` -> `403 security_exception: ...` 5. UI: toast notification displays the permission error rather than showing empty leads. --------- Co-authored-by: Ying <ying.mao@elastic.co> (cherry picked from commit 812db45)
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
Contributor
Author
💛 Build succeeded, but was flaky
Failed CI StepsMetrics [docs]
History |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Backport
This will backport the following commits from
mainto9.4:Questions ?
Please refer to the Backport tool documentation