Remove special handling for do_not_fail_on_forbidden on cluster actions

[nibix]

The special handling for do_not_fail_on_forbidden on cluster actions does not provide any benefits - rather it just causes some inconsistent behavior. See #4485 for the details.

This is part of the work done for #3870

Description

• Category: Enhancement and bug fix
• Why these changes are required? - The present behavior is inconsistent and confusing. Additionally, it does unnecessary computations on index sets, which can potentially decrease action throughput
• What is the old behavior before changes and new behavior after changes? - Both clusters with do_not_fail_on_forbidden set to true and to false will need the same set of privileges for multi actions and scroll actions. The need to specify indices:data/read/mget, indices:data/read/msearch, indices:data/read/mtv, indices:data/read/scroll and indices:data/read/search/template/render as index permissions in the roles config will go away.

Issues Resolved

• Resolves #4485

Testing

• Tests in DoNotFailOnForbiddenTests have been adapted.

Check List

• [x] New functionality includes testing
• [ ] New functionality has been documented
• [ ] New Roles/Permissions have a corresponding security dashboards plugin PR - not necessary
• [x] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[codecov[bot]]

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 65.24%. Comparing base (faa8bf9) to head (fba55ac). Report is 1 commits behind head on main.

Additional details and impacted files

[](https://app.codecov.io/gh/opensearch-project/security/pull/4486?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=opensearch-project) ```diff @@ Coverage Diff @@ ## main #4486 +/- ## ========================================== - Coverage 65.27% 65.24% -0.03% ========================================== Files 313 313 Lines 22058 22045 -13 Branches 3563 3559 -4 ========================================== - Hits 14398 14384 -14 + Misses 5889 5887 -2 - Partials 1771 1774 +3 ``` | [Files](https://app.codecov.io/gh/opensearch-project/security/pull/4486?dropdown=coverage&src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=opensearch-project) | Coverage Δ | | |---|---|---| | [...earch/security/privileges/PrivilegesEvaluator.java](https://app.codecov.io/gh/opensearch-project/security/pull/4486?src=pr&el=tree&filepath=src%2Fmain%2Fjava%2Forg%2Fopensearch%2Fsecurity%2Fprivileges%2FPrivilegesEvaluator.java&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=opensearch-project#diff-c3JjL21haW4vamF2YS9vcmcvb3BlbnNlYXJjaC9zZWN1cml0eS9wcml2aWxlZ2VzL1ByaXZpbGVnZXNFdmFsdWF0b3IuamF2YQ==) | `72.29% <ø> (+0.12%)` | :arrow_up: | ... and [5 files with indirect coverage changes](https://app.codecov.io/gh/opensearch-project/security/pull/4486/indirect-changes?src=pr&el=tree-more&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=opensearch-project)

[nibix]

To avoid any confusion: Yes, this is already complete. The only code-change not related to tests is the removal of the do_not_fail_on_forbidden special handling for cluster actions.