Description
What is the bug?
The current PPL Monitor creation logic validates the PPL query by taking the raw untouched query inputted, running it against the PPL plugin in a try-catch, and returning whatever error the PPL plugin throws to the user (if one was returned). This approach is one size fits all and not fine-grained. PPL syntax errors throw the same status code as the user not having permissions to the index being queried (both throw 400), even though the error message is fine-grained enough to specify the error. Permissions errors should throw a 403, not a 400.
This can be done in 2 ways:
- (preferred) Do a separate Alerting-level check of the index permissions themselves by scanning the query for indices and running a search call against those indices. If a permissions error from the Security plugin is given, relay that error as a 403; otherwise, proceed to validating the query against the PPL plugin.
- Read and interpret the PPL plugin response to determine what status code should be thrown.
How can one reproduce the bug?
Steps to reproduce the behavior:
Create a V2 Monitor with a valid PPL query on an index the current user does not have permissions to. The creation fails as expected, but the status code returned is 400, and the error message is a generic Security plugin error that does not specify what indices the user does not have access to.
What is the expected behavior?
Index permissions errors should return 403 and be explicit about the indices the current user does not have access to.
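
The preferred ordering described in this issue (check index permissions first, then validate syntax) can be sketched as follows. This is an added example, not code from the Alerting plugin: `extract_indices`, `validate_monitor_query`, `PplSyntaxError`, the `can_search` callback and the sample validator are hypothetical names, and the index extraction is deliberately simplified to the leading `source=` clause.

```python
import re

# Simplified assumption: only the leading `source=` / `search source=` clause is
# scanned; joins, subsearches and lookups would need the real PPL parser.
_SOURCE = re.compile(r"^\s*(?:search\s+)?source\s*=\s*([^|]+)", re.IGNORECASE)
KNOWN_COMMANDS = {"where", "fields", "stats", "head", "sort"}  # constructed subset

class PplSyntaxError(Exception):
    """Hypothetical stand-in for a query rejection returned by the PPL plugin."""

def extract_indices(query):
    """Return the index names in the leading source clause, backticks removed."""
    m = _SOURCE.match(query)
    if not m:
        return []
    names = []
    for part in m.group(1).split(","):
        tokens = part.strip().split()
        if tokens:
            names.append(tokens[0].strip("`"))
    return names

def validate_monitor_query(query, can_search, ppl_validate):
    """Map permission failures to 403 before syntax failures are mapped to 400."""
    # can_search(index) stands in for a search call made as the current user.
    denied = [i for i in extract_indices(query) if not can_search(i)]
    if denied:
        # Only names the user typed in the query are echoed back.
        return 403, "no permissions for indices: " + ", ".join(denied)
    try:
        ppl_validate(query)
    except PplSyntaxError as err:
        return 400, str(err)
    return 200, "ok"

def sample_ppl_validate(query):
    """Constructed validator: rejects pipe stages with an unknown command."""
    for stage in query.split("|")[1:]:
        words = stage.split()
        cmd = words[0].lower() if words else ""
        if cmd not in KNOWN_COMMANDS:
            raise PplSyntaxError(f"unknown command: {cmd!r}")

ALLOWED = {"app-logs"}  # constructed sample: indices the current user may search

def sample_can_search(index):
    return index in ALLOWED
```

Because the permission check runs first, a query that is both malformed and aimed at a forbidden index returns 403 rather than 400.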