[BUG] do_not_fail_on_forbidden does not work with GET _all endpoint

[buddemat]

What is the bug?
The GET _all operation does not work as expected when do_not_fail_on_forbidden: true is set. A permission error is returned instead of a filtered list of results.

How can one reproduce the bug?
Steps to reproduce the behavior:

1. set do_not_fail_on_forbidden: true
2. create read-only user and role on some index pattern (here: test-read*) as follows

   PUT _plugins/_security/api/roles/ROLE_RO         
   {                                                
     "cluster_permissions": [                       
     ],                                             
     "index_permissions": [{                        
       "index_patterns": [                          
         "test-read*"                               
       ],                                           
       "dls": "",                                   
       "fls": [],                                   
       "masked_fields": [],                         
       "allowed_actions": [                         
         "read",                                    
         "indices:admin/get"                        
       ]                                            
     }],                                            
     "tenant_permissions": [{                       
       "tenant_patterns": [                         
       ],                                           
       "allowed_actions": [                         
       ]                                            
     }]                                             
   }                                                
   

   and

   PUT _plugins/_security/api/internalusers/USER_RO 
   {                                                
     "password": "whatever",                        
     "opendistro_security_roles": ["ROLE_RO"],      
     "backend_roles": ["ROLE_RO"],                  
     "attributes": {                                
     }                                              
   }                                                
   

3. execute GET _all with said user
4. get error

   {
     "error": {
       "root_cause": [
         {
           "type": "security_exception",
           "reason": "no permissions for [indices:admin/get] and User [name=USER_RO, backend_roles=[ROLE_RO], requestedTenant=]"
         }
      ],
       "type": "security_exception",
       "reason": "no permissions for [indices:admin/get] and User [name=USER_RO, backend_roles=[ROLE_RO], requestedTenant=]"
     },
     "status": 403
   } 
   

What is the expected behavior?
I expected to see a filtered result containing only the info for all indices matching the pattern test-read*, since the user/role has the indices:admin/getprivilege for them

What is your host/environment?

• OpenSearch 2.16 official docker image

[cwperks]

[Triage] @buddemat Thank you for filing this issue. Looks like a bug that needs to be addressed. Thank you for providing the reproduction steps.