Closed
Labels: :Security/Authentication (Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc)), >test-failure (Triaged test failures from CI)
Description
The following Rest IntegTest is failing:
./gradlew :x-pack:qa:multi-cluster-search-security:mixedClusterTestRunner -Dtests.seed=986EC309467F6543 -Dtests.class=org.elasticsearch.xpack.security.MultiClusterSearchWithSecurityYamlTestSuiteIT -Dtests.method="test {yaml=multi_cluster/20_info/Add transient remote cluster based on the preset cluster and check remote info}" -Dtests.security.manager=true -Dtests.locale=gu -Dtests.timezone=Pacific/Fiji -Dtests.rest.suite=multi_cluster
with
MultiClusterSearchWithSecurityYamlTestSuiteIT.test {yaml=multi_cluster/20_info/Add transient remote cluster based on the preset cluster and check remote info} <<< FAILURES!
> Throwable #1: java.lang.AssertionError: Failure at [multi_cluster/20_info:64]: expected [2xx] status code but api [search] returned [403 Forbidden] [{"error":{"root_cause":[{"type":"security_exception","reason":"action [indices:admin/shards/search_shards] is unauthorized for user [_system]","stack_trace":"ElasticsearchSecurityException[action [indices:admin/shards/search_shards] is unauthorized for user [_system]]\n\tat org.elasticsearch.xpack.core.security.support.Exceptions.authorizationError(Exceptions.java:30)\n\tat org.elasticsearch.xpack.security.authz.AuthorizationService.denialException(AuthorizationService.java:574)\n\tat org.elasticsearch.xpack.security.authz.AuthorizationService.denial(AuthorizationService.java:552)\n\tat org.elasticsearch.xpack.security.authz.AuthorizationService.authorize(AuthorizationService.java:157)\n\tat org.elasticsearch.xpack.security.transport.ServerTransportFilter$NodeProfile.lambda$inbound$2(ServerTransportFilter.java:147)\n\tat org.elasticsearch.xpack.security.authz.AuthorizationUtils$AsyncAuthorizer.maybeRun(AuthorizationUtils.java:173)\n\tat org.elasticsearch.xpack.security.authz.AuthorizationUtils$AsyncAuthorizer.setRunAsRoles(AuthorizationUtils.java:167)\n\tat org.elasticsearch.xpack.security.authz.AuthorizationUtils$AsyncAuthorizer.authorize(AuthorizationUtils.java:149)\n\tat org.elasticsearch.xpack.security.transport.ServerTransportFilter$NodeProfile.lambda$inbound$3(ServerTransportFilter.java:150)\n\tat org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:60)\n\tat
and it does not reproduce locally; it looks like a race.
Indeed, the _system user somehow gets to handle a shard search, which is not something it has privileges for, and is rightfully rejected.
The problem is to see how the _system user gets assigned to a search request without any Authorization header: x-pack/qa/multi-cluster-search-security/src/test/resources/rest-api-spec/test/multi_cluster/20_info.yml:L64
Note: looks similar to #30565
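As an added triage helper (not part of this issue or of Elasticsearch itself), the following parses a 403 body like the one quoted above and separates a plain missing-privilege denial from one whose denied user is an internal user such as _system, which points at a request-context problem rather than a role misconfiguration. The sample body is constructed from the error in the report, and the leading-underscore convention for internal user names is an assumption.

```python
import json
import re
from typing import Optional

# Constructed sample: the 403 body from the CI failure above, reduced to the
# fields this helper needs (the stack_trace field is omitted).
SAMPLE_403 = json.dumps({
    "error": {
        "root_cause": [{
            "type": "security_exception",
            "reason": "action [indices:admin/shards/search_shards] is unauthorized for user [_system]",
        }],
        "type": "security_exception",
        "reason": "action [indices:admin/shards/search_shards] is unauthorized for user [_system]",
    },
    "status": 403,
})

# Matches the reason string Elasticsearch emits when authorization is denied.
DENIAL_RE = re.compile(r"action \[(?P<action>[^\]]+)\] is unauthorized for user \[(?P<user>[^\]]+)\]")


def parse_denial(body: str) -> Optional[dict]:
    """Return {'action', 'user', 'internal'} for a security_exception body, else None."""
    try:
        err = json.loads(body)["error"]
    except (ValueError, KeyError, TypeError):
        return None
    causes = err.get("root_cause") or [err]
    for cause in causes:
        if cause.get("type") != "security_exception":
            continue
        m = DENIAL_RE.search(cause.get("reason", ""))
        if m:
            # Assumption: internal users carry a leading underscore (e.g. _system).
            # A denial for one of those means the wrong identity reached the
            # authorization step, not that a role lacks the privilege.
            return {"action": m["action"], "user": m["user"],
                    "internal": m["user"].startswith("_")}
    return None


def triage(body: str) -> str:
    """Classify a response body for a CI triage note."""
    d = parse_denial(body)
    if d is None:
        return "not-a-security-denial"
    if d["internal"]:
        return f"context-leak-suspect: {d['user']} denied {d['action']}"
    return f"missing-privilege: {d['user']} lacks {d['action']}"
```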