From 04c96d5ad7df4eb00413023d336d2f5e0c2cfba3 Mon Sep 17 00:00:00 2001
From: Ryan Liang
Date: Thu, 26 Oct 2023 10:51:57 -0700
Subject: [PATCH] Refactor the cluster permission filter of service accounts

Signed-off-by: Ryan Liang
---
 .../security/privileges/PrivilegesEvaluator.java | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
index ec8374862d..1c98cebcc3 100644
--- a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
+++ b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
@@ -353,13 +353,14 @@ public PrivilegesEvaluatorResponse evaluate(
 namedXContentRegistry
 );
- if (isClusterPerm(action0) && isServiceAccount(user)) {
- presponse.allowed = false;
- log.info("{} is a service account which as no access to cluster level permission of {}.", user, action0);
- return presponse;
- }
-
 if (isClusterPerm(action0)) {
+ if (isServiceAccount(user)) {
+ presponse.missingPrivileges.add(action0);
+ presponse.allowed = false;
+ log.info("{} is a service account which as no access to cluster level permission of {}.", user, action0);
+ return presponse;
+ }
+
 if (!securityRoles.impliesClusterPermissionPermission(action0)) {
 presponse.missingPrivileges.add(action0);
 presponse.allowed = false;