opensearch-project · dai-chen · May 27, 2026 · May 27, 2026 · May 27, 2026 · May 27, 2026
@@ -263,24 +263,14 @@ public void testSQLQueryAllowedForAuthorizedUser() throws IOException {
     }
   }
 
-  // TODO: The SQL endpoint (/_plugins/_sql) returns 500 instead of 403 for security exceptions.
-  // The legacy RestSqlAction error handling wraps OpenSearchSecurityException as a generic 500
-  // Internal Server Error rather than propagating the 403 Forbidden status. The authorization
-  // IS denied (query does not execute), but the HTTP status is incorrect. These tests accept
-  // either 403 or 500 until the SQL plugin's error propagation is fixed.
-
   @Test
   public void testSQLQueryDeniedForUnauthorizedUser() throws IOException {
     ResponseException e =
         assertThrows(
             ResponseException.class,
             () ->
                 executeSQLAsUser("SELECT name, age FROM " + TEST_INDEX + " LIMIT 3", DENIED_USER));
-    assertTrue(
-        "Expected 403 or 500 with security exception, got "
-            + e.getResponse().getStatusLine().getStatusCode(),
-        e.getResponse().getStatusLine().getStatusCode() == 403
-            || e.getResponse().getStatusLine().getStatusCode() == 500);
+    assertEquals(403, e.getResponse().getStatusLine().getStatusCode());
   }
 
   @Test
@@ -291,11 +281,7 @@ public void testSQLQueryDeniedForForbiddenIndex() throws IOException {
             () ->
                 executeSQLAsUser(
                     "SELECT name, age FROM " + FORBIDDEN_INDEX + " LIMIT 3", ALLOWED_USER));
-    assertTrue(
-        "Expected 403 or 500 with security exception, got "
-            + e.getResponse().getStatusLine().getStatusCode(),
-        e.getResponse().getStatusLine().getStatusCode() == 403
-            || e.getResponse().getStatusLine().getStatusCode() == 500);
+    assertEquals(403, e.getResponse().getStatusLine().getStatusCode());
   }
 
   @Test
@@ -306,11 +292,7 @@ public void testSQLQueryDeniedWithSearchPermissionOnly() throws IOException {
             () ->
                 executeSQLAsUser(
                     "SELECT name, age FROM " + TEST_INDEX + " LIMIT 3", SEARCH_ONLY_USER));
-    assertTrue(
-        "Expected 403 or 500 with security exception, got "
-            + e.getResponse().getStatusLine().getStatusCode(),
-        e.getResponse().getStatusLine().getStatusCode() == 403
-            || e.getResponse().getStatusLine().getStatusCode() == 500);
+    assertEquals(403, e.getResponse().getStatusLine().getStatusCode());
   }
 
   /** Executes a PPL query via the production SQL plugin endpoint (/_plugins/_ppl). */

@@ -210,7 +210,7 @@ private void handleException(RestChannel restChannel, Exception exception) {
     reportError(restChannel, exception, status);
   }
 
-  private static RestStatus getRestStatus(Exception ex) {
+  public static RestStatus getRestStatus(Exception ex) {
     int code = getRawErrorCode(ex);
     return RestStatus.fromCode(code);
   }

@@ -264,7 +264,7 @@ protected Object buildJsonObject(ExplainResponse resp) {
               @Override
               public void onFailure(Exception e) {
                 channel.sendResponse(
-                    new BytesRestResponse(RestStatus.INTERNAL_SERVER_ERROR, e.getMessage()));
+                    new BytesRestResponse(RestSqlAction.getRestStatus(e), e.getMessage()));
               }
             });
       } else {
@@ -283,7 +283,7 @@ public void onResponse(TransportPPLQueryResponse response) {
               @Override
               public void onFailure(Exception e) {
                 channel.sendResponse(
-                    new BytesRestResponse(RestStatus.INTERNAL_SERVER_ERROR, e.getMessage()));
+                    new BytesRestResponse(RestSqlAction.getRestStatus(e), e.getMessage()));
               }
             });
       }