diff --git a/extension/apikeyauthextension/authenticator.go b/extension/apikeyauthextension/authenticator.go
index 52ea5c0d..aea094ae 100644
--- a/extension/apikeyauthextension/authenticator.go
+++ b/extension/apikeyauthextension/authenticator.go
@@ -281,12 +281,18 @@ func (a *authenticator) Authenticate(ctx context.Context, headers map[string][]s
 
 hasPrivileges, username, err := a.hasPrivileges(ctx, authHeaderValue)
 if err != nil {
- if elasticsearchErr, ok := err.(*types.ElasticsearchError); ok {
- if elasticsearchErr.Status == http.StatusUnauthorized || elasticsearchErr.Status == http.StatusForbidden {
+ switch elasticsearchErr := err.(type) {
+ case *types.ElasticsearchError:
+ switch elasticsearchErr.Status {
+ case http.StatusUnauthorized, http.StatusForbidden:
 return ctx, status.Error(codes.Unauthenticated, err.Error())
+ default:
+ return ctx, status.Errorf(codes.Internal, "error checking privileges for API Key %q: %v", id, err)
 }
+ default:
+ // If no ES error type is found, it implies an error on the TCP connection level.
+ return ctx, errorWithDetails(codes.Unavailable, fmt.Sprintf("retryable server error %q: %v", id, err), nil)
 }
- return ctx, status.Errorf(codes.Unauthenticated, "error checking privileges for API Key %q: %v", id, err)
 }
 if !hasPrivileges {
 cacheEntry := &cacheEntry{
diff --git a/extension/apikeyauthextension/authenticator_test.go b/extension/apikeyauthextension/authenticator_test.go
index 2aaafafe..0f053b6b 100644
--- a/extension/apikeyauthextension/authenticator_test.go
+++ b/extension/apikeyauthextension/authenticator_test.go
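Review bot: Both new return paths in the `if err != nil` block copy the raw `err` text into the gRPC status that goes back to a caller who has not authenticated yet; in the `default:` branch that text comes from the transport layer and can include the Elasticsearch endpoint address or TLS failure details. Consider recording the detail in the server-side log and returning a fixed message instead, e.g. `return ctx, errorWithDetails(codes.Unavailable, "authentication backend unavailable", nil)`. The `default:` comment also assumes every non-`*types.ElasticsearchError` is a TCP-level failure, but a cancelled or expired `ctx` would land there as well and be reported as retryable. Because a type switch does not unwrap, a wrapped Elasticsearch 401/403 (should `hasPrivileges` ever wrap its errors, which is not visible here) would also fall through to `Unavailable` and invite clients to retry bad credentials; `errors.As(err, &elasticsearchErr)` plus an explicit `ctx.Err()` check would make the classification robust. Authenticate's body starts and ends outside the hunk.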
@@ -77,7 +77,7 @@ func TestAuthenticator(t *testing.T) {
 },
 Status: 400,
 }),
- expectedErr: `rpc error: code = Unauthenticated desc = error checking privileges for API Key "id": status: 400, failed: [a_type], reason: a_reason`,
+ expectedErr: `rpc error: code = Internal desc = error checking privileges for API Key "id": status: 400, failed: [a_type], reason: a_reason`,
 },
 "auth_error": {
 handler: newCannedErrorHandler(types.ElasticsearchError{
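Review bot: Nothing visible in this hunk exercises the new `default:` branch in Authenticate that returns `codes.Unavailable`; the only updated expectation is the Elasticsearch-400 case, now mapped to `Internal`. If no other entry in the TestAuthenticator table does so, add a case where the request to Elasticsearch fails without producing a `types.ElasticsearchError` and assert the `Unavailable` code, so the retryable/non-retryable split is pinned by a test. A case with a 5xx Elasticsearch status would also document that such responses are deliberately reported as `Internal` rather than retryable. The test table starts and continues outside the hunk.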