Add 'permission denied' handling for index access

Signed-off-by: Simeon Widdis <sawiddis@amazon.com>

Author: Swiddis

common/src/main/java/org/opensearch/sql/common/error/ErrorCode.java

@@ -40,6 +40,9 @@ public enum ErrorCode {
   /** Index or datasource not found */
   INDEX_NOT_FOUND,
 
+  /** Permission denied or insufficient privileges */
+  PERMISSION_DENIED,
+
   /** Query planning failed */
   PLANNING_ERROR,
 

integ-test/src/test/java/org/opensearch/sql/security/PPLPermissionsIT.java

@@ -613,6 +613,29 @@ public void testUserWithoutMappingPermissionCannotGetFieldMappings() throws IOEx
     }
   }
 
+  @Test
+  public void testUserWithoutMappingPermissionGetsPermissionDeniedErrorCode() throws IOException {
+    // Test that security exceptions return PERMISSION_DENIED error code, not INDEX_NOT_FOUND
+    try {
+      executeQueryAsUser(String.format("describe %s", TEST_INDEX_BANK), NO_MAPPING_USER);
+      fail("Expected security exception for user without mapping permission");
+    } catch (ResponseException e) {
+      assertEquals(403, e.getResponse().getStatusLine().getStatusCode());
+      String responseBody =
+          org.opensearch.sql.legacy.TestUtils.getResponseBody(e.getResponse(), false);
+      JSONObject responseJson = new JSONObject(responseBody);
+
+      // Verify the error code is PERMISSION_DENIED, not INDEX_NOT_FOUND
+      assertTrue("Response should have error field", responseJson.has("error"));
+      JSONObject error = responseJson.getJSONObject("error");
+      assertTrue("Error should have code field", error.has("code"));
+      assertEquals(
+          "Security exception should return PERMISSION_DENIED error code",
+          "PERMISSION_DENIED",
+          error.getString("code"));
+    }
+  }
+
   @Test
   public void testUserWithoutSettingsPermissionCannotGetSettings() throws IOException {
     // Test that user without settings permission gets 403 error

opensearch/src/main/java/org/opensearch/sql/opensearch/client/OpenSearchNodeClient.java

@@ -99,13 +99,20 @@ public Map<String, IndexMapping> getIndexMappings(String... indexExpression) {
           .collect(
               Collectors.toUnmodifiableMap(
                   Map.Entry::getKey, cursor -> new IndexMapping(cursor.getValue())));
-    } catch (IndexNotFoundException | OpenSearchSecurityException e) {
+    } catch (IndexNotFoundException e) {
       // Re-throw directly to be treated as client error finally
       throw ErrorReport.wrap(e)
           .code(ErrorCode.INDEX_NOT_FOUND)
           .location("while fetching index mappings")
           .context("index_name", indexExpression[0])
           .build();
+    } catch (OpenSearchSecurityException e) {
+      // Re-throw with permission denied code
+      throw ErrorReport.wrap(e)
+          .code(ErrorCode.PERMISSION_DENIED)
+          .location("while fetching index mappings")
+          .context("index_name", indexExpression[0])
+          .build();
     } catch (Exception e) {
       throw new IllegalStateException(
           "Failed to read mapping for index pattern [" + indexExpression + "]", e);