Add two more tests.

Address reviews

x-pack/plugin/esql/qa/security/src/javaRestTest/java/org/elasticsearch/xpack/esql/EsqlSecurityIT.java

@@ -18,6 +18,7 @@
 import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
+import org.elasticsearch.index.query.QueryBuilders;
 import org.elasticsearch.test.MapMatcher;
 import org.elasticsearch.test.cluster.ElasticsearchCluster;
 import org.elasticsearch.test.cluster.local.distribution.DistributionType;
@@ -221,6 +222,31 @@ public void testInsufficientPrivilege() {
         assertThat(error.getMessage(), containsString("Unknown index [index-user1]"));
     }
 
+    public void testIndexPatternErrorMessageComparison_ESQL_SearchDSL() throws Exception {
+        // _search match_all query on the index-user1,index-user2 index pattern
+        XContentBuilder json = JsonXContent.contentBuilder();
+        json.startObject();
+        json.field("query", QueryBuilders.matchAllQuery());
+        json.endObject();
+        Request searchRequest = new Request("GET", "/index-user1,index-user2/_search");
+        searchRequest.setJsonEntity(Strings.toString(json));
+        searchRequest.setOptions(RequestOptions.DEFAULT.toBuilder().addHeader("es-security-runas-user", "metadata1_read2"));
+
+        // ES|QL query on the same index pattern
+        var esqlResp = expectThrows(ResponseException.class, () -> runESQLCommand("metadata1_read2", "FROM index-user1,index-user2"));
+        var srchResp = expectThrows(ResponseException.class, () -> client().performRequest(searchRequest));
+
+        for (ResponseException r : List.of(esqlResp, srchResp)) {
+            assertThat(
+                EntityUtils.toString(r.getResponse().getEntity()),
+                containsString(
+                    "unauthorized for user [test-admin] run as [metadata1_read2] with effective roles [metadata1_read2] on indices [index-user1]"
+                )
+            );
+        }
+        assertThat(esqlResp.getResponse().getStatusLine().getStatusCode(), equalTo(srchResp.getResponse().getStatusLine().getStatusCode()));
+    }
+
     public void testLimitedPrivilege() throws Exception {
         ResponseException resp = expectThrows(
             ResponseException.class,
@@ -237,6 +263,18 @@ public void testLimitedPrivilege() throws Exception {
         );
         assertThat(resp.getResponse().getStatusLine().getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN));
 
+        resp = expectThrows(
+            ResponseException.class,
+            () -> runESQLCommand("metadata1_read2", "FROM index-user1,index-user2 METADATA _index | STATS index=VALUES(_index)")
+        );
+        assertThat(
+            EntityUtils.toString(resp.getResponse().getEntity()),
+            containsString(
+                "unauthorized for user [test-admin] run as [metadata1_read2] with effective roles [metadata1_read2] on indices [index-user1]"
+            )
+        );
+        assertThat(resp.getResponse().getStatusLine().getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN));
+
         resp = expectThrows(
             ResponseException.class,
             () -> runESQLCommand("metadata1_read2", "FROM index-user1,index-user2 | STATS sum=sum(value)")
@@ -268,7 +306,6 @@ public void testLimitedPrivilege() throws Exception {
                 "from second-alias,index-user2 METADATA _index | stats sum=sum(value), index=VALUES(_index)"
             )
         );
-        System.out.println(EntityUtils.toString(resp.getResponse().getEntity()));
         assertThat(
             EntityUtils.toString(resp.getResponse().getEntity()),
             containsString(

x-pack/plugin/security/qa/multi-cluster/src/javaRestTest/java/org/elasticsearch/xpack/remotecluster/RemoteClusterSecurityEsqlIT.java

@@ -605,6 +605,7 @@ public void testCrossClusterQueryWithOnlyRemotePrivs() throws Exception {
             )
         );
 
+        // query remote cluster only - but also include employees2 which the user does not have access to
         error = expectThrows(ResponseException.class, () -> { performRequestWithRemoteSearchUser(esqlRequest("""
             FROM my_remote_cluster:employees,my_remote_cluster:employees2
             | SORT emp_id ASC
@@ -620,6 +621,7 @@ public void testCrossClusterQueryWithOnlyRemotePrivs() throws Exception {
             )
         );
 
+        // query remote and local cluster - but also include employees2 which the user does not have access to
         error = expectThrows(ResponseException.class, () -> { performRequestWithRemoteSearchUser(esqlRequest("""
             FROM my_remote_cluster:employees,my_remote_cluster:employees2,employees,employees2
             | SORT emp_id ASC