Actually you should not see that message, unless your incorrect credentials have been matched by an ACL block that does not carry user identity information.
One of the classic pitfalls is to have a “catch all” ACL block with a “hosts” rule at the bottom of the ACL.
Simple try: try to log in again, but this time observe the Elasticsearch logs, and it won’t show “FORBIDDEN” when you put in wrong credentials. It will say ALLOWED by
You have a point, @praveenmak. I guess we could reject login attempts (user metadata API request) with an eloquent error message when there is no info about a user in the matched ACL block (i.e. an ACL block with a hosts rule alone).
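The pitfall discussed above, and the stricter login check proposed in the last reply, as an added example that is not part of the original thread and not ReadonlyREST's code. It is a deliberately simplified model of a first-match-wins ACL: the rule names (`auth_key`, `hosts`) follow readonlyrest.yml, but the matching logic, the two ACLs and the requests are constructed here for illustration. It shows why wrong credentials from a whitelisted host are ALLOWED by a trailing hosts-only block, why a block that also carries identity does not have that problem, and what "reject a login when the matched block has no user info" would look like.

```python
"""Toy first-match-wins ACL model (assumption: this is NOT ReadonlyREST's real engine)."""

from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Request:
    """A request as the ACL sees it: source host plus optional Basic credentials."""
    host: str
    user: Optional[str] = None
    password: Optional[str] = None


@dataclass
class Block:
    """One ACL block. Only auth_key carries user identity in this model;
    a block with a hosts rule alone accepts anything from those hosts."""
    name: str
    auth_key: Optional[str] = None            # "user:password"
    hosts: List[str] = field(default_factory=list)

    def carries_identity(self) -> bool:
        return self.auth_key is not None

    def matches(self, req: Request) -> bool:
        # Every rule present in the block must be satisfied.
        if self.hosts and req.host not in self.hosts:
            return False
        if self.auth_key is not None:
            if req.user is None:
                return False
            expected_user, expected_pass = self.auth_key.split(":", 1)
            if (req.user, req.password) != (expected_user, expected_pass):
                return False
        return True


def evaluate(acl: List[Block], req: Request) -> Tuple[str, Optional[str]]:
    """First block that matches wins; no match means FORBIDDEN."""
    for block in acl:
        if block.matches(req):
            return "ALLOWED", block.name
    return "FORBIDDEN", None


def login(acl: List[Block], req: Request) -> Tuple[str, Optional[str]]:
    """Model of the proposed check: a login (user metadata) request is rejected
    when the block that matched it carries no user identity."""
    verdict, name = evaluate(acl, req)
    if verdict != "ALLOWED":
        return "FORBIDDEN", None
    block = next(b for b in acl if b.name == name)
    if not block.carries_identity():
        return "FORBIDDEN_NO_IDENTITY", name
    return "ALLOWED", name


# Constructed ACLs for the example (not taken from any real deployment).
PITFALL_ACL = [
    Block(name="admins", auth_key="admin:s3cret"),
    Block(name="catch-all localhost", hosts=["127.0.0.1"]),   # hosts rule alone, at the bottom
]

FIXED_ACL = [
    Block(name="admins", auth_key="admin:s3cret"),
    Block(name="kibana server", auth_key="kibana:kibana-pass", hosts=["127.0.0.1"]),
]

# Constructed requests: same host, wrong vs. right password for "admin".
BAD_LOGIN = Request(host="127.0.0.1", user="admin", password="wrong")
GOOD_LOGIN = Request(host="127.0.0.1", user="admin", password="s3cret")


if __name__ == "__main__":
    print("pitfall ACL, bad creds :", evaluate(PITFALL_ACL, BAD_LOGIN))   # ALLOWED by catch-all
    print("fixed ACL, bad creds   :", evaluate(FIXED_ACL, BAD_LOGIN))     # FORBIDDEN
    print("fixed ACL, good creds  :", evaluate(FIXED_ACL, GOOD_LOGIN))    # ALLOWED by admins
    print("proposed login check   :", login(PITFALL_ACL, BAD_LOGIN))      # rejected: no identity
```

Reading the output against the thread: with `PITFALL_ACL` the wrong password never reaches a FORBIDDEN because the trailing hosts-only block matches first by source address alone, which is exactly the "ALLOWED by" line the logs would show. Giving that block an identity rule (or removing it) restores the expected FORBIDDEN, and the `login` function shows how a metadata request could be refused up front when the matched block knows nothing about the user.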