spinning this out of
Wrt the REJECTED + UNAUTHORIZED events I see the same as you, and I believe there is a code bug, not a test bug. In HttpSolrCall#471 in the authorize() call, if authResponse == PROMPT, it will actually match both blocks and emit two audit events: https://github.com/apache/lucene-solr/blob/26ede632e6259eb9d16861a3c0f782c9c8999762/solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java#L475:L493
When code==401, it is also true that code!=200. Intuitively there should be both a sendErrora and return RETURN before line #484 in the first if block?
This causes any and all REJECTED AuditEvent messages to be accompanied by a coresponding UNAUTHORIZED AuditEvent.
It's not yet clear if, from the perspective of the external client, there are any other bugs in behavior (TBD)