REST API changes for manage-own-api-key privilege

[bizybot]

This commit adds a flag that can be set to true if the
API key request (Get or Invalidate) is for the API keys owned
by the currently authenticated user only.
These only interface changes and once the actual cluster privilege
manage_own_api_key is done, we will have another PR to make the
interface work.

The Get API behavior would be:

• when owner is set to true
GET /_security/api_key?id=abcd&owner=true
  the Rest controller will take care of setting realm_name and username to the
  values for the authenticated user and only return results if it finds one owned by
  the currently authenticated user.

• when owner is set to false (default)
  GET /_security/api_key?id=abcd
  the Rest controller will assume realm_name and username to be unspecified
  meaning it will try to search for the API key across users and realms.
  This will fail if the user has only manage_own_api_key privilege.

Similarly, for Delete API key behavior:

• when owner is set to true
DELETE /_security/api_key

  {
    "id" : "VuaCfGcBCdbkQm-e5aOx",
    "owner": "true"
  }
  

  the Rest controller will take care of setting realm_name and username to the values
  for the authenticated user and only invalidate key if it finds one owned by
  the currently authenticated user.

• when my_api_keys_only is set to false (default)
  DELETE /_security/api_key

  {
    "id" : "VuaCfGcBCdbkQm-e5aOx",
    "owner": "false"
  }
  

  the Rest controller will assume realm_name and username to be unspecified meaning it will
  try to search for the API key across users and realms. This will fail if the user has only
  manage_own_api_key privilege.

TODO:

• HLRC changes - these will be done in a separate PR
• Actual enforcement of my_api_keys_only in a separate PR

Relates #40031

[elasticmachine]

Pinging @elastic/es-security

[albertzaharovits]

LGTM save for the lack of version guards.

[bizybot]

Connection to 127.0.0.1 closed by remote host.
@elasticmachine run elasticsearch-ci/1 elasticsearch-ci/packaging-sample

[bizybot]

@elasticmachine run elasticsearch-ci/packaging-sample

[tvernum]

Did you consider alternatives for the parameter name? I don't love it (it's a bit verbose), but I don't want to go back over old ground if you've worked through a bunch of options already.

I would think that owned=true would be fine.

[bizybot]

Did you consider alternatives for the parameter name? I don't love it (it's a bit verbose), but I don't want to go back over old ground if you've worked through a bunch of options already.

I would think that owned=true would be fine.

I did consider but went with verbose as the intent was clear with the name, I agree it is too verbose now that I look at it. I like owned but by whom is not clear. Is it okay as the documentation for the API would have that information or do we want to be little more specific like owned_by_me instead? Thank you for your comments.

[tvernum]

I'm personally not that worried about whether the meaning of the parameter is 100% obvious from its name - we have docs.
I'm OK with owned_by_me but we could do own=true or owner=true if they seemed clear enough to you.

[tvernum]

I didn't get to finish my review, but I left some comments...

[bizybot]

could not download artifacts
@elasticmachine run elasticsearch-ci/packaging-sample

[bizybot]

@elasticmachine run elasticsearch-ci/1

[codebrain]

@bizybot - PR looks good, we had to patch the REST API specification to add the "owner" flag. I will open an issue for this.

[codebrain]

#48499