ES code has some specially handlings for API key authentication (by checking AuthenticationType.API_KEY). Some of these checks assume API key cannot run-as other users, which is no longer true since #79809. For example, GET _security/_authenticate does not print anonymous roles if the authentication type is API key. But this is incorrect if the API key run-as a regular user. Another example is Authentication#canAccessResourceOf which grants access if the API key is the same. But even when the API key is the same, it can run-as different users.
ES code has some specially handlings for API key authentication (by checking AuthenticationType.API_KEY). Some of these checks assume API key cannot run-as other users, which is no longer true since #79809. For example,
GET _security/_authenticatedoes not print anonymous roles if the authentication type is API key. But this is incorrect if the API key run-as a regular user. Another example isAuthentication#canAccessResourceOfwhich grants access if the API key is the same. But even when the API key is the same, it can run-as different users.