Allow kibana_system to create and invalidate API keys on behalf of other users

[peterschretlen]

This change adds the following privileges to the kibana_system role:

• grant_api_key recently added in Add "grant_api_key" cluster privilege #53527
• api_key/invalidate

This is to support alerting on Kibana, which uses API keys to run scheduled background alert checks on a user's behalf as described in #48716 (comment)

Related: elastic/kibana#49398

[elasticmachine]

Pinging @elastic/es-security (:Security/Authorization)

[peterschretlen]

Related PR on Kibana side: elastic/kibana#60423

[peterschretlen]

Tested locally to confirm the roles are added and working as expected.

kibana_system role includes grant_api_key and api_key/invalidate

$ curl -k -s -u elastic:changeme https://localhost:9200/_security/role/kibana_system | jq .kibana_system.cluster
[
  "monitor",
  "manage_index_templates",
  "cluster:admin/xpack/monitoring/bulk",
  "manage_saml",
  "manage_token",
  "manage_oidc",
  "cluster:admin/xpack/security/api_key/invalidate",   <---- added
  "grant_api_key",                                     <---- added
  "cluster:admin/xpack/security/privilege/builtin/get",
  "delegate_pki",
  "cluster:admin/ilm/get",
  "cluster:admin/ilm/put",
  "cluster:admin/analyze"
]

kibana user has kibana_system role:

 $ curl -k -s -u elastic:changeme  https://localhost:9200/_security/user/kibana | jq -c .kibana.roles
["kibana_system"]

kibana user can invalidate API key:

# create key for elastic user
$ curl -k -s -u elastic:changeme -H content-type:application/json -d '{ "name":"my-key" }'  https://localhost:9200/_security/api_key | jq .
{
  "id": "IEFY9HABM4_s1PGvY_DW",
  "name": "my-key",
  "api_key": "2VVEhxpRSwqq3PV3clHGZg"
}
# kibana user invalidates key
$ curl -k -s -u kibana:changeme -H content-type:application/json -XDELETE -d '{ "name":"my-key" }' https://localhost:9200/_security/api_key | jq .
{
  "invalidated_api_keys": [
    "IEFY9HABM4_s1PGvY_DW"
  ],
  "previously_invalidated_api_keys": [],
  "error_count": 0
}

kibana user can grant key:

# kibana grants key for elastic user
$ curl -k -s -u kibana:changeme -H content-type:application/json -d '{ "grant_type":"password", "username":"elastic", "password":"changeme" }' https://localhost:9200/_security/api_key/grant | jq .
{
  "id": "HEFi9HABM4_s1PGvv_GA",
  "name": null,
  "api_key": "1XI-g2IWRseli9E3G3yazg"
}

# list keys for elastic user
$ curl -k -s -u elastic:changeme https://localhost:9200/_security/api_key?username=elastic | jq .
{
  "api_keys": [
    {
      "id": "HEFi9HABM4_s1PGvv_GA",
      "name": null,
      "creation": 1584648077171,
      "invalidated": false,
      "username": "elastic",
      "realm": "reserved"
    }
  ]
}

[legrego]

Thanks Peter! The additional privileges look good to me. Can we also update the existing test to ensure the kibana_system role can perform these actions?

elasticsearch/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java

Line 298 in 9074215

public void testKibanaSystemRole() {

[tvernum]

Thanks @peterschretlen I was off sick at the end of last week, and was just about to pick this up when I saw you had done it.

[tvernum]

LGTM