Mark apm_user for removal in "a future version"

[sorenlouv]

Meta issue: elastic/kibana#116760
The apm_user role was marked as deprecated in 7.13 and was supposed to be removed in 8.0 but it didn't happen. Now we are aiming to remove the role in 9.0 and are updating the deprecation message.

All mentions of apm_user role have been removed from docs and in-product mentions in elastic/kibana#132790.

[elasticmachine]

Pinging @elastic/es-security (Team:Security)

[elasticsearchmachine]

Hi @sqren, I've created a changelog YAML for you. Note that since this PR is labelled >deprecation, you need to update the changelog YAML to fill out the extended information sections.

[ywangd]

I think we should use the next major release instead of 9.0 since the major release strategy is not entirely clear. Also most places in the code use "the next major release/version", e.g.:

elasticsearch/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java

Line 471 in 5b6838e

+ "will not permit mapping updates in the next major release - users who require access "

[bytebilly]

I think we should use the next major release instead of 9.0 since the major release strategy is not entirely clear.

We could be even more generic with "a future major release". It was not so uncommon that we decided to keep a deprecated feature across majors, and in that case the message may be confusing.

[sorenlouv]

I changed the deprecation notice to "This role will be removed in a future major release. Please use editor and viewer roles instead"

[ywangd]

@elasticmachine update branch

[ywangd]

@pugnascotia CI fails for this PR because it does not like the area label of deprecation. Existing ones are

elasticsearch/build-tools-internal/src/main/resources/changelog-schema.json

Lines 177 to 191 in fc09896

	"enum": [
	"Cluster and node setting",
	"Command line tool",
	"CRUD",
	"Index setting",
	"JVM option",
	"Java API",
	"Logging",
	"Mapping",
	"Packaging",
	"Painless",
	"REST API",
	"System requirement",
	"Transform"
	]

But none of them seems to fit the deprecation here which is for a builtin role. What would be your recommendation? Thanks!

[pugnascotia]

It's fine to add a new area to that last. Obviously we don't want lots and lots of areas, but if we need a another one then let's just add it. "Authorization" or "Security" would be OK, something like that.

[sorenlouv]

I dropped this but this is still something I'd like to merge.

@pugnascotia Afaict I added "Authorization" in 72b1163. Still, I'm seeing a bunch of failures.

What's the suggested way forward?

[pugnascotia]

@elasticmachine update branch

[pugnascotia]

@sqren I updated the branch but there are formatting problems. To fix them, update your local branch checkout and run:

./gradlew spotlessApply

Then commit and push. I don't believe we have automation for this at present.

Request changes have been implemented.