Upgrade Assistant should work with token based authentication

[jloleysens]

Upon receiving a request to reindex, Upgrade Assistant (UA) stores the requester's credentials in memory and uses those credentials when updating saved objects and issuing requests for other reindexing related operations.

In a token-based authentication mechanism these tokens have an expiration time that could expire before reindexing work completes causing the task to stall. With state of reindexing tracked inside of saved objects this should be recoverable but the ideal would be that no recovery is required.

At the moment there is no simple way to refresh the auth token on behalf of the requester.

See https://github.com/elastic/kibana-team/issues/1331 for a similar issue and a proposed solution.

[elasticmachine]

Pinging @elastic/kibana-security (Team:Security)

[elasticmachine]

Pinging @elastic/es-ui (Team:Elasticsearch UI)

[legrego]

This will become more of an issue now that ESS configures SAML as the default authentication experience for deployment administrators.

I don't know the specifics of the upgrade assistant, but I wonder if our solution to #104893 could improve the situation here (cc @azasypkin)

[azasypkin]

I don't know the specifics of the upgrade assistant, but I wonder if our solution to #104893 could improve the situation here (cc @azasypkin)

If the UA implementation hasn't changed since #72014 (comment) then the solution for #104893 probably won't help since we won't have access to the refresh token. Probably relying on the temporary API key (in case API keys are enabled) would be the best option.