[ResponseOps][Connectors] Add authMode to connector saved objects and apis

[js-jankisalvi]

Summary

Resolves #250976

This PR introduces a new authMode attribute for connectors that allows configuring authentication modes as either shared (default) or per-user. This enables support for different authentication patterns where connectors can use:

• shared: Single set of credentials shared across all users
• per-user: Individual user credentials for personalized authentication

Note: The per-user mode is primarily intended for OAuth-based connectors where each user will authenticate with their own account. Implementing the actual per-user credential storage and OAuth flows is not part of this PR.
At this stage, both modes use the same single-credential storage. The per-user flag is a declaration of intent for future OAuth capabilities.

Key Changes

• Saved object schema: Introduced v2 schema with authMode field support
• Data migration: Model version 2 automatically backfills authMode: 'shared' for existing connectors that have config.authType set

Checklist

Check the PR satisfies following conditions.

Reviewers should verify this PR satisfies this list as well.

• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios
• The PR description includes the appropriate Release Notes section, and the correct release_note:* label is applied per the guidelines
• Review the backport guidelines and apply applicable backport:* labels.

Release note:

Create a connector with auth_mode attribute

[js-jankisalvi]

Addressing the question form #252064 (comment)

Is this only used to determine if a human controls the creds, to make it easier to identify, to allow them to "refresh" them? That's kinda what I get from the description of the changes, but the top level description says
new authMode attribute for connectors that allows configuring authentication modes as either shared (default) or per-user
After seeing that, I was thinking we'd be maintaining multiple sets of Secrets on a per-user basis, to use when the connector is executed. Except I know we don't really have a concept of "users" like that anyway, so seems unlikely we'd do that.
So, I just wanted to make sure this story doesn't include a multi-Secrets-per-Connector requirement. If so, I wonder if we can change the terms we're using, as I think customer's might get confused. Thinking they could use the same PagerDuty connector with different userids, or similar.

Good question :) This PR adds a new authMode attribute to connectors that serves as metadata to identify the authentication model - it does NOT implement multiple secrets per connector. We're not maintaining multiple sets of secrets on a per-user basis. It just adds two modes shared (connector uses a single set of credentials that are shared across all users/executions) and per-user (connector is intended to use user-specific credentials)
@jcger could you please help add more context if I am missing anything?

Also, is this mainly just relevant for OAuth stuff? Seems possible. If so, I think that's worth noting in the description ...

Yes, this is mainly relevant for OAuth-based connectors where we want to support per-user authorization flows in the future. Updated the PR description to avoid confusion.

[florent-leborgne]

LGTM for docs

[elasticmachine]

💔 Build Failed

• Buildkite Build
• Commit: 36e9a9f

Failed CI Steps

• Jest Integration Tests #3
• Jest Integration Tests #3
• Check changes in Saved Objects
• Post-Build

Test Failures

• [job] [logs] Jest Integration Tests #3 / checking changes on all registered encrypted SO types detecting changes to encryption registration definitions
• [job] [logs] Jest Integration Tests #3 / checking changes on all registered encrypted SO types detecting changes to encryption registration definitions
• [job] [logs] Jest Integration Tests #3 / checking changes on all registered encrypted SO types detecting new model versions in registered encrypted types
• [job] [logs] Jest Integration Tests #3 / checking changes on all registered encrypted SO types detecting new model versions in registered encrypted types

Metrics [docs]

‼️ ERROR: no builds found for mergeBase sha [b8f0483]

History

• 💔 Build #393459 failed 36e9a9f
• 💔 Build #393027 failed 85df030
• 💔 Build #393017 failed 4958d52
• 💔 Build #392741 failed ee9986a

cc @js-jankisalvi