Add a new API to update RCS specific API keys

[ywangd]

This PR adds a new endpoint to update RCS specific API keys. It works similarly to the existing UpdateApiKey API except:

• It requires manage_security permission
• It does not permit empty request body because it does not use limited-by model
• It takes the simplified "access" payload as the CreateCrossClusterApiKey API

Relates: #95714

[ywangd]

It is technically possible to have a bulk version of this transport action and use it for the single update REST action as well. But doing so could make auditing message look a bit weird because we differentiate beteween single and bulk update in audit events for REST API keys. So I chose to have a dedicate single update transport action and leave out bulk update transport action since we don't need it for now.

[ywangd]

Use anonymous class here to have one less class file.

[ywangd]

Adding a randomisation here which should have been part of #95714.

[elasticsearchmachine]

Pinging @elastic/es-security (Team:Security)

[n1v0lg]

I went through the production code (still need to review tests) and I'm on board with the changes, except one behavior which we have to tweak:

Currently, if an API key creates a cross cluster API key, it becomes impossible to update it. The API key can't update it because we prevent this in the ApiKeyService. The owner of the original API key can't update it either because the realm doesn't match anymore (it's set to _es_api_key on the cross cluster key on creation).

I think the simplest way to address this is to simply skip supporting derived cross cluster API keys for now (since there wasn't a strong ask for these in the first place), but wanted to also see your thoughts. Apologies for not catching this in the review of the create API! And apologies if I'm missing something and this isn't actually an issue.

[n1v0lg]

Good catch!

[n1v0lg]

Nit: I think we could collapse the two abstract methods into one, since they are only called together. Something like:

abstract void doExecuteUpdate(
    Task task,
    Request request,
    Authentication authentication,
    ActionListener<Response> listener
);

The fact that we are resolving role descriptors is arguably an implementation detail of the regular update actions; for cross cluster, we don't really resolve.

[ywangd]

Yeah one abstract method looks better. I have updated accordingly e62022c

[ywangd]

For the derived key issue, I commented on the PR of create API here #95714 (comment)

I personally think it's a separate issue since it's a known bug. Other than not updatable, it otherwise works just fine. My preference would be moving forward as is and fork a separate issue to agree on API key's identity and ownership. But please let me know if you think otherwise.

The other issue that I realised today is that we should have license check for both APIs. I'll have it as a separate PR to keep the size in control.

[n1v0lg]

For the derived key issue, I commented on the PR of create API here #95714 (comment)

Ah apologies, I missed this!

My preference would be moving forward as is and fork a separate issue to agree on API key's identity and ownership.

Since the API key does end up broken (in a surprising way), I think it would be good to either fix the bug or keep derived API keys out of scope. Totally fair to handle this outside of this PR though, and fork a separate issue 👍

The other issue that I realised today is that we should have license check for both APIs. I'll have it as a separate PR to keep the size in control.

Sounds good!

[n1v0lg]

LGTM! Sorry for the delay. Just a few smaller things and nits around tests.

[n1v0lg]

Nit: there is a bunch of extra whitespace here; lets nuke it

[n1v0lg]

Totally optional but a randomCrossClusterApiKeyAccessField() or something like that could be a nice wrapper

[ywangd]

Add suggested method to CreateCrossClusterApiKeyRequestTests and replace all occurences like this one with the new method.

[ywangd]

Thanks a lot for the thorough review and nice catches!