Security: add create api key transport action

[jaymode]

In order to support api keys for access to elasticsearch, we need the
ability to generate these api keys. A transport action has been added
along with the request and response objects that allow for the
generation of api keys. The api keys require a name and optionally
allow a role to be specified which defines the amount of access the key
has. Additionally an expiration may also be provided.

This change does not include the restriction that the role needs to be
a subset of the user's permissions, which will be added seperately. As
it exists in this change, the api key is currently not usable which is
another aspect that will come later.

Relates #34383

[elasticmachine]

Pinging @elastic/es-security

[jaymode]

@tvernum @jkakavas this is ready for review again

[tvernum]

There's 1 issue about still indexing the api key.
The other comments are suggestions that you can take or leave as you wish.

[tvernum]

Should we have any other restrictions on names?
I feel like starting or ending in whitespace is likely to cause confusion, and perhaps we should reserve names start with _ just in case we need them in the future?

[jaymode]

Added those restrictions

[tvernum]

I guess it depends on how this gets used in the future, but we may need to think about how we deal with realm names, and their potential to change over time.
In particular, out-of-the-box we have "default_file" and "default_native", but once someone adds another realm (e.g. LDAP), they tend to not use "default_native" as the name of their native realm (because we don't tell them to).

[jaymode]

The reason behind storing the realm is based on the invalidation api and being able to invalidate by realm. It really stinks that we don't have a way to enforce realm name consistency between nodes

[jkakavas]

LGTM, thanks for the iterations !

[jkakavas]

nit but maybe xpack.security.authc.api_key_hashing.algorithm makes more sense ( consistent with xpack.security.authc.password_hashing.algorithm ) ? Naming is hard and I don't have strong opinions

[jaymode]

Sure I'll be consistent

[jaymode]

We definitely need to think about how we expect administrators to handle existing api-keys when a user's privileges are downgraded.

This is tricky. Maybe we provide an API for an administrator to validate permissions against a set of role names for a given user? We don't keep a record of what a users roles are, so I do not think we can do this automatically unless we have shadow users. Maybe something like:

POST /_xpack/security/api_key/_check_permissions
{
        "username": "tvernum",
        "roles": [ ]
}

[tvernum]

👍