Not allowing index names in request body for multi-get/search/bulk when indices are already given in url

[wuchanghua]

Rational: Many users currently use URL-based access control to secure access to ES. For multi-search/get queries, currently the user can put the indices in the request body, which poses a challenge to the URL-based security approach.

This request is to add a feature for multi-search/get such that when index(or indices) is given in the URL, prohibiting the request body to contain the index (indices).

In this way, all request to ES can be secured via URL.

Add a flag, called rest.action.multi.allow_explicit_index that can be set in the settings/config (default to true). If set to false, will reject requests that have explicit index specified in their body.