Respect runas auth realm for all API key security operations

[ywangd]

When user A run as user B and creates an API key, the creator realm is recorded as user B's realm. However, when retrieving or invalidating the above API key, user A's realm will be used. This creates a problem for queries with owner=true and leads to empty result set, e.g. GET -H 'es-security-runas-user: B' /_security/api_key?id=keyId&owner=true.

This feels like a bug and it is better to have consistent behaviour for how runas realm is handled for all API key security operations. But it will be a breaking change if users are relying on the current behaviour.

[elasticmachine]

Pinging @elastic/es-security (:Security/Authentication)

[albertzaharovits]

I think this is a bug in how the manage_own_api_key privilege works, because it checks ownership as if API keys are created under the realm that did the authentication, but they are actually created under the realm that did the user look-up (the realm that the user running-as is a member of).

[tvernum]

I agree. I think, on analysis, that we should call this a bug, and fix it in 7.x (soon).

As always, one person's bug fix is another person's breaking change, but I'm happy that >bug is the right call here.

[ywangd]

Reading through the ManageOwnApiKeyClusterPrivilege class, I think checkIfuserIsOwnerOfPApiKeys needs to be updated as well. Maybe it is what @albertzaharovits meant by manage_own_api_privilege. Sorry I am still trying to get my head around this area.