
Anonymous role resolution change may break stored Authentication objects #57711

Closed
tvernum opened this issue Jun 5, 2020 · 3 comments
Labels
blocker >bug :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) Team:Security Meta label for security team

Comments

@tvernum
Contributor

tvernum commented Jun 5, 2020

In #53453 we moved the resolution of the anonymous role from authorization time to authentication time.
As a consequence, it is likely that stored Authentication headers (as used in Watcher, ML and CCR) may see a change in behaviour.

Assume a cluster with the anonymous role set to superuser.
In 7.7, if a user with no other roles authenticated and created a new Watch, we would serialize an Authentication object with no roles. When the watch ran we would deserialize that object, but we would run it with superuser privileges because the AuthorizationService would add the role in automatically.

If that same Authentication object is deserialized on 7.8, it will have no roles, and will not be granted the superuser role because the anonymous role logic no longer exists in the AuthorizationService.

We intend to revert #53453 and come up with a new solution to the original problem regarding reporting of anonymous roles.

@tvernum tvernum added >bug blocker :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) labels Jun 5, 2020
@elasticmachine
Collaborator

Pinging @elastic/es-security (:Security/Authentication)

@elasticmachine elasticmachine added the Team:Security Meta label for security team label Jun 5, 2020
@ywangd
Member

ywangd commented Jun 5, 2020

First of all, the changes of #53453 can be reverted cleanly on the 7.8 branch.

Now after some digging, the behaviour is a bit more involved.

In 7.7, if a user with no other roles authenticated and created a new Watch, we would serialize an Authentication object with no roles

  1. If the user is an anonymous user, i.e. an incoming request without any credentials, we would actually serialise the anonymous role, because the authentication process recognises the anonymous user and resolves its roles before authorization. That is, if Watcher is set up with an anonymous user, it will continue to work in 7.8.

  2. If, however, the user is a named user with no roles, then yes, the Authentication object would be serialised with no roles. If a watcher is set up this way, it will break in 7.8.

When anonymous roles are relied on to set up and execute things like watchers, it is likely that the entire cluster runs with anonymous superuser roles. As I understand it, this is useful to users for approximating a "security-less" cluster for ECE where security is always on (or troublesome to disable). This corresponds to scenario 1 above, and things would continue working for 7.8.

Scenario 2, in my opinion, is probably unlikely out there? But this is just my guess, because it does not seem to be a great use of anonymous roles. This setup also has some more differences between 7.7 and current 7.8.

  • For 7.7, if a new watcher is created with anonymous roles enabled, it will stop working when anonymous roles are disabled.
  • But for 7.8, if a new watcher is created with anonymous roles enabled, it will keep working when anonymous roles are disabled.
    I am not sure which behaviour is more correct. It could be they are both correct from different perspective.

So overall I think the issue is not as bad. But it is an issue nonetheless (behaviour changes including what is previously discussed). Given the revert is straightforward, I am happy to go ahead with it which also buys us some more time to think this through.
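
The scenario matrix above, as an added example that is not part of this thread or of the Elasticsearch code base: a constructed Python model of the two resolution strategies (7.7 adds anonymous roles in the AuthorizationService; 7.8 after #53453 adds them at authentication time) applied to a stored Authentication object. The user name `alice`, the `_anonymous` placeholder and the function names are assumptions.

```python
"""Constructed model of the anonymous-role resolution change discussed above:
7.7 resolves anonymous roles in the AuthorizationService, 7.8 (after #53453)
resolves them at authentication time. Assumption: a stored Authentication
header keeps exactly the role names it was serialised with."""
from dataclasses import dataclass

ANONYMOUS = "_anonymous"  # constructed placeholder name for the anonymous user


@dataclass(frozen=True)
class Authentication:
    """What Watcher/ML/CCR persist with the job and later deserialize."""
    user: str
    roles: frozenset


def authenticate(version, user, user_roles, anon_roles):
    """user=None models a request that carries no credentials."""
    if user is None:
        # Both versions recognise the anonymous user and serialise its roles.
        return Authentication(ANONYMOUS, frozenset(anon_roles))
    roles = set(user_roles)
    if version == "7.8":
        roles |= set(anon_roles)  # #53453: resolved at authentication time
    return Authentication(user, frozenset(roles))


def effective_roles(version, auth, anon_roles):
    """Roles the stored Authentication is granted when the watch executes."""
    if version == "7.7":
        return auth.roles | frozenset(anon_roles)  # added by AuthorizationService
    return auth.roles  # 7.8: no anonymous-role logic left in authorization


def watch_has_role(role, created_on, runs_on, user, user_roles,
                   anon_at_creation, anon_at_run):
    """Was the watch created on `created_on` granted `role` when run on `runs_on`?"""
    auth = authenticate(created_on, user, user_roles, anon_at_creation)
    return role in effective_roles(runs_on, auth, anon_at_run)


SUPER = {"superuser"}
if __name__ == "__main__":
    # Scenario 1: anonymous user, watch created on 7.7, executed on 7.8.
    print(watch_has_role("superuser", "7.7", "7.8", None, (), SUPER, SUPER))  # True
    # Scenario 2: named user with no roles, created on 7.7, executed on 7.8.
    print(watch_has_role("superuser", "7.7", "7.8", "alice", (), SUPER, SUPER))  # False
    # Scenario 2 on 7.7 alone, anonymous roles disabled after the watch exists.
    print(watch_has_role("superuser", "7.7", "7.7", "alice", (), SUPER, ()))  # False
    # Same on 7.8: the role was captured at creation, so it keeps working.
    print(watch_has_role("superuser", "7.8", "7.8", "alice", (), SUPER, ()))  # True
```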

@ywangd
Member

ywangd commented Jun 9, 2020

Done revert (#57857) for 7.8.
