User Account - List privileges

[kobelb]

Currently, if a user doesn't have the manage_security cluster privileges, it's hard to determine what level of access they have. This includes their cluster and index privileges in Elasticsearch, in addition to their Kibana privileges. It's difficult for a user to determine which spaces they have access to and which features they have access to in which spaces.

[elasticmachine]

Pinging @elastic/kibana-security

[legrego]

I need to resurrect this PR, but #37127 has some functionality that could be useful for this feature too. Namely the ability to call the _security/user/_privileges endpoint, and transform it into a well-formed response that Kibana can work with. This extracts/reuses the logic from the GET /api/security/roles API which transforms ES applications into role privilege definitions.

If I don't get around to #37127 soon, then we can always cherry-pick those changes out, so that this isn't blocked on that PR.

[arisonl]

Where do we want to surface this info?

[kobelb]

The original plan was to make this part of the "User Account" screen, shown below:

[sorenlouv]

Adding a big +1 for this. APM app has APIs that are being called from external (non-Kibana) services. Currently Kibana responds with 404 if the user is unauthorised to see the resource (even if the user is authenticated).
If the endpoint itself cannot provide insights into whether the user may access it, there should be an API where the service can make a preliminary request to inquire whether their privileges are sufficient.