
@cwperks cwperks commented May 16, 2025

Description

This PR allows plugins to declare a plugin-permissions.yml file that contains a single role definition containing permissions that the plugin needs to perform with its assigned plugin subject.

This PR relates to strengthening system index access by deprecating try (ThreadContext.StoredContext ctx = threadContext.stashContext()) { ... }, which allows plugins to perform any action on the cluster in that block.

With the replacement, pluginSubject.runAs(() -> { ... }), plugins are limited to system index access only for system indices that they formally register with SystemIndexPlugin.getSystemIndexDescriptors().

This PR gives plugins an additional mechanism for declaring other necessary actions they need to perform with their assigned subject.

For instance, the security plugin needs to be able to write to the auditlog index even though the auditlog index is not a system index. For this use case, the plugin would add an index_permissions: section to its plugin-permissions.yml file that allows it to create and write to indices matching the security_auditlog* pattern.

  • Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation)

Enhancement

Issues Resolved

[List any issues this PR will resolve]

Check List

  • New functionality includes testing
  • New functionality has been documented
  • New Roles/Permissions have a corresponding security dashboards plugin PR
  • API changes companion pull request created
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: Craig Perkins <cwperx@amazon.com>
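A plugin-permissions.yml for the audit-log case described in the PR description, added here as an illustration and not taken from this PR or the project's code. The file name, the single-role requirement and the index_permissions section are from the description above; the role name, the key layout (assumed to follow the security plugin's existing roles.yml schema of index_patterns and allowed_actions) and the particular action names are assumptions.

```yaml
# plugin-permissions.yml (added illustration; not the project's own file)
# Exactly one role definition, as the PR description requires.
# Role name, key layout and action names are assumptions.
security_plugin_permissions:
  # No cluster_permissions: the plugin subject gets nothing cluster-wide.
  index_permissions:
    - index_patterns:
        # Only the audit-log indices; no bare "*" wildcard.
        - "security_auditlog*"
      allowed_actions:
        # Create the index when the plugin first writes to it.
        - "indices:admin/create"
        # Single-document and bulk writes of audit events.
        - "indices:data/write/index"
        - "indices:data/write/bulk"
```

The point of keeping the role this narrow is the same one the PR makes about replacing stashContext(): a bug or injected input inside a pluginSubject.runAs(() -> { ... }) block can then reach only the registered system indices plus the security_auditlog* indices listed here, not arbitrary indices on the cluster. When reviewing such a file, check that the index patterns are prefixed rather than a bare "*", that read actions are absent if the plugin only appends, and that no cluster_permissions section has crept in.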
cwperks added 21 commits May 16, 2025 14:49