[Write restricted SOs] Allow creation, update, delete and transfer ownership (elastic#224411)

Closes elastic#221753

----

> [!IMPORTANT]  
> To support requirements, this feature is restricted to SO types that
are `multiple` and `multiple-isolated` namespace types only.

----

## Summary

Summarize your PR. If it involves visual changes include a screenshot or
gif.

- **Change Ownership Endpoints**: Adds server-side logic, client
methods, and repository support to transfer object ownership.

- **Extended Create Options** : Allow specifying `accessMode:
'read_only'` when creating an object.

- **Security & Authorization**: Integrates with the security extension
to enforce owner-based restrictions.

- **Mappings & Migrations**: Elasticsearch mappings and migrations
updated to persist `accessControl`.

- **Tests**: New FTR integration tests and a dedicated test plugin for
read-only object scenarios.



## Ownership-Based Authorization Logic 

All ownership checks are now centralized in 
`SavedObjectsAccessControlService.enforceAccessControl(operation,
args…)`.
The general flow is:

1. **Load existing object** to read its `accessControl` metadata.  
2. **Determine required privilege** based on the operation:  
   - `create`  
   - `read`  
   - `modify` (covers both update & delete)  
   - `changeOwnership`  
3. **If** `object.accessControl.accessMode === 'read_only'`, **also
enforce** `user === object.accessControl.owner`.
4. **Always** verify the caller holds the corresponding privilege.  

| Operation | Privilege Key | Read-Only Constraint | Notes |

|-----------------------|-----------------------|---------------------------------|----------------------------------------------------------|
| **Create** | `create` | Must supply `accessControl.owner` |
`accessControl.accessMode` passed in create options |
| **Read** | `read` | N/A | Falls back to standard read privileges |
| **Modify** (update/delete) | `modify` | Caller must be the current
owner or admin | Single hook for both update & delete |
| **Change Ownership** | `changeOwnership` | Caller must be the current
owner or admin| Performs a preflight multi-get, then bulk-updates owner
based on result |


## Assumptions
1. Update operations will not support changing accessControl metadata.
2. Updates (and in turn upserts) will also not allow objects to be
created as write restricted types. We throw an error and ask the
consumer to use `create` instead.
3. Bulk Delete operations will behave as expected with the new changes.
Superusers/owners can bulk delete objects. Non-owners cannot bulk delete
objects that are in write restricted mode. (Assuming that they otherwise
have the permission to do so)
4. Bulk delete with `force` option works the same way. 



## Expected behavior of SOR operations
All operations in the SOR on accessControl types follow the same rules.
After the existing RBAC rules for these operations, for a user to be
granted permission to perform an action on an SO Type supporting access
control, they must be superuser or owner of the object.

1. Create
Objects supporting access control will be created with the accessControl
metadata as follows:
`owner`: User profile ID of creating user
`accessMode`: `read_only` | `default` based on the incoming option

If objects supporting access control are created with no access control
metadata, then they are created just as they are today - no change to
how that object type will function.

2.  Read
No changes to read. Must have RBAC granted access for SOs. 

3. Update
Update operations will not support changing accessControl metadata.
Updates (and in turn upserts) will also not allow objects to be created
as write restricted types. We throw an error and ask the consumer to use
`create` instead. Updates are restricted by the access control rules
stated above

4. Delete
Delete operations will be allowed/disallowed based on the rules above.

6. Bulk update
Objects supporting access control but not owned by the current user
(unless superuser) will not be updated in this operation.

7. Bulk delete
Bulk delete (with and without the force option) work the same way. If an
object in the payload is of a type supporting access control, then the
rules will be the same. We will allow delete only if the user is a
superuser or owner of said object - all other instances will be
rejected.

8. Delete by namespace
Delete by namespace is a workaround for bulk deleting all objects in a
space. This function isn't exposed on the SO client but rather used on
the repository which is used by the SpacesClient to be able to delete
_all_ objects in a space. For users with a role granting this
permission, we will continue to allow them to do so even if there are
objects owned by others in that space. This is product decision based on
the Editor role being granted this privilege and if removed, would be
considered a breaking change that's out of the scope of this project.

Misc: 
Saved objects like dashboards that are shareable across spaces have the
same rules assigned to them. A user cannot update/delete a dashboard in
a space where they might have RBAC access but don't own said dashboard.

## How to test
Since there's no associated UI changes in this PR, you can use the test
`read only objects` plugin to test behavior of the different flows.

Start the plugin in the integration test as:

```
node scripts/functional_tests_server --config x-pack/platform/test/spaces_api_integration/read_only_objects/config.ts
```

Once done, you can open Kibana on `localhost:5620` and set up a simple
user with this role: `kibana_savedobjects_editor`. For your tests you
can use three users:
1. elastic:changeme `superuser`
2. test_user:changeme `non-superuser`
3. The user just created above with role `kibana_savedobjects_editor`

With each of these users, you can try the following calls in Dev Tools

1. Create a read only object / non-read only
```
POST kbn:/read_only_objects/create
{"isReadOnly": true} // switch to false if creating regular SO type
```
Creates and responds with an object owned by the creating user. Using
the ID in the response, you can now perform the different operations and
verify how access control works

You can run
```
GET kbn:/read_only_objects/<ID>
```
at any time to see the current shape of the object including the access
control metadata

2. Updates - Run this as admin/owner/non-owner to test and verify the
different responses
```
PUT kbn:/read_only_objects/update
{
  "objectId": "<ID FROM CREATE>",
  "type": "read_only_type"
}
```


3. Delete - Run this as admin/owner/non-owner to test and verify the
different responses
```
DELETE kbn:/read_only_objects/<ID FROM CREATE>
```

4. Bulk delete - Run this as admin/owner/non-owner to test and verify
the different responses
```
POST kbn:/read_only_objects/bulk_delete
{
  "objects": [
    {
      "id": "<ID1>",
      "type": "read_only_type"
    },
    {
      "id": "<ID2>",
      "type": "read_only_type"
    },
    // ...
  ]
}
```

5. Bulk delete with force - same as above with force option
```
POST kbn:/read_only_objects/bulk_delete
{
  "force": true,
  "objects": [
    {
      "id": "<ID1>",
      "type": "read_only_type"
    },
    {
      "id": "<ID2>",
      "type": "read_only_type"
    },
    // ...
  ]
}
```


## Note for reviewers:
- There are a lot of changes owned by the core team. Although most of
the authz and ownership changes are in the security extension owned by
Kibana platform security, surfacing these APIs to the SO client touches
a lot of interfaces owned by core.

### Follow up tasks
We have a few different follow up tasks documented on
elastic#230991


### Checklist

Check the PR satisfies following conditions. 

Reviewers should verify this PR satisfies this list as well.

- [x]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [ ] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)


### Identify risks
Risk matrix attached on parent PR:
elastic#224552 (comment)

---------

Co-authored-by: Elastic Machine <[email protected]>
Co-authored-by: Copilot <[email protected]>
Co-authored-by: kibanamachine <[email protected]>
Co-authored-by: Aleh Zasypkin <[email protected]>
Co-authored-by: Christiane (Tina) Heiligers <[email protected]>
Co-authored-by: “jeramysoucy” <[email protected]>

Author: 7 people

.buildkite/ftr_platform_stateful_configs.yml

@@ -334,6 +334,7 @@ enabled:
   - x-pack/platform/test/spaces_api_integration/security_and_spaces/config_basic.ts
   - x-pack/platform/test/spaces_api_integration/security_and_spaces/config_trial.ts
   - x-pack/platform/test/spaces_api_integration/spaces_only/config.ts
+  - x-pack/platform/test/spaces_api_integration/read_only_objects/config.ts
   - x-pack/platform/test/task_manager_claimer_update_by_query/config.ts
   - x-pack/platform/test/ui_capabilities/security_and_spaces/config.ts
   - x-pack/platform/test/ui_capabilities/spaces_only/config.ts

.github/CODEOWNERS

@@ -1081,6 +1081,7 @@ x-pack/platform/test/security_api_integration/plugins/oidc_provider @elastic/kib
 x-pack/platform/test/security_api_integration/plugins/saml_provider @elastic/kibana-security
 x-pack/platform/test/security_api_integration/plugins/user_profiles_consumer @elastic/kibana-security
 x-pack/platform/test/security_functional/plugins/test_endpoints @elastic/kibana-security
+x-pack/platform/test/spaces_api_integration/common/plugins/read_only_objects_test_plugin @elastic/kibana-security
 x-pack/platform/test/spaces_api_integration/common/plugins/spaces_test_plugin @elastic/kibana-security
 x-pack/platform/test/task_manager_claimer_update_by_query/plugins/sample_task_plugin_mget @elastic/response-ops
 x-pack/platform/test/ui_capabilities/common/plugins/foo_plugin @elastic/kibana-security

package.json

@@ -817,6 +817,7 @@
     "@kbn/react-kibana-context-theme": "link:src/platform/packages/shared/react/kibana_context/theme",
     "@kbn/react-kibana-mount": "link:src/platform/packages/shared/react/kibana_mount",
     "@kbn/react-mute-legacy-root-warning": "link:src/platform/packages/private/kbn-react-mute-legacy-root-warning",
+    "@kbn/read-only-objects-test-plugin": "link:x-pack/platform/test/spaces_api_integration/common/plugins/read_only_objects_test_plugin",
     "@kbn/recently-accessed": "link:src/platform/packages/shared/kbn-recently-accessed",
     "@kbn/reindex-service-plugin": "link:x-pack/platform/plugins/private/reindex_service",
     "@kbn/remote-clusters-plugin": "link:x-pack/platform/plugins/private/remote_clusters",

src/core/packages/saved-objects/api-server-internal/src/lib/apis/bulk_create.test.ts

@@ -19,7 +19,10 @@ import {
 
 import type { Payload } from '@hapi/boom';
 
-import type { SavedObjectsBulkCreateObject } from '@kbn/core-saved-objects-api-server';
+import type {
+  SavedObjectAccessControl,
+  SavedObjectsBulkCreateObject,
+} from '@kbn/core-saved-objects-api-server';
 import {
   type SavedObjectsRawDoc,
   type SavedObjectUnsanitizedDoc,
@@ -58,6 +61,7 @@ import {
 } from '../../test_helpers/repository.test.common';
 import type { ISavedObjectsSecurityExtension } from '@kbn/core-saved-objects-server';
 import { savedObjectsExtensionsMock } from '../../mocks/saved_objects_extensions.mock';
+import type { AuthenticatedUser } from '@kbn/core-security-common';
 
 // so any breaking changes to this repository are considered breaking changes to the SavedObjectsClient.
 
@@ -1086,6 +1090,244 @@ describe('#bulkCreate', () => {
           })
         );
       });
+
+      describe('access control', () => {
+        const CURRENT_USER_PROFILE_ID = 'current_user_profile_id';
+        const READ_ONLY_TYPE = 'read-only-type';
+
+        beforeEach(() => {
+          securityExtension.getCurrentUser.mockReturnValue({
+            authentication_realm: {
+              name: 'authentication_realm',
+              type: 'authentication_realm_type',
+            },
+            lookup_realm: {
+              name: 'lookup_realm',
+              type: 'lookup_realm_type',
+            },
+            authentication_provider: {
+              name: 'authentication_provider',
+              type: 'authentication_provider_type',
+            },
+            authentication_type: 'realm',
+            elastic_cloud_user: false,
+            profile_uid: CURRENT_USER_PROFILE_ID,
+          } as AuthenticatedUser);
+        });
+
+        registry.registerType({
+          name: READ_ONLY_TYPE,
+          hidden: false,
+          namespaceType: 'multiple-isolated',
+          supportsAccessControl: true,
+          mappings: {
+            dynamic: false,
+            properties: {
+              description: { type: 'text' },
+            },
+          },
+          management: {
+            importableAndExportable: true,
+          },
+        });
+
+        afterEach(() => {
+          securityExtension.getCurrentUser.mockClear();
+        });
+
+        it('applies access control options only to applicable types', async () => {
+          const obj1NoAccessControl = {
+            type: 'config',
+            id: '6.0.0-alpha1',
+            attributes: { title: 'Test One' },
+            references: [{ name: 'ref_0', type: 'test', id: '1' }],
+          };
+          const obj2AccessControl = {
+            type: READ_ONLY_TYPE,
+            id: 'has-read-only-metadata',
+            attributes: { title: 'Test Two' },
+            references: [{ name: 'ref_0', type: 'test', id: '2' }],
+          };
+          await bulkCreateSuccess(client, repository, [obj1NoAccessControl, obj2AccessControl], {
+            accessControl: { accessMode: 'read_only' },
+          });
+
+          expect(securityExtension.authorizeBulkCreate).toHaveBeenCalledWith(
+            expect.objectContaining({
+              objects: expect.arrayContaining([
+                {
+                  type: 'config',
+                  id: '6.0.0-alpha1',
+                  name: 'Test One',
+                  existingNamespaces: [],
+                  initialNamespace: undefined,
+                  // explicitly confirm there is no accessControl for non-supporting type
+                },
+                {
+                  type: READ_ONLY_TYPE,
+                  id: 'has-read-only-metadata',
+                  name: 'Test Two',
+                  existingNamespaces: [],
+                  initialNamespace: undefined,
+                  accessControl: {
+                    owner: CURRENT_USER_PROFILE_ID,
+                    accessMode: 'read_only',
+                  },
+                },
+              ]),
+            })
+          );
+        });
+
+        it('overrides access control options with incoming object property only for applicable types', async () => {
+          const obj1NoAccessControl = {
+            type: 'config',
+            id: '6.0.0-alpha1',
+            attributes: { title: 'Test One' },
+            references: [{ name: 'ref_0', type: 'test', id: '1' }],
+            accessControl: {
+              accessMode: 'read_only',
+            } as Pick<SavedObjectAccessControl, 'accessMode'>,
+          };
+          const obj2AccessControl = {
+            type: READ_ONLY_TYPE,
+            id: 'has-read-only-metadata',
+            attributes: { title: 'Test Two' },
+            references: [{ name: 'ref_0', type: 'test', id: '2' }],
+            accessControl: {
+              accessMode: 'default', // default === RBAC-only
+            } as Pick<SavedObjectAccessControl, 'accessMode'>,
+          };
+          const obj3AccessControl = {
+            type: READ_ONLY_TYPE,
+            id: 'has-read-only-metadata',
+            attributes: { title: 'Test Three' },
+            references: [{ name: 'ref_0', type: 'test', id: '3' }],
+          };
+          await bulkCreateSuccess(
+            client,
+            repository,
+            [obj1NoAccessControl, obj2AccessControl, obj3AccessControl],
+            {
+              accessControl: { accessMode: 'read_only' },
+            }
+          );
+
+          expect(securityExtension.authorizeBulkCreate).toHaveBeenCalledWith(
+            expect.objectContaining({
+              objects: expect.arrayContaining([
+                {
+                  type: 'config',
+                  id: '6.0.0-alpha1',
+                  name: 'Test One',
+                  existingNamespaces: [],
+                  initialNamespace: undefined,
+                  // explicitly confirm there is no accessControl for non-supporting type
+                },
+                {
+                  type: READ_ONLY_TYPE,
+                  id: 'has-read-only-metadata',
+                  name: 'Test Two',
+                  existingNamespaces: [],
+                  initialNamespace: undefined,
+                  accessControl: {
+                    owner: CURRENT_USER_PROFILE_ID,
+                    accessMode: 'default', // explicitly confirm the mode is overriden
+                  },
+                },
+                {
+                  type: READ_ONLY_TYPE,
+                  id: 'has-read-only-metadata',
+                  name: 'Test Three',
+                  existingNamespaces: [],
+                  initialNamespace: undefined,
+                  accessControl: {
+                    owner: CURRENT_USER_PROFILE_ID,
+                    accessMode: 'read_only', // explicitly confirm the mode is NOT overriden
+                  },
+                },
+              ]),
+            })
+          );
+        });
+
+        it('does not create objects with access control when there is no active user profile', async () => {
+          securityExtension.getCurrentUser.mockReturnValueOnce(null);
+
+          const obj1NoAccessControl = {
+            type: 'config',
+            id: '6.0.0-alpha1',
+            attributes: { title: 'Test One' },
+            references: [{ name: 'ref_0', type: 'test', id: '1' }],
+          };
+          const obj2AccessControl = {
+            type: READ_ONLY_TYPE,
+            id: 'has-read-only-metadata',
+            attributes: { title: 'Test Two' },
+            references: [{ name: 'ref_0', type: 'test', id: '2' }],
+          };
+          await bulkCreateSuccess(client, repository, [obj1NoAccessControl, obj2AccessControl], {
+            accessControl: { accessMode: 'read_only' },
+          });
+
+          expect(securityExtension.authorizeBulkCreate).toHaveBeenCalledWith(
+            expect.objectContaining({
+              objects: expect.arrayContaining([
+                {
+                  type: 'config',
+                  id: '6.0.0-alpha1',
+                  name: 'Test One',
+                  existingNamespaces: [],
+                  initialNamespace: undefined,
+                  // explicitly confirm there is no accessControl for non-supporting type
+                },
+              ]),
+            })
+          );
+        });
+
+        // regression test
+        it('creates objects supporting access control with no access control metadata when there is no active user profile and no access mode is provided', async () => {
+          securityExtension.getCurrentUser.mockReturnValueOnce(null);
+
+          const obj1NoAccessControl = {
+            type: 'config',
+            id: '6.0.0-alpha1',
+            attributes: { title: 'Test One' },
+            references: [{ name: 'ref_0', type: 'test', id: '1' }],
+          };
+          const obj2AccessControl = {
+            type: READ_ONLY_TYPE,
+            id: 'could-have-read-only-metadata',
+            attributes: { title: 'Test Two' },
+            references: [{ name: 'ref_0', type: 'test', id: '2' }],
+          };
+          await bulkCreateSuccess(client, repository, [obj1NoAccessControl, obj2AccessControl]); // no accessControl options
+
+          expect(securityExtension.authorizeBulkCreate).toHaveBeenCalledWith(
+            expect.objectContaining({
+              objects: [
+                {
+                  type: 'config',
+                  id: '6.0.0-alpha1',
+                  name: 'Test One',
+                  existingNamespaces: [],
+                  initialNamespace: undefined,
+                  // explicitly confirm there is no accessControl for non-supporting type
+                },
+                {
+                  type: READ_ONLY_TYPE,
+                  id: 'could-have-read-only-metadata',
+                  name: 'Test Two',
+                  existingNamespaces: [],
+                  initialNamespace: undefined,
+                  // explicitly confirm there is no accessControl for supporting type
+                },
+              ],
+            })
+          );
+        });
+      });
     });
   });
 });