Introduce kibana_admin role, deprecate kibana_user and kibana_dashboard_only_user roles #25722

Closed
kobelb opened this issue Nov 15, 2018 · 8 comments · Fixed by #57209

kobelb commented Nov 15, 2018

As Kibana has evolved, the kibana_user and kibana_dashboard_only_user role names are becoming rather confusing.

These roles are no longer the absolute minimum privileges that a user needs to access Kibana, and kibana_user is more so the "Kibana superuser" and kibana_dashboard_only_user is an "All of Kibana read-only user". I'm less concerned with kibana_dashboard_only_user because "Feature Controls" should be making this functionality redundant; but kibana_user is my primary concern.

Since renaming this role automatically isn't feasible, the current plan is to create a kibana_admin role; and to deprecate the existing kibana_user and kibana_dashboard_only_user roles for the 7.x lifecycle. We'll need to determine the best way to denote that this role is deprecated, and warn the user that it will be removed in 8.0. Ideally, the 8.0 upgrade assistant will be able to handle the switch for us as long as the user is using the native realm. This will give the users adequate time to transition to the new role.

@kobelb kobelb added the Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! label Nov 15, 2018
@elasticmachine

Pinging @elastic/kibana-security

@kobelb kobelb added the discuss label Nov 15, 2018

kobelb commented Nov 15, 2018

/cc @elastic/es-security is there any precedent for renaming reserved roles without requiring manual intervention from the user to update all users in the native realm and all of the role mappings?

@clintongormley

@kobelb What do we need the kibana_user role for, going forwards? Isn't it redundant now that we have spaces?


kobelb commented Nov 20, 2018

@clintongormley its utility is a lot more limited, and there's potential that we'd want to get rid of it entirely. However, I do think it helps users get started using Kibana; otherwise, the user would be required to have the superuser role to have any access to Kibana. That's why I was initially intending to rename it to kibana_admin, because very few users in Kibana should really have this role over custom roles which grant access to different Spaces.


jinmu03 commented Nov 20, 2018

@clintongormley Without kibana_admin, customers (let's use customer instead of user to avoid confusion) can log in as Superuser and create a new role with the same access rights as Kibana_admin, and use this new role to create other roles with various Spaces access rights. By keeping the built-in Kibana_admin role, we just make customers' life a little bit easier...

@kobelb kobelb changed the title from "Rename kibana_user and kibana_dashboard_only_user roles" to "Introduce kibana_admin role, deprecate kibana_user and kibana_dashboard_only_user roles" Jan 30, 2019
@kobelb kobelb removed the discuss label Jan 30, 2019

kobelb commented Jan 30, 2019

We were initially hoping to be able to rename these roles during the 7.0 upgrade process, but this will end up requiring manual intervention from the users, so I've updated the description to specify the new plan.


kobelb commented Jan 30, 2019

/cc @AlonaNadler


inqueue commented Feb 21, 2020

Users coming from pre-7.2.0 installations could really use better guidance on what to do/not to do with the kibana_user role. Filed #58245.
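
A read-only audit for the transition discussed in this thread, as an added example that is not part of the original issue or of Kibana's code: it lists native-realm users and role mappings that still grant the roles slated for deprecation. The sample bodies are constructed and only shaped like `GET /_security/user` and `GET /_security/role_mapping` responses; `find_deprecated` is a hypothetical helper name.

```python
import json

# Roles the issue plans to deprecate for the 7.x lifecycle and remove in 8.0.
DEPRECATED = {"kibana_user", "kibana_dashboard_only_user"}

# Constructed sample bodies (not real data), shaped like the responses of
# GET /_security/user and GET /_security/role_mapping.
SAMPLE_USERS = json.loads("""{
  "alice": {"username": "alice", "roles": ["kibana_user", "monitoring_user"], "enabled": true},
  "bob":   {"username": "bob", "roles": ["kibana_admin"], "enabled": true},
  "carol": {"username": "carol", "roles": ["kibana_dashboard_only_user"], "enabled": false}
}""")
SAMPLE_MAPPINGS = json.loads("""{
  "ldap_analysts": {"enabled": true, "roles": ["kibana_user"],
                    "rules": {"field": {"groups": "cn=analysts,dc=example,dc=org"}}},
  "saml_templated": {"enabled": true,
                     "role_templates": [{"template": {"source": "kibana_dashboard_only_user"}}],
                     "rules": {"field": {"realm.name": "saml1"}}},
  "ldap_admins": {"enabled": true, "roles": ["superuser"],
                  "rules": {"field": {"groups": "cn=admins,dc=example,dc=org"}}}
}""")


def find_deprecated(users, mappings):
    """Return sorted (kind, name, role) tuples for every deprecated-role grant."""
    hits = []
    # Native-realm users carry their roles directly on the user object.
    for name, user in users.items():
        for role in DEPRECATED.intersection(user.get("roles", [])):
            hits.append(("native_user", name, role))
    # Role mappings grant roles to users of external realms (LDAP, SAML, ...).
    for name, mapping in mappings.items():
        granted = set(mapping.get("roles", []))
        # Role templates are rendered at login; a substring match is best effort.
        for tmpl in mapping.get("role_templates", []):
            source = str(tmpl.get("template", {}).get("source", ""))
            granted.update(r for r in DEPRECATED if r in source)
        for role in DEPRECATED & granted:
            hits.append(("role_mapping", name, role))
    return sorted(hits)


if __name__ == "__main__":
    for kind, name, role in find_deprecated(SAMPLE_USERS, SAMPLE_MAPPINGS):
        print(f"{kind:13} {name:15} still grants {role}")
```

Disabled users are reported too, since re-enabling them would restore the deprecated grant.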
