[ML] Adds option to Reauthorize transform in Management page

[qn895]

Summary

Part of #151186. Follow up of #154665. This PR adds the ability to Reauthorize transforms with a secondary authorization so that it can start operating correctly.

If the transform was originally created with insufficient permission

• It will be created successfully, but fail to start, and show a warning:

• It will show an option to Reauthorize transform for both individual and bulk:
  
  
  

• Reauthorizing transform will create an API key using the user's credential, call transform/_update with the es-secondary-authorization: 'ApiKey {encoded_api_key} in the headers, and start the transform.

If the transform was originally created with sufficient permission:

• No Reauthorize option will be shown:
  

This PR also updates the behavior of the tooltip message when a bulk action should be disabled.

WIP:

• API integration test
• Functional test (follow up PR)

Checklist

Delete any items that are not applicable to this PR.

• Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios
• Any UI touched in this PR is usable by keyboard only (learn more about keyboard accessibility)
• Any UI touched in this PR does not create any new axe failures (run axe in browser: FF, Chrome)
• If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the docker list
• This renders correctly on smaller devices using a responsive layout. (You can test this in your browser)
• This was checked for cross-browser compatibility

Risk Matrix

Delete this section if it is not applicable to this PR.

Before closing this PR, invite QA, stakeholders, and other developers to identify risks that should be tested prior to the change/feature release.

When forming the risk matrix, consider some of the following examples and how they may potentially impact the change:

Risk	Probability	Severity	Mitigation/Notes
Multiple Spaces—unexpected behavior in non-default Kibana Space.	Low	High	Integration tests will verify that all features are still supported in non-default Kibana Space and when user switches between spaces.
Multiple nodes—Elasticsearch polling might have race conditions when multiple Kibana nodes are polling for the same tasks.	High	Low	Tasks are idempotent, so executing them multiple times will not result in logical error, but will degrade performance. To test for this case we add plenty of unit tests around this logic and document manual testing procedure.
Code should gracefully handle cases when feature X or plugin Y are disabled.	Medium	High	Unit tests will verify that any feature flag or plugin combination still results in our service operational.
See more potential risk examples

For maintainers

• This was checked for breaking API changes and was labeled appropriately

[qn895]

@elasticmachine merge upstream

[elasticmachine]

Pinging @elastic/ml-ui (:ml)

[walterra]

You could do isPopulated(arg, ['api_key', 'encoded']) && typeof arg.encoded === string here.

[qn895]

Updated here 3f64b1f (#154736)

[walterra]

Type suer -> user

[qn895]

Updated here 3f64b1f (#154736)

[walterra]

Can we keep the type exports here or is there a reason to remove them?

[qn895]

Updated here 3f64b1f (#154736)

[peteharverson]

@szabosteve @lcawl is it common practice to mention specific cluster privileges that are required? Wondering as in other places we aren't so specific:

[szabosteve]

After a quick check, I found that although we rarely mention specific cluster privileges in the UI, there is precedent for doing it, for example in the APM app when you don't have the correct privileges to create anomaly detection jobs. While there is precedent, I would go without mentioning the privileges specifically. The docs mention the correct privileges and we consider them as the source of truth, so it might make sense to keep only the docs up-to-date – even if the name of the privileges is unlikely to change.
@peteharverson @lcawl WDYT?

Suggested change

	'This transform was created with insufficient permissions. You must have manage_transform cluster privileges to reauthorize and start it.',
	'This transform was created with insufficient permissions. Contact your administrator to request the required privileges.',

[peteharverson]

+1 to your suggestion @szabosteve to not mention the privileges specifically.

[qn895]

Updated here (1a8969a)

[lcawl]

Yup, that's even better, thanks!

[peteharverson]

Tested with your example Host Risk Score packages and overall looks good.

A couple of the warning messages probably need a further edit.

[peteharverson]

This message should be adjusted if logging in as a user with the correct permissions, otherwise it gives the impression that the current user does not have the required permissions.

Something along the lines of

This transform was installed by a user who did not have the permissions required to run it. Select Reauthorize in the Actions menu to reauthorize.

(too many 'reauthorize's! Any suggestions @szabosteve ?

[szabosteve]

How about This transform was installed by a user who did not have the permissions required to run it. Reauthorize it in the Actions menu.?

In the case of the user without proper permissions, I propose to use the following: This transform was created with insufficient permissions. Contact your administrator to request the required permissions. So we can use a single term instead of permissions and privileges.

(I don't use suggesting mode because it would be more confusing.)

[qn895]

Updated here 1775dd0 (#154736)

For when user has permissions:

[peteharverson]

As above, this message should be adjusted if logging back in as a user with the correct permissions.

Nit - the text refers to both 'permissions' and 'privileges'. Should we use a single term here @szabosteve?

[szabosteve]

We can use the same string as above if the user has correct permissions: A transform was installed by a user who did not have the permissions required to run it. Reauthorize it in the Actions menu.

In the case of the user without proper permissions, I propose to use the following: This transform was created with insufficient permissions. Contact your administrator to request the required permissions. So we can use a single term instead of permissions and privileges.

(I don't use suggesting mode because it would be more confusing.)

[qn895]

Updated here 1775dd0 (#154736)

[peteharverson]

Latest text edits LGTM.

[walterra]

Latest changes code LGTM.

[kibana-ci]

💚 Build Succeeded

• Buildkite Build
• Commit: 6d9a641

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id	before	after	diff
transform	318	325	+7

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
transform	376.3KB	383.0KB	+6.8KB

Unknown metric groups

ESLint disabled line counts

id	before	after	diff
securitySolution	394	397	+3

Total ESLint disabled count

id	before	after	diff
securitySolution	474	477	+3

History

• 💛 Build #121618 was flaky b539864
• 💛 Build #121356 was flaky 5329239
• 💛 Build #120358 was flaky 1a8969a
• 💛 Build #120129 was flaky c44929b
• 💔 Build #120125 failed 9e73407
• 💛 Build #119432 was flaky 84b9ad3

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @qn895