
Support viewing API key privileges

Open ywangd opened this issue 2 years ago • 1 comments

Today the privileges of an API key cannot be viewed after its creation[^1]. The alternative is to check its privileges with the HasPrivileges API. This is useful for authorization purposes but not helpful in terms of management, audit, etc. API keys are now updatable (since #88186). Since each update can potentially alter both the key's assigned descriptors (role_descriptors) and the captured owner user's permissions (limited_by_role_descriptors), it has become even harder to accurately know an API key's privileges at any point in time. Hence the recommendation is to add support for viewing API key privileges with relevant APIs. The proposed work items are as follows:

  • [x] Return role_descriptors by default in GetApiKey API. (no change to the privilege model around it)
  • [ ] Optionally return limited_by_role_descriptors in GetApiKey API when (1) a limited_by query parameter is specified and (2) the authenticating subject is the owner of the API or has manage_api_key (or higher) privilege.
  • [ ] Update GetUserPrivileges API to return error 400 (instead of the current 500) when called with API keys and advise users to use the GetApiKey API.
  • [ ] Update QueryApiKey API to have similar support for role_descriptors and limited_by_role_descriptors.
  • [ ] REST specs, YAML tests, Docs

[^1]: It is possible to retrieve the backing document of an API key by directly reading the security index. But directly accessing the security index is generally discouraged.

ywangd, Aug 03 '22 03:08
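The audit problem raised in the issue (an update changing a key's role_descriptors without anyone noticing), as an added example that is not part of the original issue or of Elasticsearch's own code: it compares two constructed GetApiKey-style snapshots and reports which grants changed per key. The response shape used here (an `api_keys` list whose entries carry `id`, `name` and `role_descriptors`) and every sample value are assumptions.

```python
import json

# Constructed snapshots shaped like GetApiKey responses that include
# role_descriptors; ids, names and roles are made up for illustration.
BEFORE = {"api_keys": [
    {"id": "key-1", "name": "ingest", "role_descriptors": {
        "writer": {"cluster": ["monitor"],
                   "indices": [{"names": ["logs-*"], "privileges": ["create_doc"]}]}}},
    {"id": "key-2", "name": "reports", "role_descriptors": {
        "reader": {"indices": [{"names": ["sales-*"], "privileges": ["read"]}]}}},
]}
AFTER = {"api_keys": [
    {"id": "key-1", "name": "ingest", "role_descriptors": {
        "writer": {"cluster": ["monitor", "manage_api_key"],
                   "indices": [{"names": ["logs-*"], "privileges": ["create_doc"]}]}}},
    {"id": "key-2", "name": "reports", "role_descriptors": {}},
    {"id": "key-3", "name": "new", "role_descriptors": {}},
]}

def flatten(descriptors):
    """Turn role_descriptors into a set of comparable grant strings."""
    grants = set()
    for role, desc in descriptors.items():
        for priv in desc.get("cluster", []):
            grants.add(f"{role}: cluster {priv}")
        for entry in desc.get("indices", []):
            for name in entry.get("names", []):
                for priv in entry.get("privileges", []):
                    grants.add(f"{role}: index {name} {priv}")
    return grants

def privilege_drift(before, after):
    """Report changed keys. 'unrestricted' means the key now has no assigned
    descriptors, so only the owner's captured permissions bound it."""
    old = {k["id"]: k.get("role_descriptors", {}) for k in before["api_keys"]}
    report = {}
    for key in after["api_keys"]:
        if key["id"] not in old:
            continue  # new key: nothing to compare against
        was, now = flatten(old[key["id"]]), flatten(key.get("role_descriptors", {}))
        if was != now:
            report[key["id"]] = {
                "added": sorted(now - was),
                "removed": sorted(was - now),
                "unrestricted": not key.get("role_descriptors"),
            }
    return report

if __name__ == "__main__":
    print(json.dumps(privilege_drift(BEFORE, AFTER), indent=2))
```

A "removed" entry is not always a reduction: key-2 loses its only assigned grant, yet with empty role_descriptors it is now bounded solely by limited_by_role_descriptors, which this comparison cannot see.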

Pinging @elastic/es-security (Team:Security)

elasticsearchmachine, Aug 03 '22 03:08