Security subject rebase two client

[cwperks]

Description

Companion core PR: opensearch-project/OpenSearch#16976

This PR integrates with the IdentityAwarePlugin interface introduced into core where the IdentityPlugin (effectively the security plugin) can assign a client to all IdentityAwarePlugins that's purpose is to execution actions in the context of the plugin and not the context of the authenticated user. This client is a replacement to the existing prevalent pattern across plugins that requires using ThreadContext APIs directly. i.e. Plugins will currently use try (ThreadContext.StoredContext ctx = threadContext.stashContext) { ... } for system index access. The problem with this call is that any actions run in this block are run without authz checks. There are no authz checks because stashContext nullifies the threadcontext headers which effectively removes the information that security uses to authorize actions. As its replacement, this PR introduces a RunAsClient that will inject an identity into the new context corresponding to the plugin's identity

By default, plugins can access their own system indices, but all other actions will be blocked.

• Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation)

Security Enhancement

Check List

• New functionality includes testing
• New functionality has been documented
• New Roles/Permissions have a corresponding security dashboards plugin PR
• API changes companion pull request created
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.