[ML] [Transforms] fix transform _start permissions to use stored headers in the config (#86802)

It was previously required that the _start API caller required the same roles as the create API caller. This does not make sense as when the transform is actually running (after _start) we rely solely on the roles of the caller who created the transform. Consequently, this commit does the permission validations and various checks with the roles of user who created the transform, not the one calling _start
2025-04-24 23:27:25 -04:00 · 2022-05-16 09:10:01 -04:00 · 2022-05-16 09:10:01 -04:00 · 88a5da9560
commit 88a5da9560
parent 480abeaa9d
7 changed files with 49 additions and 37 deletions
--- a/docs/reference/transform/apis/start-transform.asciidoc
+++ b/docs/reference/transform/apis/start-transform.asciidoc
@ -21,9 +21,6 @@ Requires the following privileges:

 * cluster: `manage_transform` (the `transform_admin` built-in role grants this
  privilege)
-* source indices: `read`, `view_index_metadata`.
-* destination index: `read`, `create_index`, `index`. If a `retention_policy` is configured, the `delete` privilege is
-  also required.

 [[start-transform-desc]]
 == {api-description-title}