elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

Specify internal and external notes when opting out of route authorization #198590

Open legrego opened 4 days ago

legrego commented 4 days ago

Routes that opt out of authorization are required to provide a justification for doing so:

https://github.com/elastic/kibana/blob/71c0d75d76a6e4bfbc4cb5026e26982ce0a258ba/packages/core/http/core-http-server/src/router/route.ts#L178-L187

https://github.com/elastic/kibana/blob/71c0d75d76a6e4bfbc4cb5026e26982ce0a258ba/packages/core/http/core-http-router-server-internal/src/security_route_config_validator.ts#L98-L106

These justifications are designed for internal consumption, and do not provide value to external API consumers.

We should update this schema to support two types of notes:

  1. The internal justification for disabling route authorization (e.g. "Route delegates authorization to the scoped ES Client")
  2. An external description that allows the route author to tell consumers the required privileges (e.g. "Route requires read access to the logs-* data stream").

The internal justification should remain a required field. The new external description should be an optional field.

The new external description should be surfaced in the OAS documentation, similar to what we do for routes that have opted-in to authorization (https://github.com/elastic/kibana/pull/197001)

elasticmachine commented 4 days ago

Pinging @elastic/kibana-security (Team:Security)

jeramysoucy commented 20 hours ago

@legrego Will this be complete once we update and merge https://github.com/elastic/kibana/pull/198334? Or is this intended more as a cross-team meta issue?

legrego commented 20 hours ago

> Will this be complete once we update and merge https://github.com/elastic/kibana/pull/198334? Or is this intended more as a cross-team meta issue?

@jeramysoucy neither. This is tracking an enhancement to the new security.authz interface that we expose on Core's router. It will allow teams to specify both internal and external notes when opting out of route authorization. We currently only support the former.
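A stand-alone sketch of the schema this issue proposes, added here as an example and not taken from Kibana or from any commenter: a required internal justification, an optional external description, and a docs renderer that publishes only the latter. The names `AuthzOptOut`, `reason`, `externalDescription`, `validateAuthzOptOut` and `describeForOas`, and the `[Authz]` prefix, are assumptions made for illustration.

```typescript
// Added example. All names are hypothetical and do not reflect Kibana's router API.
interface AuthzOptOut {
  enabled: false;
  reason: string;               // internal justification (required)
  externalDescription?: string; // consumer-facing note (optional)
}

// Returns validation errors; an empty array means the opt-out config is acceptable.
function validateAuthzOptOut(cfg: unknown): string[] {
  if (typeof cfg !== 'object' || cfg === null) return ['config must be an object'];
  const c = cfg as Record<string, unknown>;
  const reason = c.reason;
  const ext = c.externalDescription;
  const errors: string[] = [];
  if (c.enabled !== false) errors.push('enabled must be false for an opt-out');
  // The internal justification stays mandatory, as the issue requires.
  if (typeof reason !== 'string' || reason.trim() === '') {
    errors.push('reason is required');
  }
  // The external description may be absent, but not empty or non-string.
  if (ext !== undefined && (typeof ext !== 'string' || ext.trim() === '')) {
    errors.push('externalDescription, when present, must be a non-empty string');
  }
  return errors;
}

// Builds the text published in API documentation. Only the external note is
// appended; the internal reason is never copied into consumer-facing output.
function describeForOas(summary: string, cfg: AuthzOptOut): string {
  const errors = validateAuthzOptOut(cfg);
  if (errors.length > 0) throw new Error(errors.join('; '));
  return cfg.externalDescription
    ? `${summary}\n\n[Authz] ${cfg.externalDescription}`
    : summary;
}

// Constructed sample config, reusing the two example notes quoted in the issue.
const sampleOptOut: AuthzOptOut = {
  enabled: false,
  reason: 'Route delegates authorization to the scoped ES Client',
  externalDescription: 'Route requires read access to the logs-* data stream',
};
```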