auth: enable multiple rules per API key

[CreMindES]

Summary

At the moment, each key have a list of indexes and the associated set of actions, but there is no way to specify multiple selective associations for a single key.

Example use case

Multiple services want to access each other's indexes, but each service should only be able to modify their own.

This is currently only possible with two keys, one general search key that has access to a number of indexes and one that only allows full read-write access to the service's "own" indexes.
This results in either having to write a single wrapper around the two API clients or having 2 instances of it.

Possible solution

It would be nice to be something like the following, or something equivalent in terms of DX.

{
    "name": "Default Search API Key",
    "description": "Use it to search from the frontend",
    "key": "0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33",
    "uid": "123-345-456-987-abc",
    "rules": [
        {
            "actions": [
                 "search"
            ],
            "indexes": [
                  "*"
            ],
        },
        {
            "actions": [
                   "*"
            ],
            "indexes": [
                  "service_x_*", "special_shared_index"
            ],
        }
    ]
    "expiresAt": null,
    "createdAt": "2024-01-25T16:19:53.949636Z",
    "updatedAt": "2024-01-25T16:19:53.949636Z"
},

instead of the current single index set - action set association.

{
    "name": "Default Search API Key",
    "description": "Use it to search from the frontend",
    "key": "0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33",
    "uid": "123-345-456-987-abc",
    "actions": [
        "search"
    ],
    "indexes": [
        "*"
    ],
    "expiresAt": null,
    "createdAt": "2024-01-25T16:19:53.949636Z",
    "updatedAt": "2024-01-25T16:19:53.949636Z"
}

[macraig]

Hi @CreMindES , thank you for taking the time to explain your request. You're right about the current limitations. At the moment, you can only manage different actions and indexes by using separate API keys.

We appreciate the insight into how this feature could enhance flexibility and efficiency for managing access across services. We will keep this discussion open for further comments and upvotes from the community to gather more feedback on this potential improvement.