[Follow ups] API token follow up issue

[derek-ho]

Is your feature request related to a problem?
This issue is simply a tracker to not lose issues while merging into a feature branch,

• API token support for the following situations:

There's ProtectedIndexEvaluator which uses the setting plugins.security.protected_indices.roles to define roles which can access protected indices
PrivilegeEvaluator uses mapped roles to realize the Dashboards multi tenancy implementation
User attributes exposes the mapped roles via ${user.securityRoles}, thus they can be used in DLS statements

ApiTokenIndexHandler seems to do a actionGet, i.e., a sync operation. Whenever we're on transport operations, I'd strongly recommend to prefer async operations using action listeners, as otherwise there's a slight deadlock risk due to thread pool exhaustion.

If a user has configured an auth domain with the priority -2, this will be removed in favor of the ApiTokenAuthenticator. This might be unexpected behavior.

This error message does not indicate which permission is missing. It also does not mention any other potential indices which also might have missing permissions. Thus, it is not really user friendly.

I would recommend to use the CheckTable class as it is also used by the other index privilege evaluation methods.

Collaborator
@[nibix](https://github.com/nibix) nibix [2 weeks ago](https://github.com/opensearch-project/security/pull/4992#discussion_r1928441561)
Additionally, the API contract for hasIndexPrivilege() which calls this method defines that situations where there are privileges available for sub-sets of indices are reported with a isPartiallyOk() response, combined with the set of available indices:

Can the name ctxWithUserName() be somehow refined? Considering that ctxForApiToken() also accepts a userName param, it is unclear by the name what the difference to ctxWithUserName() is.

In order to avoid the if/else constructs which are very prominent in this PR, I would recommend to extract ActionPrivileges as an interface or abstract super class, and have one implementation which deals with RoleBasedPrivilegesEvaluationContext and another implementation which deals with PermissionBasedPrivilegesEvaluationContext.

What solution would you like?
A clear and concise description of what you want to happen.

What alternatives have you considered?
A clear and concise description of any alternative solutions or features you've considered.

Do you have any additional context?
Add any other context or screenshots about the feature request here.

[derek-ho]

Create the index on node bootup if enabled, instead of wait until the first request