[8.18] Fixed entity-store enablement for API key saved object storage (…

…#213516) (#213542)

# Backport

This will backport the following commits from `main` to `8.18`:
- [Fixed entity-store enablement for API key saved object storage
(#213516)](#213516)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Jared
Burgett","email":"147995946+jaredburgettelastic@users.noreply.github.com"},"sourceCommit":{"committedDate":"2025-03-07T11:25:20Z","message":"Fixed
entity-store enablement for API key saved object storage
(#213516)\n\nWhen enabling the entity store with a non-superuser with
all required\ncredentials, it returns the following
errors:\n\n![Screenshot 2025-03-06 at 11
07\n02](https://github.com/user-attachments/assets/01b8fe73-5c7a-44aa-9b04-2c7e16a9d656)\n\nTo
fix it, we need to disable security for the saved object
client.\n\nWhile this change sounds scary (exclude security??) there are
three\nreasons I believe this is the appropriate fix:\n* [It's what
rules management/alerting/detections does for creating\ntheir
hidden/encrypted saved
objects.\n](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/alerting/server/rules_client_factory.ts#L140)I\nview
that as the canonical example for doing this kind of work.\n* Even with
this change, we actually still require the user to have\nSaved Object
Management capabilities, both in the UI (as a privilege\ncheck) and in
the init/enable routes, upstream of where we create the\nsaved object.
You can try this out yourself, the init route will fail\nwithout that
privilege.\n* We only use that particular Saved Object client in that
particular\nspot, not throughout the rest of our Saved Object
usages.\n\n### How to reproduce it\n* On main branch\n* With an empty
cluster\n* Generate data with doc generator\n* Login with 'elastic' user
and create a test role and user with\nfollowing credentials:\n* cluster,
all\n* indices, all\n* Kibana, all spaces, all\n* Open an anonymous tab
and login with the test user\n* Enable the entity store with the test
user\n\nCo-authored-by: Elastic Machine
<elasticmachine@users.noreply.github.com>","sha":"cfa2fb4aa89b8fc09f214a938a5a2fd58391d5f7","branchLabelMapping":{"^v9.1.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","backport:version","v8.18.0","v9.1.0","v8.19.0"],"title":"Fixed
entity-store enablement for API key saved object
storage","number":213516,"url":"https://github.com/elastic/kibana/pull/213516","mergeCommit":{"message":"Fixed
entity-store enablement for API key saved object storage
(#213516)\n\nWhen enabling the entity store with a non-superuser with
all required\ncredentials, it returns the following
errors:\n\n![Screenshot 2025-03-06 at 11
07\n02](https://github.com/user-attachments/assets/01b8fe73-5c7a-44aa-9b04-2c7e16a9d656)\n\nTo
fix it, we need to disable security for the saved object
client.\n\nWhile this change sounds scary (exclude security??) there are
three\nreasons I believe this is the appropriate fix:\n* [It's what
rules management/alerting/detections does for creating\ntheir
hidden/encrypted saved
objects.\n](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/alerting/server/rules_client_factory.ts#L140)I\nview
that as the canonical example for doing this kind of work.\n* Even with
this change, we actually still require the user to have\nSaved Object
Management capabilities, both in the UI (as a privilege\ncheck) and in
the init/enable routes, upstream of where we create the\nsaved object.
You can try this out yourself, the init route will fail\nwithout that
privilege.\n* We only use that particular Saved Object client in that
particular\nspot, not throughout the rest of our Saved Object
usages.\n\n### How to reproduce it\n* On main branch\n* With an empty
cluster\n* Generate data with doc generator\n* Login with 'elastic' user
and create a test role and user with\nfollowing credentials:\n* cluster,
all\n* indices, all\n* Kibana, all spaces, all\n* Open an anonymous tab
and login with the test user\n* Enable the entity store with the test
user\n\nCo-authored-by: Elastic Machine
<elasticmachine@users.noreply.github.com>","sha":"cfa2fb4aa89b8fc09f214a938a5a2fd58391d5f7"}},"sourceBranch":"main","suggestedTargetBranches":["9.0","8.18","8.x"],"targetPullRequestStates":[{"branch":"9.0","label":"v9.0.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.18","label":"v8.18.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/213516","number":213516,"mergeCommit":{"message":"Fixed
entity-store enablement for API key saved object storage
(#213516)\n\nWhen enabling the entity store with a non-superuser with
all required\ncredentials, it returns the following
errors:\n\n![Screenshot 2025-03-06 at 11
07\n02](https://github.com/user-attachments/assets/01b8fe73-5c7a-44aa-9b04-2c7e16a9d656)\n\nTo
fix it, we need to disable security for the saved object
client.\n\nWhile this change sounds scary (exclude security??) there are
three\nreasons I believe this is the appropriate fix:\n* [It's what
rules management/alerting/detections does for creating\ntheir
hidden/encrypted saved
objects.\n](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/alerting/server/rules_client_factory.ts#L140)I\nview
that as the canonical example for doing this kind of work.\n* Even with
this change, we actually still require the user to have\nSaved Object
Management capabilities, both in the UI (as a privilege\ncheck) and in
the init/enable routes, upstream of where we create the\nsaved object.
You can try this out yourself, the init route will fail\nwithout that
privilege.\n* We only use that particular Saved Object client in that
particular\nspot, not throughout the rest of our Saved Object
usages.\n\n### How to reproduce it\n* On main branch\n* With an empty
cluster\n* Generate data with doc generator\n* Login with 'elastic' user
and create a test role and user with\nfollowing credentials:\n* cluster,
all\n* indices, all\n* Kibana, all spaces, all\n* Open an anonymous tab
and login with the test user\n* Enable the entity store with the test
user\n\nCo-authored-by: Elastic Machine
<elasticmachine@users.noreply.github.com>","sha":"cfa2fb4aa89b8fc09f214a938a5a2fd58391d5f7"}},{"branch":"8.x","label":"v8.19.0","branchLabelMappingKey":"^v8.19.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Jared Burgett <147995946+jaredburgettelastic@users.noreply.github.com>

x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/entity_store/auth/api_key.ts

@@ -15,7 +15,7 @@ import type { EncryptedSavedObjectsPluginStart } from '@kbn/encrypted-saved-obje
 import { getFakeKibanaRequest } from '@kbn/security-plugin/server/authentication/api_keys/fake_kibana_request';
 import type { EntityDiscoveryAPIKey } from '@kbn/entityManager-plugin/server/lib/auth/api_key/api_key';
 import { getSpaceAwareEntityDiscoverySavedObjectId } from '@kbn/entityManager-plugin/server/lib/auth/api_key/saved_object';
-import { SavedObjectsErrorHelpers } from '@kbn/core-saved-objects-server';
+import { SavedObjectsErrorHelpers, SECURITY_EXTENSION_ID } from '@kbn/core-saved-objects-server';
 
 export interface ApiKeyManager {
   generate: () => Promise<void>;
@@ -56,6 +56,7 @@ export const getApiKeyManager = ({
       );
 
       const soClient = core.savedObjects.getScopedClient(request, {
+        excludedExtensions: [SECURITY_EXTENSION_ID],
         includedHiddenTypes: [EntityDiscoveryApiKeyType.name],
       });