Switch security to authorise on indices rather than aliases

[elasticmachine]

Original comment by @tvernum:

We've discussed this a number of times in the past. The current approach of authorising based on aliases was an attempt to offer something a bit like DLS, prior to our proper DLS implementation.

Switching to only authorise on indices would make a lot of the code simpler, but would be a breaking change (and is complicated by license levels, aliases work in Gold, but DLS is in Platinum).

Opening this ticket as a place for discussion.

[jaymode]

This was discussed in today's team meeting. Given the complexity that alias authorization adds, we agreed that this is a breaking change we should make to remove complexity and simplify a users ability to reason about a request.