Problem/Motivation
Permissions from contrib modules are migrated "as is" from Drupal 7 even if there is no Drupal 9 module providing the given permission. These permissions appear in the yaml file exports for each role, but do not appear in the UI, and there's no way to clean these up except by scanning through the file to manually remove them from each role, then run configuration import to delete from the database.
Steps to reproduce:
1) Drupal 7 site contains the backup_migrate module.
2) Drupal 7 contains a custom "developer" role (aside from the standard Admin role).
3) Drupal 7 developer role has permissions to use backup and migrate.
4) Do not install Backup Migrate on Drupal 9.
5) Run migrations, export config with drush.
Expected behavior:
See no mention of backup-related permissions in the exported user.role.developer.yml file.
What happened instead?
Yaml file contains lines related to Drupal 7 backup & migrate permissions.
- 'access backup and migrate'
- 'access backup files'
- 'perform backup'
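An added example (not part of this issue or of Drupal core) of the manual cleanup described above: it scans one exported role file and separates permissions that no installed module defines. The function name `split_orphans`, the sample YAML and the `DEFINED_PERMISSIONS` set are assumptions constructed for illustration.

```python
import re

# Constructed sample of an exported user.role.developer.yml (not from a real site).
SAMPLE_ROLE_YAML = """\
langcode: en
status: true
dependencies: {  }
id: developer
label: Developer
weight: 3
is_admin: null
permissions:
  - 'access backup and migrate'
  - 'access backup files'
  - 'access content'
  - 'perform backup'
"""

# Assumption: the permissions that installed Drupal 9 modules actually define.
DEFINED_PERMISSIONS = {"access content", "administer nodes"}

ITEM = re.compile(r"^\s+-\s+(.*?)\s*$")


def split_orphans(yaml_text, defined):
    """Return (orphans, cleaned_yaml) for one exported role file.

    Only items of the top-level `permissions:` list are examined; simple
    quoted or bare scalars are assumed (no escaped quotes inside a name).
    """
    orphans, kept, in_list = [], [], False
    for line in yaml_text.splitlines(keepends=True):
        item = ITEM.match(line) if in_list else None
        if item:
            name = item.group(1).strip("'\"")
            if name not in defined:
                orphans.append(name)
                continue  # drop the orphaned grant from the cleaned file
        else:
            # Any non-item line ends the list; a `permissions:` key starts it.
            in_list = line.startswith("permissions:")
        kept.append(line)
    return orphans, "".join(kept)


if __name__ == "__main__":
    found, cleaned = split_orphans(SAMPLE_ROLE_YAML, DEFINED_PERMISSIONS)
    for name in found:
        print("orphaned permission:", name)
    print(cleaned, end="")
```

Reviewing the orphan list before importing the cleaned file matters because a grant left on a role takes effect as soon as a module defining that permission name is installed.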
Proposed resolution
Create a new 'migrate permission' to allow the migration of permissions that do not yet exist. A new UserRole destination plugin will identify the permissions that do not exist and save them in config, so they can be added as 'temporary' permissions in a permission callback.
When running the upgrade from /upgrade, the temporary permissions are listed in a warning message.
Log a message for each user role that has permissions removed.
Remaining tasks
- Update the change record: add sample code for a module to add dependencies to the user-role migrations.
- Now using the approach in #67 and #71.
- Update now that #2571235: [regression] Roles should depend on objects that are building the granted permissions has been committed.
- Review permission callbacks in core.
- Add migration dependencies to d6_user_role and d7_user_role as needed.
- Add test coverage for migration dependencies.
- Review the draft change record.
- Add a release-notes snippet.
User interface changes
None.
API changes
None.
Data model changes
Release notes snippet
The entity:user_role destination plugin has a new option, validate_permissions. When this option is set, only permissions that exist on both the source and destination site are migrated.