Conversation

Contributor

@ZohebShaikh ZohebShaikh commented Sep 26, 2025

Checklist

  • Add a Changelog entry
  • Add the ticket number which this PR closes to the comment section

@ZohebShaikh ZohebShaikh changed the title Add opa Add external Policy Decision Point for Authorization Oct 1, 2025
Base automatically changed from allow-bearer-access-token to main October 15, 2025 17:06
@DiamondJoseph
Contributor

We're aiming to try this out on our test beamline today 🤞
We're deploying OPA with some additional policies we need to add to make this work (the endpoints in the AccessPolicy), and Tiled built from this branch behind the oauth2_proxy service (although it is squatting on another service's DNS)

Member

@danielballan danielballan left a comment


How did your local test go?

@nmaytan took a look at this, and we have some quick comments.

"read:data",
"write:data",
"read:metadata",
"write:metadata",
Member

Is the intent here to make public nodes world-writable? Generally I would expect world-readable, but not world-writable.

Contributor Author

I will refactor it to make it more clear, but the intent is to make the public tag world readable.

The root node currently is world readable, and a user who comes with a tag that allows them to write to this public node can write to it.

],
"public": [
"read:data",
"write:data",
Member

This tag configures what unauthenticated requests can do. Generally I would expect those would never be allowed to write (or create, register, delete).

result: Union[List[str], bool]


class ExternalPolicyDecisionPoint(AccessPolicy):
Member

@nmaytan and I wonder if the TagBasedAccessPolicy could be reused, using the tag_parser argument to inject OPA-specific integration (_get_external_decision). Most of the AccessPolicy interface will be the same across our local solution, OPA, OpenFGA, and others. The TagParser abstraction might be a more tightly-scoped way of injecting framework-specific integration.

Nate will aim to find the bandwidth to implement this suggestion as a PR into your PR. But I mention this now in case you have any immediate thoughts on this.

Contributor Author

@ZohebShaikh ZohebShaikh Nov 27, 2025

It would be a good thing to use the tag_parser, but the only thing that concerns me is that there is a lot of authZ that happens in Tiled, for example:

"Cannot apply empty tag list to node: only Tiled admins can apply an empty tag list."

But when you look at the ExternalPolicy, it does not check and just delegates everything to AuthZ to decide, which I think makes for a cleaner separation of concerns.
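
The two review points above (that the "public" tag must never grant write scopes to unauthenticated requests, and that ExternalPolicyDecisionPoint delegates every decision to the external AuthZ with a result typed Union[List[str], bool]) suggest one pattern worth showing in code: consume the PDP's result, fail closed on anything malformed, and keep a local read-only floor for anonymous callers even when the PDP answer is wrong. The block below is an added example, not code from Tiled, OPA or this PR; the names build_input and get_external_decision, the scope strings beyond those quoted in the thread, and the in-memory stand-in PDP are assumptions for illustration.

```python
"""Added example, not Tiled's own code: normalising an external PDP decision.

The PDP returns `Union[List[str], bool]`: either an explicit scope list or a
bare allow/deny. `build_input`, `get_external_decision`, the extra scope
strings and the in-memory PDP below are assumptions for illustration.
"""
from typing import Dict, FrozenSet, List, Optional, Tuple, Union

READ_SCOPES: FrozenSet[str] = frozenset({"read:data", "read:metadata"})
WRITE_SCOPES: FrozenSet[str] = frozenset(
    {"write:data", "write:metadata", "create", "register", "delete"}
)
ALL_SCOPES: FrozenSet[str] = READ_SCOPES | WRITE_SCOPES

Decision = Union[List[str], bool]

# Constructed stand-in for an OPA data-API lookup, keyed by
# (principal, or None for anonymous; sorted tags). Not a real policy.
_FAKE_PDP: Dict[Tuple[Optional[str], Tuple[str, ...]], Decision] = {
    # Misconfigured on purpose: the PDP grants write:data to anonymous callers.
    (None, ("public",)): ["read:data", "write:data"],
    # Bare allow: the PDP says "everything" for an authenticated user.
    ("alice", ("public",)): True,
    ("bob", ("visit-123",)): ["read:data", "read:metadata", "write:data"],
}


def build_input(principal: Optional[str], tags: List[str]) -> dict:
    """Document posted to the PDP (shape assumed; OPA expects it under `input`)."""
    return {"input": {"principal": principal, "tags": sorted(tags)}}


def get_external_decision(document: dict) -> Decision:
    """Stand-in for POST /v1/data/<package>/scopes; returns the `result` field.

    An unknown (principal, tags) pair denies: a missing rule is False, not an error.
    """
    inp = document["input"]
    key = (inp["principal"], tuple(inp["tags"]))
    return _FAKE_PDP.get(key, False)


def normalize(result: Decision, default: FrozenSet[str] = ALL_SCOPES) -> FrozenSet[str]:
    """Map the PDP's `Union[List[str], bool]` onto a concrete scope set.

    True  -> the caller's default scope set
    False -> nothing
    list  -> exactly those scopes; any unknown scope fails closed
    """
    if result is True:
        return frozenset(default)
    if result is False:
        return frozenset()
    if isinstance(result, list) and all(isinstance(s, str) for s in result):
        scopes = frozenset(result)
        unknown = scopes - ALL_SCOPES
        if unknown:
            raise ValueError(f"PDP returned unknown scopes: {sorted(unknown)}")
        return scopes
    raise ValueError(f"PDP result has unexpected shape: {result!r}")


def effective_scopes(principal: Optional[str], tags: List[str]) -> FrozenSet[str]:
    """Scopes the request may use: the PDP decision, then a local floor.

    The PDP is authoritative for authenticated principals. For anonymous
    requests the result is intersected with READ_SCOPES, so no PDP answer,
    however misconfigured, can make a public node writable.
    """
    scopes = normalize(get_external_decision(build_input(principal, tags)))
    if principal is None:
        scopes &= READ_SCOPES
    return scopes


if __name__ == "__main__":
    print(sorted(effective_scopes(None, ["public"])))      # ['read:data']
    print(sorted(effective_scopes("alice", ["public"])))   # every scope in ALL_SCOPES
    print(sorted(effective_scopes("bob", ["visit-123"])))  # read:data, read:metadata, write:data
    print(sorted(effective_scopes("bob", ["public"])))     # [] (no rule: deny)
```

Run it directly to print the four decisions. The anonymous "public" case shows write:data being dropped by the local floor even though the stand-in PDP returned it; whether such a floor belongs in Tiled or only in the policy is exactly the separation-of-concerns question the thread is discussing.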

@DiamondJoseph DiamondJoseph changed the base branch from main to fork-publish November 28, 2025 13:28
Comment on lines 34 to 36
"session/write_to_beamline_visit",
"session/user_sessions",
"tiled/scopes",
Contributor

The user_sessions and tiled/scopes queries are added in this PR, DiamondLightSource/authz#293, which is in review. Internally we have to answer exactly what the route to the queries is, so it may be worth removing this from the generic functionality PR into a later Diamond implementation PR?

Could also allow us to decide where non-NSLS facility specific code should live?

@ZohebShaikh ZohebShaikh changed the base branch from fork-publish to main December 12, 2025 15:07
@ZohebShaikh ZohebShaikh dismissed DiamondJoseph’s stale review December 12, 2025 15:22

Joseph has left Diamond.

@danielballan
Member

Plan:

  1. @ZohebShaikh will remove dls.py which can live in local config (put on the PYTHONPATH).
  2. @danielballan will merge and release a beta by end of US workday on Wednesday.
  3. 🎄
  4. Evaluate whether we can consolidate on one plugin interface (i.e. build_input + _get_external_decision versus tag_parser). This should enable us to share implementations of init_node, modify_node, and filter.
  5. Decide, item by item, how much of the authorization logic in the TagParser would be better delegated to an external system: OPA or NSLS-II's own homegrown (temporary) authorization system.
  6. Consider whether custom integrations with authorization systems should plug in to Tiled by implementing a custom AccessPolicy class, or whether they should all use the same Tiled AccessPolicy and inject customizations some other way (e.g. tag_parser).

@danielballan
Member

Some merge conflicts were introduced when I merged #1244. Would you mind resolving these, @ZohebShaikh? Then we can merge/release.

@danielballan
Member

Test failure is flaky/unrelated.

@danielballan danielballan merged commit b098863 into main Dec 17, 2025
11 of 12 checks passed
@ZohebShaikh ZohebShaikh deleted the add-opa branch January 3, 2026 03:17

4 participants