store role assignments in the database

[davepacheco]

This depends on #512. This change moves role assignments to the database. This should remove almost all the hardcoding from the policy (aside from the policy itself). (The remaining bit of hardcoded behavior is that the special "db-init" user is hardcoded to have the "init" role on the database. This is necessary because this user uses this role to load the rest of the built-in users and roles.)

Everything here is still "built-in users" with "built-in roles". I'm reluctant to generalize further without knowing what IdP-based users or custom roles will look like. I think we may want these to be in separate tables, which is why these tables all have "builtin" in the name. That said, I'm leaning towards replacing "built-in users" with service accounts, which we already know we need -- that way there are fewer distinct kinds of actor.

There are a few side effects of this change:

• This change involved some substantial surgery on the authz subsystem. I also split up oso_types into a bunch of separate files and added some more detailed docs on how authz works.
• The authorize() functions are now async. I think this is unavoidable. (It's also not a big deal.) In order to authorize you, we have to look up roles in the database. We prefetch the roles, but we can't do that until we know what resource you're authorized on, which we don't know until authorize().
• Any automated tests that use the datastore now require not just that the datastore be created, but also that the built-in users, roles, and role assignments have been loaded into it. Normally, this happens when Nexus starts up. So integration tests are all set. However, the datastore tests themselves now need to not just create a datastore but load all the built-in stuff. This might make them a bit slower, but they were already starting a whole CockroachDB instance and this is just another few transactions.
• Similarly, the authz tests themselves now depend on a datastore, since doing authz now requires the database. These were previously very quick tests that just loaded the Oso policy and made checks against it -- now they have to set up a whole database and load the built-in stuff. Still, that should be pretty quick.

Status: I want to take a serious edit pass on the documentation in the authz crate, but otherwise I think this is ready for a look.

[bnaecker]

Same thing here. Any equality check would of course still pass, but that won't be true if we change the Fleet type to include state. It might also be good documentation to identify this as FLEET. Again, assuming that's actually what we want, I'm still getting my bearings in this code.

[davepacheco]

Fixed in 00ac778.

[bnaecker]

Nice diagram. Did you use a tool to generate this?

[davepacheco]

Thanks! Nope! Maybe should have.

[david-crespo]

Why is this called AnyActor instead of Actor?

[davepacheco]

Just to better distinguish it from AuthenticatedActor.

(That predates this change -- this code just moved.)

[david-crespo]

Doesn't need to be addressed in this PR, but since we have the whole chain of (ID, resource type) in memory here, we should be able to pull them out into a list and have role_asgn_builtin_list_for query for them all at once in a single query.

[davepacheco]

Yeah, it might be a nice improvement if this function, rather than making the query and updating RoleSet, actually just stored the relevant (resource_type, id) tuples into a BTreeSet, and then we used that at the end to build a sort of monstrous query in role_asgn_builtin_list_for.

[david-crespo]

exciting and scary