feat: OPA Authorizer

[labrenbe]

Description

Adds support for authorization with OPA using Nifi OPA Plugin .

=== NAME  kuttl
    harness.go:408: run tests finished
    harness.go:516: cleaning up
    harness.go:573: removing temp folder: ""
--- PASS: kuttl (539.62s)
    --- PASS: kuttl/harness (0.00s)
        --- PASS: kuttl/harness/opa_nifi-1.27.0_zookeeper-latest-3.9.3_opa-latest-1.0.1_openshift-false (261.39s)
        --- PASS: kuttl/harness/opa_nifi-2.2.0_zookeeper-latest-3.9.3_opa-latest-1.0.1_openshift-false (268.44s)
        --- PASS: kuttl/harness/opa_nifi-1.28.1_zookeeper-latest-3.9.3_opa-latest-1.0.1_openshift-false (278.21s)
PASS

Should not be merged before: stackabletech/docker-images#1058

Definition of Done Checklist

• Not all of these items are applicable to all PRs, the author should update this template to only leave the boxes in that are relevant
• Please make sure all these things are done and tick the boxes

# Author
- [ ] Changes are OpenShift compatible
- [ ] CRD changes approved
- [ ] CRD documentation for all fields, following the [style guide](https://docs.stackable.tech/home/nightly/contributor/docs/style-guide).
- [ ] Helm chart can be installed and deployed operator works
- [ ] Integration tests passed (for non trivial changes)
- [ ] Changes need to be "offline" compatible

# Reviewer
- [ ] Code contains useful comments
- [ ] Code contains useful logging statements
- [ ] (Integration-)Test cases added
- [ ] Documentation added or updated. Follows the [style guide](https://docs.stackable.tech/home/nightly/contributor/docs/style-guide).
- [ ] Changelog updated
- [ ] Cargo.toml only contains references to git tags (not specific commits or branches)

# Acceptance
- [ ] Feature Tracker has been updated
- [ ] Proper release label has been added
- [ ] [Roadmap](https://github.com/orgs/stackabletech/projects/25/views/1) has been updated

[maltesander]

first batch of comments

[maltesander]

I dont understand that sentence at all. Would you mind reformulating or explaining it?

[labrenbe]

I think the idea is that there are different default authorization methods depending on the authentication method and OPA authorization which works with every authentication method.

[maltesander]

Suggested change

	configMapName: simple-opa <1>
	package: my-druid-rules <2>
	cache:
	entryTimeToLive: 5s <3>
	maxEntries: 10 <4>
	configMapName: simple-opa # <1>
	package: my-nifi-rules # <2>
	cache:
	entryTimeToLive: 5s # <3>
	maxEntries: 10 # <4>

[maltesander]

the footnotes do not render correcly

[maltesander]

I think ticking or quoting is enough?

Suggested change

	<1> The action taken against the resource. Possible values: `"read"` or `"write"`.
	<1> The action taken against the resource. Possible values: `read` or `write`.

[maltesander]

Suggested change

	For a general explanation of how rules are written, please refer to the {opa-rego-docs}[OPA documentation]. For more information on NiFi's access policies please refer to the {nifi-docs-access-policies}[NiFi documentation].
	For a general explanation of how rules are written, please refer to the {opa-rego-docs}[OPA documentation]. For more information on NiFi's access policies please refer to the {nifi-docs-access-policies}[NiFi documentation].

[maltesander]

Suggested change

	Inside of your rego rules you have access to the content of the authorization request from NiFi as input for OPA:
	The payload sent by NiFi with each request to OPA, that is accessible within the rego rules, has the following structure:

[maltesander]

I would go for "rego rule" instead of "RegoRule" as in other cases.

[maltesander]

I think this whole section is probably best displayed as table. Something like:

payload - description - possible values
action.name - The action taken against the resource - read/write

[maltesander]

It fixes "security#_authentication", shouldnt it be "security#_authorization" as well (or the other way round)?

[maltesander]

I think we should already prepare a more extensive test environment.
Meaning having a couple of users in keycloak with different access in the regos that can be tested via API and easily extended?

[maltesander]

Suggested change

	package: my-druid-rules <2>
	package: my-nifi-rules <2>

[maltesander]

Suggested change

	This is optional and defaults to the name of the Druid Stacklet.
	This is optional and defaults to the name of the NiFi Stacklet.

[maltesander]

Can we split this to make it more readable?

fn references_config_map(
    nifi: &DeserializeGuard<v1alpha1::NifiCluster>,
    config_map: &DeserializeGuard<ConfigMap>,
) -> bool {
    let Ok(nifi) = &nifi.0 else {
        return false;
    };

    let references_zookeeper_config_map =
        nifi.spec.cluster_config.zookeeper_config_map_name == config_map.name_any();
    let references_authorization_config_map = references_authorization_config_map(nifi, config_map);

    references_zookeeper_config_map || references_authorization_config_map
}

fn references_authorization_config_map(
    nifi: &v1alpha1::NifiCluster,
    config_map: &DeserializeGuard<ConfigMap>,
) -> bool {
    nifi.spec
        .cluster_config
        .authorization
        .as_ref()
        .and_then(|authz| authz.opa.as_ref())
        .map(|opa_config| opa_config.opa.config_map_name == config_map.name_any())
        .unwrap_or(false)
}

[labrenbe]

Did this in 13e60bc