PXP-4102 Feat/arb admin

[vpsx]

Switches Sheepdog authz handling of program/project CRUD to centralized auth/Arborist.

See https://github.com/uc-cdis/commons-users/pull/810 for new Sheepdog admin policy.

(For QAs' benefit) How to test:

• See PR linked above for example of how to toggle for a given user the old admin: true/false and the new admin policy
• Verify that the API behaves according to this matrix:

    User DOES have Sheepdog admin policy: All CRUD authorized.
        Admin is FALSE:
            Create program: Authorized
            Delete program: Authorized
            Create project: Authorized
            Delete project: Authorized
        Admin is TRUE:
            Create program: Authorized
            Delete program: Authorized
            Create project: Authorized
            Delete project: Authorized
    User does NOT have Sheepdog admin policy: All CRUD not authorized.
    (Also check that they are 403s in particular)
        Admin is FALSE:
            Create program: Unauthorized
            Delete program: Unauthorized
            Create project: Unauthorized
            Delete project: Unauthorized
        Admin is TRUE:
            Create program: Unauthorized
            Delete program: Unauthorized
            Create project: Unauthorized
            Delete project: Unauthorized

New Features

Switch checks guarding program/project CRUD to centralized auth (instead of checking for "admin" in JWT, check for Sheepdog admin policy in Arborist)

Breaking Changes

Having admin: true in user.yaml no longer allows a user to do program/project CRUD in Sheepdog. Users now need to have the Sheepdog admin policy in Arborist.

Deployment changes

The environment's user.yaml needs to be updated to add the new Sheepdog admin policy/resources/roles; for each user that has admin: true, grant them the new policy. See https://github.com/uc-cdis/commons-users/pull/810 for an example.

[PlanXCyborg]

The style in this PR agrees with black. ✔️

This formatting comment was generated automatically by a script in uc-cdis/wool.

[paulineribeyre]

looks good!! i think you can clean up the various conftest files by

• removing the admin fixture
• removing is_admin from the tokens
• using submitter in the tests that still user admin, with that warning you added to other tests about not checking authz

[paulineribeyre]

this (updating URLs) should be supported in indexd, not sheepdog... and this code only supports S3 URLs, and it assumes there is only 1 stored URL 🤦‍♀ we should probably get rid of this and add an endpoint in indexd instead

cc @Avantol13 re:conversation about indexd not supporting URL updates

[vpsx]

Should we wait until indexd has the endpoint or shall I go ahead and remove this~

[Avantol13]

we can wait to be safe, though I don't think it's actually used anywhere? but if we change the public API we need a new major version of sheepdog

[vpsx]

Thanku!! I completely forgot 🤦‍♂ . So that's all done except I didn't add the warning to the other tests--they didn't really claim to be checking authz anyway (whereas the first few either used to check authz, or were next to tests that checked the unauthorized case, so there was the implication). And it would have been a lot of noise :/

[paulineribeyre]

🎉