
Conversation

@maltesander

Description

Spike for #792, https://github.com/stackabletech/decisions/issues/66

This consolidates the operators authorization part closer to the nifi internals:

image

The authorization part consisted of an OPA and a Default part. The Default part was a mix of the SingleUser authorizer (e.g. for SingleUser or OIDC authentication) as well as file-based for LDAP authentication.
File-based changes to users or authorizations were not persisted properly (ephemeral), which led to problems.

This is now consolidated according to the diagram above:

spec:
  clusterConfig:
    authorization: # complex enum, defaults to `singleUser: {}`, so should be non-breaking (I would need to look at the generated CRD to be sure)
      opa: ... # existing
      singleUser: {} # new
      standard: #  new -> this internally adds a PVC to the STS
        accessPolicyProvider:
          fileBased:
            initialAdminUser: CN=admin,OU=admin-group,DC=example,DC=org

This is breaking for LDAP users that now explicitly have to set the standard authorization method and an initial admin user.

The PVC size provided for the file-based authorization is currently fixed to 16MB and cannot be configured other than via pod overrides.

Definition of Done Checklist

  • Not all of these items are applicable to all PRs, the author should update this template to only leave the boxes in that are relevant
  • Please make sure all these things are done and tick the boxes

Author

  • Changes are OpenShift compatible
  • CRD changes approved
  • CRD documentation for all fields, following the style guide.
  • Helm chart can be installed and deployed operator works
  • Integration tests passed (for non trivial changes)
  • Changes need to be "offline" compatible
  • Links to generated (nightly) docs added
  • Release note snippet added

Reviewer

  • Code contains useful comments
  • Code contains useful logging statements
  • (Integration-)Test cases added
  • Documentation added or updated. Follows the style guide.
  • Changelog updated
  • Cargo.toml only contains references to git tags (not specific commits or branches)

Acceptance

  • Feature Tracker has been updated
  • Proper release label has been added
  • Links to generated (nightly) docs added
  • Release note snippet added
  • Add type/deprecation label & add to the deprecation schedule
  • Add type/experimental label & add to the experimental features tracker

@maltesander maltesander self-assigned this Jan 11, 2026
@maltesander maltesander added release-note Denotes a PR that will be considered when it comes time to generate release notes. release-note/action-required Denotes a PR that introduces potentially breaking changes that require user action. labels Jan 11, 2026
@maltesander maltesander moved this to Development: Waiting for Review in Stackable Engineering Jan 11, 2026
@dervoeti dervoeti self-requested a review January 13, 2026 08:10

@dervoeti dervoeti left a comment


Nice, LGTM overall, just some nits.

We should provide migration instructions in the release notes for users that use LDAP.

@dervoeti dervoeti moved this from Development: Waiting for Review to Development: In Review in Stackable Engineering Jan 13, 2026
@maltesander maltesander requested a review from dervoeti January 13, 2026 13:22
@maltesander maltesander requested a review from dervoeti January 14, 2026 12:37
@maltesander

Release notes

Reworked the authorization configuration for the operator to more closely match and represent the Apache NiFi interfaces and implementations.
The OpaAuthorizer, SingleUserAuthorizer and StandardManagedAuthorizer can now be explicitly set.
This allows setting an initialAdminUser for file-based authorization.

spec:
  clusterConfig:
    authorization:
      opa: { .. } # existing
      # OR
      singleUser: {} # new
      # OR
      standard: # new
        accessPolicyProvider:
          fileBased:
            initialAdminUser: CN=admin,OU=admin-group,DC=example,DC=org

If not provided, this defaults to the SingleUserAuthorizer.

Breaking changes - Upgrade guide

Users authenticating via LDAP that do not use the OpaAuthorizer (but relied on the operator-generated file-based authorization) now have to explicitly set the StandardManagedAuthorizer and the initialAdminUser.
That means the cluster definition must be extended by an authorization part.

spec:
  clusterConfig:
    authentication:
      - authenticationClass: ldap
    # LDAP requires file based authorization if OPA is not used
    authorization:
      standard:
        accessPolicyProvider:
          fileBased:
            initialAdminUser: CN=admin,OU=admin-group,DC=example,DC=org

Docs

https://docs.stackable.tech/home/nightly/nifi/usage_guide/security/#authorization
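As an added example that is not part of this PR or the operator's code, the following Python pre-upgrade check encodes the rules stated in the release notes above: the `authorization` field is a one-of enum over `opa`, `singleUser` and `standard`, an absent field defaults to `singleUser`, `standard` needs `accessPolicyProvider.fileBased.initialAdminUser`, and an LDAP cluster that is neither OPA- nor standard-authorized has lost its implicit file-based authorization. The sample specs are constructed, the helper names are hypothetical, and detecting LDAP by the AuthenticationClass name `ldap` (as in the upgrade guide's example) is a simplification; a real check would resolve the class's provider.

```python
# Added example, not operator code: validate a NifiCluster clusterConfig dict
# against the reworked authorization enum described in this PR.

VARIANTS = ("opa", "singleUser", "standard")


def effective_authorization(cluster_config: dict) -> tuple[str, dict]:
    """Return (variant, body); a missing field defaults to singleUser: {}."""
    auth = cluster_config.get("authorization")
    if auth is None:
        return "singleUser", {}
    unknown = set(auth) - set(VARIANTS)
    if unknown:
        raise ValueError(f"unknown authorization variant(s): {sorted(unknown)}")
    chosen = [v for v in VARIANTS if v in auth]
    if len(chosen) != 1:
        raise ValueError("authorization must set exactly one of opa/singleUser/standard")
    return chosen[0], auth[chosen[0]] or {}


def uses_ldap(cluster_config: dict) -> bool:
    # Simplification (assumption): the AuthenticationClass is named "ldap".
    return any(a.get("authenticationClass") == "ldap"
               for a in cluster_config.get("authentication", []))


def upgrade_findings(cluster_config: dict) -> list[str]:
    """Human-readable reasons why this clusterConfig needs action after the PR."""
    findings = []
    variant, body = effective_authorization(cluster_config)
    if variant == "standard":
        admin = (body.get("accessPolicyProvider", {})
                     .get("fileBased", {})
                     .get("initialAdminUser"))
        if not admin:
            findings.append("standard: accessPolicyProvider.fileBased.initialAdminUser is required")
    if uses_ldap(cluster_config) and variant == "singleUser":
        findings.append("LDAP without OPA now requires authorization.standard with an initialAdminUser")
    return findings


# Constructed sample specs: a pre-PR LDAP cluster and its migrated form.
LEGACY_LDAP = {"authentication": [{"authenticationClass": "ldap"}]}
MIGRATED_LDAP = {
    "authentication": [{"authenticationClass": "ldap"}],
    "authorization": {"standard": {"accessPolicyProvider": {"fileBased": {
        "initialAdminUser": "CN=admin,OU=admin-group,DC=example,DC=org"}}}},
}
OPA_LDAP = {"authentication": [{"authenticationClass": "ldap"}],
            "authorization": {"opa": {}}}
```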

@maltesander maltesander added this pull request to the merge queue Jan 14, 2026
@maltesander maltesander moved this from Development: In Review to Development: Done in Stackable Engineering Jan 14, 2026
Merged via the queue into main with commit 7b27aa5 Jan 14, 2026
12 checks passed
@maltesander maltesander deleted the feat/rework-authorization-config branch January 14, 2026 13:58