Authorization #72

Closed
oscar60310 opened this issue Sep 14, 2022 · 0 comments · Fixed by #76
oscar60310 commented Sep 14, 2022

What’s the problem you're trying to solve

After #71, we have profiles for data sources, and we want to do access control for them. For example, admin users can access the pg-admin profile, but non-admin users can only access the pg-no-admin profile.

Describe the solution you’d like

We can implement a sample attribute-based access control (ABAC) for our profiles.

  1. For each profile, we can set the allow property to indicate what attributes users should have.
     For example, only the user with name admin can access this profile:

     ```yaml
     - name: 'pg-admin'
       driver: 'pg'
       connection: xx
       allow:
         - name: admin
     ```
  2. Attribute filters are also supported. For example, the user should have an attribute group and its value should be admin:

     ```yaml
     - name: 'pg-admin'
       driver: 'pg'
       connection: xx
       allow:
         - attribute:
             name: group
             value: admin
     ```
  3. Wildcards are supported.

     ```yaml
     - name: 'pg-admin'
       driver: 'pg'
       connection: xx
       allow:
         - name: admin-*
     ```
  4. Fields in a single allow condition are combined with AND logic.
     Only the user who has name admin and has a group attribute with value admin can access this profile.

     ```yaml
     - name: 'pg-admin'
       driver: 'pg'
       connection: xx
       allow:
         - name: admin
           attribute:
             name: group
             value: admin
     ```
     Multiple allow conditions are combined with OR logic.
     admin, someoneelse, and those who have a group attribute with value admin can access this profile.

     ```yaml
     - name: 'pg-admin'
       driver: 'pg'
       connection: xx
       allow:
         - name: admin
         - name: someoneelse
         - attribute:
             name: group
             value: admin
     ```
  5. We can specify multiple profiles on a single schema now; from top to bottom, users use the first qualified profile. If users can't use any of them, a 403 error should be thrown.

Additional context
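The matching rules proposed above (AND within one allow condition, OR across conditions, `*` wildcards on names, first qualified profile wins, otherwise 403), as an added TypeScript example that is not Vulcan SQL's own code; the type names, the `User` shape with an `attr` map, the fail-closed treatment of a profile without `allow`, and the sample profiles are assumptions.

```typescript
// Added example (not Vulcan SQL's code): resolver for the profile allow rules in this issue.
interface AttributeRule { name: string; value: string }
interface AllowCondition { name?: string; attribute?: AttributeRule }
interface Profile { name: string; driver: string; connection: unknown; allow?: AllowCondition[] }
interface User { name: string; attr: Record<string, string> } // assumed user shape

// Escape regex metacharacters so everything except '*' in a pattern is literal.
function escapeRegExp(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// '*' matches any run of characters (so 'admin-*' matches 'admin-1' but not 'admin').
function matchName(pattern: string, name: string): boolean {
  const re = new RegExp('^' + pattern.split('*').map(escapeRegExp).join('.*') + '$');
  return re.test(name);
}

// Fields inside one condition are ANDed: every field that is present must match.
function conditionMatches(cond: AllowCondition, user: User): boolean {
  if (cond.name !== undefined && !matchName(cond.name, user.name)) return false;
  if (cond.attribute !== undefined && user.attr[cond.attribute.name] !== cond.attribute.value) return false;
  return true;
}

// Conditions in the allow list are ORed. A profile with no allow list denies everyone
// (assumption: fail closed rather than open).
function profileAllows(profile: Profile, user: User): boolean {
  return (profile.allow ?? []).some((c) => conditionMatches(c, user));
}

// Walk the schema's profiles top to bottom; the first qualified profile wins, otherwise 403.
function resolveProfile(profiles: Profile[], user: User): Profile {
  const hit = profiles.find((p) => profileAllows(p, user));
  if (!hit) { const e = new Error('Forbidden') as Error & { status: number }; e.status = 403; throw e; }
  return hit;
}

// Constructed sample schema: admins (by name or by group attribute) get pg-admin, everyone else pg-no-admin.
const PROFILES: Profile[] = [
  { name: 'pg-admin', driver: 'pg', connection: 'xx', allow: [{ name: 'admin' }, { attribute: { name: 'group', value: 'admin' } }] },
  { name: 'pg-no-admin', driver: 'pg', connection: 'xx', allow: [{ name: '*' }] },
];
console.log(resolveProfile(PROFILES, { name: 'bob', attr: { group: 'dev' } }).name); // pg-no-admin
```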

@oscar60310 oscar60310 self-assigned this Sep 14, 2022
@oscar60310 oscar60310 moved this to Backlog in Vulcan SQL Roadmap Sep 14, 2022
@oscar60310 oscar60310 moved this from Backlog to Committed in Vulcan SQL Roadmap Sep 14, 2022
@oscar60310 oscar60310 moved this from Committed to In process in Vulcan SQL Roadmap Sep 16, 2022
@oscar60310 oscar60310 linked a pull request Sep 16, 2022 that will close this issue
@oscar60310 oscar60310 moved this from In process to Done in Vulcan SQL Roadmap Sep 23, 2022
@oscar60310 oscar60310 moved this from Done to Released in Vulcan SQL Roadmap Sep 28, 2022