IAM: Open Policy Agent integration #3788

Merged
merged 308 commits into from
Dec 23, 2021

Contributor

@nmanovic nmanovic commented Oct 11, 2021

Resolve #3950
Resolve #2093
Resolve #2708
Resolve #2937
Resolve #3482
Resolve #3318
Resolve #3247
Resolve #3245
Resolve #3151
Resolve #2681
Resolve #1578
Resolve #1030
Resolve #317
Resolve #1835
Resolve #3969

Motivation and context

  1. Integrated Open Policy Agent to manage permissions. OPA is run as a separate microservice and handles input requests. Basically it responds with Allow/Deny.
  2. Added Organization, Membership, Invitation concepts to manage permissions for different objects (e.g. tasks, jobs, projects, etc).
  3. Removed the auth application together with rule-based permissions.
  4. Added the cvat.apps.iam application, which has the logic to work with OPA.
  5. Migrated to the next version of Django and Rest framework.

How has this been tested?

Added tests for policies and adjusted REST API tests

Checklist

  • I submit my changes into the develop branch
  • I have added description of my changes into CHANGELOG file
  • I have added tests to cover my changes
  • I have linked related issues (read github docs)

License

  • I submit my code changes under the same MIT License that covers the project.
    Feel free to contact the maintainers if that's a concern.
  • I have updated the license header for each file (see an example below)
# Copyright (C) 2021 Intel Corporation
#
# SPDX-License-Identifier: MIT

bsekachev and others added 22 commits October 7, 2021 15:40
+ org=slug and org_id=id
+ disable pagination for organization
Organization.contact (now supported in django, django-rest)
framework (otherwise need to implement methods to translate "worker" <->
"W")
@nmanovic
Contributor Author

@nmanovic One more question: In my case it's possible to upload annotation from the Task view, but impossible from Job view for own or assigned tasks and non-admin users.

Just forgot to add 'import:annotations' scope into jobs.rego. Now it should work. Please don't forget after each update of rego rules to restart cvat_opa.
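
The decision flow from the PR description (OPA as a separate service answering Allow/Deny) and the missing-scope case from the comment above, as an added example that is not code from this PR or from CVAT. It uses OPA's REST Data API (`POST /v1/data/<path>`); the policy path `jobs/allow`, the input document shape, the `http://opa:8181` address and the `fake_opa` stand-in are assumptions made for illustration.

```python
import json
import urllib.request

OPA_URL = "http://opa:8181"  # assumed address of the OPA service


def http_post_json(url, payload, timeout=2.0):
    """Default transport: POST a JSON body and return the decoded JSON reply."""
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def is_allowed(policy_path, input_doc, post=http_post_json, base_url=OPA_URL):
    """Query OPA for a decision; anything except a literal True is a deny."""
    url = f"{base_url}/v1/data/{policy_path}"
    try:
        body = post(url, {"input": input_doc})
    except (OSError, ValueError):
        # OPA unreachable, timed out, or replied with non-JSON: fail closed.
        return False
    # OPA omits "result" when the rule is undefined for this input, which is
    # what happens when a policy has no rule covering the requested scope.
    return isinstance(body, dict) and body.get("result") is True


# Constructed stand-in for OPA so the example runs offline. It mimics a policy
# that only has rules for the scopes listed here (hypothetical rule set).
POLICY_SCOPES = {"view", "update:annotations"}


def fake_opa(url, payload):
    doc = payload["input"]
    if doc["scope"] not in POLICY_SCOPES:
        return {}  # rule undefined: no "result" key in the reply
    return {"result": doc["user"]["id"] == doc["resource"]["owner_id"]}


def opa_down(url, payload):
    raise ConnectionRefusedError("constructed failure: OPA not reachable")
```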

@dvkruchinin
Contributor

Hi @nmanovic,
Found a problem when running a test for Email verification system.

Could not fetch organizations list
Error: Request failed with status code 401. {"detail":"Authentication credentials were not provided."}.
e @ cvat-app.tsx:284

It is reproduced when building a CVAT with support for this system. How it's done in nightly.

How to reproduce:

  1. Build CVAT with support for the Email verification system.
  2. Try to register a user.

@bsekachev
Member

Hi @nmanovic, Found a problem when running a test for Email verification system.

Could not fetch organizations list
Error: Request failed with status code 401. {"detail":"Authentication credentials were not provided."}.
e @ cvat-app.tsx:284

It is reproduced when building a CVAT with support for this system. How it's done in nightly.

How to reproduce:

  1. Build CVAT with support for the Email verification system.
  2. Try to register a user.

I'll take a look into the issue, thanks

@bsekachev
Member

@dvkruchinin

Should be fixed now

@dvkruchinin
Contributor

Should be fixed now

@bsekachev
Yes, now it's working. But need to fix the appropriate test. I did it in PR #4065

@nmanovic
Contributor Author

@dvkruchinin, another test failed: https://github.com/openvinotoolkit/cvat/runs/4611629268?check_suite_focus=true. Is it a problem with the tests themselves or a bug? Could you please investigate?

@nmanovic nmanovic merged commit 4708b5e into develop Dec 23, 2021
@nmanovic nmanovic deleted the nm/opa_integration branch December 23, 2021 03:47
@leeyh20

leeyh20 commented Dec 26, 2021

Hi, how do we migrate to the version of CVAT that makes use of this IAM?

@nmanovic
Contributor Author

I have made an alpha release with IAM: https://github.com/openvinotoolkit/cvat/releases/tag/v2.0.0-alpha. Basically, a new version of CVAT with the feature will be released in Q1'22. You can try it right now. Just download the develop branch and run the usual steps to build and deploy CVAT. I would not recommend running this version in production for now. My team will test the patch on an internal server this year and on cvat.org next year, and implement more tests to cover the new functionality at the beginning of next year.
