@dmbaturin dmbaturin commented Aug 21, 2025

Change summary

Introduces a CLI for creating local operator-level users.

This PR adds the following commands:

  • set system login operator-group <name> command-policy allow <cmd> — allows creating permission groups that limit operator users to specific sets of commands.
  • set system login user <name> operator group <name> — allows assigning operator-level users to groups.

Every operator-level user must be assigned to at least one group. The default config is updated to include a default operator group that allows all commands.

Operator user permissions are saved to a data file at commit time:

vyos@vyos# cat /etc/vyos/operators.json | jq
{
  "users": {
    "bofh": [
      "default"
    ],
    "pfy": [
      "Test"
    ]
  },
  "groups": {
    "default": {
      "command_policy": {
        "allow": [
          [
            "*"
          ]
        ]
      }
    },
    "Test": {
      "command_policy": {
        "allow": [
          [
            "show"
          ],
          [
            "reset",
            "*",
            "ipsec"
          ]
        ]
      }
    }
  }
}

The new operational command runner (/usr/bin/vyos-op-run) then uses that file to check command permissions.

This PR does not allow retrieving user level information from remote authentication sources like RADIUS — we'll need to work out the details there.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

How to test / Smoketest result

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly
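As an added illustration (not the project's vyos-op-run code), the following Python shows the kind of permission check the operators.json layout above implies. The sample data repeats the users and groups from the description; the matching semantics (each allow entry is a positional prefix of the command, "*" matches any single word, deny by default) are assumptions of this example, not documented behaviour.

```python
import json
from typing import List

# Constructed sample in the layout of the operators.json shown in the PR
# description. Assumption of this example: patterns are positional prefixes
# of the command and "*" matches exactly one word.
OPERATORS_JSON = """
{
  "users": {"bofh": ["default"], "pfy": ["Test"]},
  "groups": {
    "default": {"command_policy": {"allow": [["*"]]}},
    "Test": {"command_policy": {"allow": [["show"], ["reset", "*", "ipsec"]]}}
  }
}
"""


def pattern_matches(pattern: List[str], words: List[str]) -> bool:
    """A pattern matches when it is a positional prefix of the command words,
    with "*" standing for any single word. An empty pattern never matches, so
    a malformed [] entry cannot silently allow every command."""
    if not pattern or len(pattern) > len(words):
        return False
    return all(p == "*" or p == w for p, w in zip(pattern, words))


def is_allowed(operators: dict, user: str, command: str) -> bool:
    """Deny by default: unknown users, users with no groups, unknown groups
    and malformed policies all yield False instead of raising."""
    words = command.split()
    if not words:
        return False
    for group in operators.get("users", {}).get(user, []):
        policy = operators.get("groups", {}).get(group, {}).get("command_policy", {})
        for pattern in policy.get("allow", []):
            if isinstance(pattern, list) and pattern_matches(pattern, words):
                return True
    return False


OPERATORS = json.loads(OPERATORS_JSON)

if __name__ == "__main__":
    for user, cmd in [("bofh", "configure"), ("pfy", "show interfaces"),
                      ("pfy", "reset vpn ipsec"), ("pfy", "reset vpn")]:
        verdict = "allow" if is_allowed(OPERATORS, user, cmd) else "deny"
        print(f"{user}: {cmd!r} -> {verdict}")
```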

github-actions bot commented Aug 21, 2025

👍
No issues in PR Title / Commit Title

@github-actions

CI integration ❌ failed!

CI logs

  • CLI Smoketests (no interfaces) ❌ failed
  • CLI Smoketests VPP ❌ failed
  • CLI Smoketests (interfaces only) ❌ failed
  • Config tests ❌ failed
  • Config tests VPP ❌ failed
  • RAID1 tests ❌ failed
  • TPM tests ❌ failed

@dmbaturin dmbaturin marked this pull request as ready for review August 26, 2025 12:04
@jestabro jestabro left a comment

Ready for general testing.

@dmbaturin dmbaturin merged commit 133cb0c into vyos:current Aug 28, 2025
19 of 21 checks passed
@vyosbot vyosbot added mirror-initiated This PR initiated for mirror sync workflow mirror-completed and removed mirror-initiated This PR initiated for mirror sync workflow labels Aug 28, 2025