Draft: 931 feature add role based access control to running workflows

[eenblam]

Here's my first pass at adding auth for inputstep per #931.

I'd appreciate feedback on my present approach, but I'd also like to address the following loose ends before merging:

• Adding tests for how @workflow auth interacts with @inputstep auth and resolving any issues identified in the process.
• Logging step in which an error was encountered if possible (see TODO in current changes)
• Ensure UI is either disabled or user is alerted before hitting Resume Workflow if possible. Current changes only address the backend authorization.

[codspeed-hq]

CodSpeed Performance Report

Merging #939 will not alter performance

_{Comparing 931-feature-add-role-based-access-control-to-running-workflows (dbd45ed) with main (cbdf950)}

Summary

✅ 12 untouched benchmarks

[codecov]

Codecov Report

Attention: Patch coverage is 72.91667% with 13 lines in your changes missing coverage. Please review.

Project coverage is 83.86%. Comparing base (f0677d1) to head (dbd45ed).
Report is 20 commits behind head on main.

Files with missing lines	Patch %	Lines
orchestrator/api/api_v1/endpoints/processes.py	62.06%	8 Missing and 3 partials ⚠️
orchestrator/services/celery.py	0.00%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #939      +/-   ##
==========================================
+ Coverage   83.49%   83.86%   +0.37%     
==========================================
  Files         205      211       +6     
  Lines       10206    10220      +14     
  Branches     1022     1008      -14     
==========================================
+ Hits         8521     8571      +50     
+ Misses       1414     1382      -32     
+ Partials      271      267       -4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[eenblam]

I can see different arguments for what to name these. For now, I've chosen to not change Alex's naming of authorize_callback in case it's already in use downstream, but I'm open to feedback on how best to name the following callbacks. Each is a function implementing a RBAC policy.

• authorize_callback: called when a user starts a workflow.
• resume_auth_callback: called when a user resumes a workflow paused by an inputstep. "resume_authorize_callback" felt a bit unwieldy, but I'm open to it if we want to maintain authorize_callback AND make them match.
• retry_auth_callback: called when a failed step is retried. Arg to both @workflow and @inputstep.