refactor: authz provider implementation and authz users basic implementation

[NicholasBlaskey]

Description

Refactor the user api both echo and grpc to use the new authz pattern.

Test Plan

existing e2e tests + new integration tests

Commentary (optional)

Checklist

• User-facing API changes need the "User-facing API Change" label.
• Release notes should be added as a separate file under docs/release-notes/.
  See Release Note for details.
• Licenses should be included for new code which was copied and/or modified from any external code.
• If modifying /webui/react/src/shared/ verify make -C webui/react test-shared passes.

[netlify]

✅ Deploy Preview for determined-ui canceled.

Name	Link
🔨 Latest commit	4373c8d
🔍 Latest deploy log	https://app.netlify.com/sites/determined-ui/deploys/62eaef3fad73650008960767

[eecsliu]

Looks good! Couple of questions below

[eecsliu]

no check for if the user can patch other users?

[NicholasBlaskey]

PatchUser in grpc I think only allows for setting a users display name currently

The check for setting other use display names is in CanSetUsersDisplayName I think?

[eecsliu]

It seems like knownAuthZTypes can be remade if this is called more than once? Should be locked down with a once like in the provider

[NicholasBlaskey]

There is a nil check for knownAuthZTypes above -- which I missed for like a couple minutes wondering how it even worked lol

[eecsliu]

oh lmao I'm just blind

[eecsliu]

Is this dependent on Ilia's authz work? Would you want to merge this into rbac-user-groups branch on top of his changes before merging all of the user groups stuff into master together?

[NicholasBlaskey]

Is this dependent on Ilia's authz work? Would you want to merge this into rbac-user-groups branch on top of his changes before merging all of the user groups stuff into master together?

Ilia's authz work is already in this PR and I think I would rather to keep commit history cleaner keeping this change separate?

Also I think I changed my mind about CanGetUser not returning an error. I am thinking it would be pretty bad UX for a user to like try to do an operation on another user and get not found when they should get a database failure error. I'm going to make CanGetUser return (canViewUser bool, serverError error) to try and make it clear that an error shouldn't be returned for denying viewing a user.