Deploy wrapper RegoRules for the UserInfoFetcher

[fhennig]

As a user of the UIF I would like to simply use RegoRules to use the UIF, instead of having to do the HTTP calls myself.

• How do we deploy these rules?

The rules and how to use them need to be documented and a decision needs to be created.

[fhennig]

My suggestion on how to do this:

Have a ready-to-go (or slightly templated) .rego file that the operator has, and if the userInfo bit is configured, the .rego file gets added to all the bundles. Maybe we can do this, by having the operator deploy a ConfigMap that the bundle=true annotation and the rules inside of the ConfigMap?

[maltesander]

In the trino tests we have the UIF call here https://github.com/stackabletech/trino-operator/blob/0a1545ff371190b8d237f994bba4266fc962f774/tests/templates/kuttl/opa-authorization/trino_policies.rego#L291 and wrap it into extra_groups in the the permissions here https://github.com/stackabletech/trino-operator/blob/0a1545ff371190b8d237f994bba4266fc962f774/tests/templates/kuttl/opa-authorization/trino_rules/actual_permissions.rego#L43.

We could extract that into its own rego (util) file and be imported by other policies?

[NickLarsenNZ]

I would suggest it being a specific rego file, rather than a generic util file, because:

• util as a name of a modules is not a very helpful description to the end user (it can be useful when any other suitable name doesn't exist, or there are then too many things).
• It would likely be a breaking change if we do end up with more utilities and want to break them out.

Some suggestions on what the end-user rego imports could look like:

import utils.uif
import utils.authorization
import stackable.uif
import stackable.authorization

---

Edit: #580 goes with package stackable.opa.userinfo.v1 which resolves this comment nicely.