[IA-5060] Inherit manager roles to notebook-cluster and persistent-disk

[rtitle]

Ticket: https://broadworkbench.atlassian.net/browse/IA-5060

What:

Phase 1 of the Simplify Leo Access Control epic.

This PR:

• Allows notebook-cluster and perstistent-disk resource types to inherit from google-project or workspace.
• Makes notebook-cluster/connect and persistent-disk/attach actions auth domain constrainable.

Why:

We are trying to clean up/simplify Leonardo access control logic. Part of this is standardizing on consistent Sam resource types and using inheritance to propagate permissions. This PR sets up the Sam model; subsequent Leonardo changes will be made to migrate to it.

---

PR checklist

• I've followed the instructions if I've made any changes to the API, especially if they're breaking changes
• I've filled out the Security Risk Assessment (requires Broad Internal network access) and attached the result to the JIRA ticket

[rtitle]

read is just used for listing disks; attach is needed to actually view the contents of a disk

[LizBaldo]

I am a bit confused about how granular the authDomainConstrainable is here. I thought that every resources / actions would inherit that configuration from the workspace after Doug's PR

[rtitle]

My understanding was you still have to annotate which actions on the child are authDomainConstrainable (like connect). @dvoet can you confirm?

[dvoet]

@rtitle is correct. The auth domain is inherited but which actions have the auth domain applied is controlled by the authDomainConstrainable setting.

[rtitle]

VERY draft Leo PR to start creating Sam resources with parents (phase 2): DataBiosphere/leonardo#4781

I'll try to test these together next week.

[sonarcloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[rtitle]

@LizBaldo requested review on this PR. I tested on a BEE and verified that all the resources (runtime, disk, app) continue to work normally.

[ungwudik]

@rtitle or anyone here - Is the failure in orch-swat-test-job (dev, qa) a known issue or flakiness?

[rtitle]

@ungwudik I noticed that, the Orch test failed with:

[info] - should link an eRA Commons account with access to none of the supported closed-access datasets *** FAILED *** (4 seconds, 225 milliseconds)
[info]   org.broadinstitute.dsde.workbench.service.RestException: {"causes":[],"message":"<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n<meta charset=\"utf-8\">\n<title>Error</title>\n</head>\n<body>\n<pre>Cannot GET /dev/public-key.pem</pre>\n</body>\n</html>\n","source":"shibboleth","stackTrace":[],"statusCode":404}

Looks like the Orch swat test failed to get a dev shibboleth endpoint. This PR didn't touch anything related to orch/shibboleth. I'm not sure if this is a known dev infra issue? (cc @tlangs)