Closed dhirajsb closed 2 days ago
@guicassolato I was thinking back to an authorization requirement we had in managed openshift connectors, where we were authorizing against an org field in JWT, and a groups claim. I'm wondering whether we should support the following scenarios as well:
* Groups selector could resolve to a single scalar string
* Multiple groups selectors are needed to aggregate a list of groups
@dhirajsb, I think it should be straightforward and match the SAR API, i.e., `authorizationGroups` always resolves to an array of strings.
For cases like the one you described, one can always use CEL. E.g., the following resolves to a list containing a single string equal to the org name used as group.
```yaml
authorizationGroups:
  expression: [auth.identity.org_name]
```
Because it's CEL, we can do fancy stuff. E.g.: `[auth.identity.org_name] + auth.identity.groups`.
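The following is an added example, not code from this thread or from the project under discussion. It shows in plain Go what the CEL expression `[auth.identity.org_name] + auth.identity.groups` computes for a set of JWT claims, and normalizes the two cases raised above (a groups claim that is a single scalar string, and a missing groups claim) into the flat `[]string` the SubjectAccessReview API expects. The `SubjectAccessReviewSpec` struct is a local stand-in for the real `k8s.io/api/authorization/v1` type, the claim names `sub`, `org_name` and `groups` are assumed, and the sample payloads are constructed, not real tokens.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// SubjectAccessReviewSpec is a local stand-in (an assumption for this example)
// for the user/groups fields of the Kubernetes authorization.k8s.io/v1
// SubjectAccessReview spec; the real type lives in k8s.io/api/authorization/v1.
type SubjectAccessReviewSpec struct {
	User   string   `json:"user"`
	Groups []string `json:"groups,omitempty"`
}

// groupsFromClaims computes what the CEL expression
// [auth.identity.org_name] + auth.identity.groups yields for the given claims:
// the org name first, then the groups claim, always as a flat list of strings
// because the SAR API accepts nothing else. A groups claim that is a single
// string is promoted to a one-element list; a missing groups claim adds nothing.
func groupsFromClaims(claims map[string]any) ([]string, error) {
	var groups []string

	org, ok := claims["org_name"].(string)
	if !ok || org == "" {
		return nil, errors.New("org_name claim missing or not a non-empty string")
	}
	groups = append(groups, org)

	switch g := claims["groups"].(type) {
	case nil:
		// no groups claim: the org alone is the group list
	case string:
		groups = append(groups, g)
	case []any: // JSON arrays decode to []any
		for _, v := range g {
			s, isStr := v.(string)
			if !isStr {
				return nil, fmt.Errorf("groups claim contains non-string element %v", v)
			}
			groups = append(groups, s)
		}
	default:
		return nil, fmt.Errorf("groups claim has unsupported type %T", g)
	}
	return groups, nil
}

// sarSpecFromClaimsJSON decodes a JWT claims document (payload only; signature
// verification is assumed to have happened upstream) and fills the SAR spec.
func sarSpecFromClaimsJSON(payload []byte) (SubjectAccessReviewSpec, error) {
	var claims map[string]any
	if err := json.Unmarshal(payload, &claims); err != nil {
		return SubjectAccessReviewSpec{}, err
	}
	sub, ok := claims["sub"].(string)
	if !ok || sub == "" {
		return SubjectAccessReviewSpec{}, errors.New("sub claim missing")
	}
	groups, err := groupsFromClaims(claims)
	if err != nil {
		return SubjectAccessReviewSpec{}, err
	}
	return SubjectAccessReviewSpec{User: sub, Groups: groups}, nil
}

func main() {
	// Constructed sample payloads, not real tokens.
	samples := [][]byte{
		[]byte(`{"sub":"alice","org_name":"acme","groups":["dev","ops"]}`),
		[]byte(`{"sub":"bob","org_name":"acme","groups":"dev"}`),
		[]byte(`{"sub":"carol","org_name":"acme"}`),
		[]byte(`{"sub":"dave","org_name":"acme","groups":[1,2]}`),
	}
	for _, s := range samples {
		spec, err := sarSpecFromClaimsJSON(s)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		out, _ := json.Marshal(spec)
		fmt.Println(string(out))
	}
}
```

The last sample is rejected rather than silently coerced: a non-string element in the groups claim would otherwise end up as an empty or bogus group name in the SAR, which is the kind of input a permissive evaluator turns into an unexpected allow.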
I was thinking about CEL after I wrote that comment, but wasn't sure how capable it was. Good to know we can cover fairly complex use cases with it. :+1:
Thanks for testing a built version @guicassolato. I'm also working on testing this locally with a modified model registry. I'll let you know if I run into any issues.