dCache / dcache

dCache - a system for storing and retrieving huge amounts of data, distributed among a large number of heterogeneous server nodes, under a single virtual filesystem tree with a variety of standard access methods
https://dcache.org

Support storage.stage JWT scope claim with TAPE REST API #7037

Open alrossi opened 1 year ago

alrossi commented 1 year ago

The next version of the WLCG JWT and TAPE APIs will require stage protection support based on the stage claim:

WLCG JWT profile: storage.stage: Read the data, potentially causing data to be staged from a nearline resource to an online resource. This is a superset of storage.read.

We will need to add an Activity to Restriction and pass the authorization downstream so that the Transfer setAllowStaging(boolean isAllowed) is set.

paulmillar commented 1 year ago

I was actually thinking a slightly different route.

Somewhat similar to how we have the ExemptFromNamespaceChecks principal for switching off namespace checks, we could add a new principal: the TapeAuthz principal. In situations where the token has explicit authz statements, this principal would be added.

Unlike ExemptFromNamespaceChecks, the TapeAuthz principal would carry tape staging authz information: it could either allow the current user to stage data from tapes, or deny the user.

The tape authz within PoolManager would be updated to see if this principal exists. If so, it defers the tape stage AuthZ decision to the TapeAuthZ principal.

This way, we avoid having to extend restriction.
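Both comments above describe the same decision from different angles: alrossi's, a `storage.stage` entry in the token's `scope` claim must translate into whether staging is allowed for a transfer; paulmillar's, that decision should be carried as an explicit allow/deny attached to the session only when the token actually makes storage authz statements, and otherwise left to the existing PoolManager logic. The following is an added, self-contained example of that evaluation logic; it is not dCache code and does not reflect how `Restriction` or the proposed `TapeAuthz` principal are implemented. It assumes the WLCG JWT profile's space-separated `scope` claim, in which an entry may be qualified with a path prefix (`storage.stage:/some/dir`), and the only hierarchy it encodes is the one stated in the issue, that `storage.stage` is a superset of `storage.read`. The function and class names are hypothetical.

```python
"""Illustrative evaluation of the WLCG 'storage.stage' scope claim.

Added example; not part of dCache. The token below is constructed
for the demonstration, not captured from a real issuer.
"""
from dataclasses import dataclass
from typing import Optional

# Superset relation stated in the WLCG JWT profile (and in the issue):
# holding storage.stage also grants storage.read. Other storage.*
# activities are treated as standing for themselves only.
IMPLIES = {
    "storage.stage": frozenset({"storage.stage", "storage.read"}),
}


@dataclass(frozen=True)
class ScopeEntry:
    activity: str  # e.g. "storage.stage"
    path: str      # namespace prefix the entry applies to; "/" = whole tree


def parse_scope(scope: str) -> list[ScopeEntry]:
    """Parse a space-separated scope claim into (activity, path) entries.

    An entry without a ':/path' qualifier applies to the whole namespace.
    A qualifier that is not an absolute path is rejected rather than
    silently widened to '/'.
    """
    entries = []
    for token in scope.split():
        activity, sep, path = token.partition(":")
        if not sep:
            path = "/"
        if not path.startswith("/"):
            raise ValueError(f"malformed scope entry: {token!r}")
        # Normalise trailing slashes so "/tape/exp/" and "/tape/exp" match alike.
        entries.append(ScopeEntry(activity, path.rstrip("/") or "/"))
    return entries


def _covers(prefix: str, path: str) -> bool:
    """True when `path` lies at or below `prefix` on a path-component boundary."""
    if prefix == "/":
        return True
    return path == prefix or path.startswith(prefix + "/")


def permits(entries: list[ScopeEntry], activity: str, path: str) -> bool:
    """Deny by default: True only if some entry grants `activity` for `path`."""
    for entry in entries:
        granted = IMPLIES.get(entry.activity, frozenset({entry.activity}))
        if activity in granted and _covers(entry.path, path):
            return True
    return False


def staging_decision(claims: dict, path: str) -> Optional[bool]:
    """Map a token to the value a Transfer.setAllowStaging()-style flag needs.

    Returns True/False when the token carries explicit storage authz
    statements (the case where a TapeAuthz-like principal would be added),
    and None when it carries none, meaning the caller should fall back to
    its existing, non-token-based tape authorization.
    """
    entries = [e for e in parse_scope(claims.get("scope", ""))
               if e.activity.startswith("storage.")]
    if not entries:
        return None
    return permits(entries, "storage.stage", path)


if __name__ == "__main__":
    # Constructed claim set: read everywhere, staging only under /tape/exp.
    token = {"sub": "user1", "scope": "openid storage.read:/ storage.stage:/tape/exp"}
    for p in ("/tape/exp/run1/file.root", "/tape/other/file.root"):
        print(p, "stage allowed:", staging_decision(token, p))
    print("no storage scopes ->", staging_decision({"scope": "openid"}, "/tape/exp"))
```

The `None` return is the point of paulmillar's proposal: a token that says nothing about storage must not be read as a denial, while a token that does make storage statements carries its own allow/deny decision, so a bare `storage.read` token yields an explicit `False` for staging.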