divviup / janus

Experimental implementation of the Distributed Aggregation Protocol (DAP) specification.
Mozilla Public License 2.0

Multitenant aggregator API #1504

Closed tgeoghegan closed 3 weeks ago

tgeoghegan commented 1 year ago

Neither Janus nor its aggregator API has any notion of users or accounts; such things exist only at the divviup-api/control plane layer. However, the self-service task provisioning scheme in #1486 suggests that Divvi Up subscribers can easily opt into a mostly automated scheme for task provisioning if they expose a portion of the aggregator API to Divvi Up.

This works fine if the helper deployed by a subscriber is only ever used with Divvi Up, but should an organization want to expose a single Janus instance to multiple peer aggregators (i.e., make it multitenant), then this is inadequate, because one tenant would be able to see and even delete tasks created by another.

Divvi Up fixes this by not exposing the aggregator API to the internet; instead, we wrote our own control plane layer (divviup-api). Subscribers could also do that if they want to go multitenant. But we could also explore enriching Janus' conception of task ownership and the scope of the aggregator API tokens so that Janus could be multitenant out of the box.

branlwyd commented 3 weeks ago

I think we should plan to keep the concept of different users at the Divvi Up level.

We have one place in our deployed environments where this might have been handy -- however, even there, we are discussing exposing the relevant portion of the Aggregator API via a Divvi Up-aware "proxy". I think we should lean towards that if we want to expose the Aggregator API in general.
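
The following is an added example, not part of the thread and not Janus or divviup-api code. It models the token-scoped task ownership discussed above, whether enforced in the aggregator or in a proxy in front of it: each task records the tenant whose token created it, and listing and deletion are filtered by that owner. `TaskStore`, `ApiError`, and the token, tenant and task values are hypothetical names constructed for illustration.

```rust
use std::collections::HashMap;

// Hypothetical model for illustration; these are not Janus or divviup-api types.
#[derive(Debug, PartialEq)]
pub enum ApiError { Unauthenticated, NotFound, Conflict }

pub struct TaskStore {
    tokens: HashMap<String, String>, // bearer token -> tenant id (constructed values)
    tasks: HashMap<String, String>,  // task id -> owning tenant id
}

impl TaskStore {
    pub fn new(tokens: &[(&str, &str)]) -> Self {
        let tokens = tokens.iter().map(|(t, n)| (t.to_string(), n.to_string())).collect();
        TaskStore { tokens, tasks: HashMap::new() }
    }
    // Resolve the caller's tenant from its token; unknown tokens are rejected.
    fn tenant(&self, token: &str) -> Result<String, ApiError> {
        self.tokens.get(token).cloned().ok_or(ApiError::Unauthenticated)
    }
    // The owner is derived from the token, never from the request body.
    pub fn create(&mut self, token: &str, task_id: &str) -> Result<(), ApiError> {
        let owner = self.tenant(token)?;
        // Refuse to overwrite an existing task, whoever owns it.
        if self.tasks.contains_key(task_id) { return Err(ApiError::Conflict); }
        self.tasks.insert(task_id.to_string(), owner);
        Ok(())
    }
    // A tenant only ever sees the task ids it created.
    pub fn list(&self, token: &str) -> Result<Vec<String>, ApiError> {
        let tenant = self.tenant(token)?;
        let mut ids: Vec<String> = self.tasks.iter()
            .filter(|(_, owner)| **owner == tenant)
            .map(|(id, _)| id.clone())
            .collect();
        ids.sort();
        Ok(ids)
    }
    // Another tenant's task is reported as missing, so its existence is not revealed.
    pub fn delete(&mut self, token: &str, task_id: &str) -> Result<(), ApiError> {
        let tenant = self.tenant(token)?;
        if self.tasks.get(task_id) != Some(&tenant) { return Err(ApiError::NotFound); }
        self.tasks.remove(task_id);
        Ok(())
    }
}

fn main() {
    let mut store = TaskStore::new(&[("tok-a", "tenant-a"), ("tok-b", "tenant-b")]);
    store.create("tok-a", "task-1").unwrap();
    println!("{:?}", store.delete("tok-b", "task-1"));
}
```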