Open shreddd opened 3 hours ago
For a possible fix see: https://github.com/microbiomedata/nmdc-runtime/compare/main...workflow-queries-run

Note the possible fix is not complete - the `client_id` still needs to be cast as a User object, but it is a possible start of an approach.

We are running into an issue with the https://github.com/microbiomedata/nmdc_automation code, when it tries to make updates to NMDC mongo objects via the `/queries:run` endpoint. Since it is a workflow client it is not permitted to use this endpoint (the access token has `client:` in the prefix for `sub` instead of `user:`).

We would like to support workflow clients that have elevated privileges similar to users, where access is regulated by permissions on operations through the `_runtime.api.allow` collection in mongo.

Suggested improvement: Allow the `client:` prefix in https://github.com/microbiomedata/nmdc-runtime/blob/c4c4a8d08f88c7fed71d693c7d45c7cea4854db9/nmdc_runtime/api/models/user.py#L63 to extract the username, and delegate access management to the `/queries:run` endpoint, verifying user permissions in `_runtime.api.allow`.
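To make the two subject-handling behaviours described in the post concrete, the following is an added Python illustration; it is not code from nmdc-runtime or nmdc_automation and not the linked fix. The `Principal`, `authorize` and `is_allowed` names, and the `username`/`action` fields of the allow documents, are assumptions: the issue does not show the schema of `_runtime.api.allow`, so an in-memory list stands in for the collection.

```python
"""Illustration (not nmdc-runtime code) of the access-control split described
in the issue: the token's ``sub`` claim carries a typed principal
(``user:<name>`` or ``client:<id>``), and the per-operation permission check
is delegated to an allow list modelled on the ``_runtime.api.allow`` collection.

All function and field names here are assumptions made for this example.
"""
from dataclasses import dataclass

# Constructed stand-in for documents in ``_runtime.api.allow``.
# The real schema is not shown in the issue; ``username``/``action`` are assumed.
ALLOW_DOCS = [
    {"username": "alice", "action": "/queries:run"},
    {"username": "wf-automation", "action": "/queries:run"},
    {"username": "wf-readonly", "action": "/metadata:read"},
]


@dataclass(frozen=True)
class Principal:
    kind: str  # "user" or "client"
    name: str  # username, or the client_id for a workflow client


class Forbidden(Exception):
    pass


def principal_from_sub_user_only(sub: str) -> Principal:
    """Current behaviour as described in the issue: only ``user:`` subjects are
    recognised, so a workflow client token is rejected before any permission
    lookup happens."""
    prefix, sep, name = sub.partition(":")
    if sep != ":" or prefix != "user" or not name:
        raise Forbidden(f"unsupported subject: {sub!r}")
    return Principal("user", name)


def principal_from_sub(sub: str) -> Principal:
    """Proposed behaviour: accept both ``user:`` and ``client:`` prefixes and
    return a typed principal. Any other prefix is still rejected."""
    prefix, sep, name = sub.partition(":")
    if sep != ":" or prefix not in ("user", "client") or not name:
        raise Forbidden(f"unsupported subject: {sub!r}")
    return Principal(prefix, name)


def is_allowed(principal: Principal, action: str, allow_docs=ALLOW_DOCS) -> bool:
    """Permission check modelled on a lookup in ``_runtime.api.allow``: the
    principal is permitted only if an explicit document grants the action.
    Default is deny, for users and clients alike."""
    return any(
        d["username"] == principal.name and d["action"] == action
        for d in allow_docs
    )


def authorize(sub: str, action: str, allow_docs=ALLOW_DOCS) -> Principal:
    """Full proposed flow: parse the subject, then consult the allow list.
    Raises Forbidden unless both steps succeed."""
    principal = principal_from_sub(sub)
    if not is_allowed(principal, action, allow_docs):
        raise Forbidden(f"{principal.kind} {principal.name!r} may not perform {action}")
    return principal


if __name__ == "__main__":
    for sub in ("user:alice", "client:wf-automation", "client:wf-readonly", "svc:x"):
        try:
            p = authorize(sub, "/queries:run")
            print(f"{sub}: allowed as {p.kind} {p.name}")
        except Forbidden as e:
            print(f"{sub}: denied ({e})")
```

The point of keeping `principal_from_sub` and `is_allowed` separate is that widening the accepted prefixes does not by itself grant anything: a `client:` subject still needs an explicit allow document for `/queries:run`, so the elevated privilege is granted per operation rather than by token type.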