Role-based access control (RBAC)
At the time this issue is being filed, Zed is at commit 1ec7052.
A community zync user inquired about adding some RBAC-style permissions for accessing the Zed lake. A sketch of a possible design has been drafted along with proposed changes to the Zed lake HTTP API for administering it. A highlight of proposed permission levels:
- lake-level create: pool creation
- lake-level delete: pool deletion and vacuum
- lake-level pool read: grants pool-level read permission for all pools
- lake-level pool write: grants pool-level write permission for all pools
- pool-level read: read a pool's metadata and values (can extend by splitting into metadata and value read permissions as well as restricting to specific branches)
- pool-level write: create branches, add commits to any branch, delete any branch (can extend by splitting into create, commit, and delete permissions as well as restricting to specific branches)
We're not certain when formal design and implementation work on this will begin. However, I'm opening this issue as a place to collect ongoing community interest.
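The permission levels listed above, expressed as a deny-by-default check. This is an added Go sketch, not part of the original issue and not Zed's code or its drafted design. All type, constant and pool names are hypothetical, and it assumes pool-level write does not imply pool-level read, since the issue does not say it does.

```go
package main

import "fmt"

// Perm is a bit set of the permission levels listed in the issue.
// Every name here is hypothetical; none is a Zed identifier.
type Perm uint8

const (
	LakeCreate    Perm = 1 << iota // pool creation
	LakeDelete                     // pool deletion and vacuum
	LakePoolRead                   // pool-level read on every pool
	LakePoolWrite                  // pool-level write on every pool
	PoolRead                       // read one pool's metadata and values
	PoolWrite                      // create, commit to, or delete branches in one pool
)

// Grants holds one principal's permissions (constructed model).
type Grants struct {
	Lake  Perm            // lake-level bits
	Pools map[string]Perm // pool-level bits keyed by pool name
}

// Allowed reports whether g permits action. pool is ignored for
// lake-level actions. Anything not explicitly granted is denied, and
// write does not imply read (an assumption, see the lead-in).
func (g Grants) Allowed(action Perm, pool string) bool {
	switch action {
	case LakeCreate, LakeDelete:
		return g.Lake&action != 0
	case PoolRead:
		return g.Lake&LakePoolRead != 0 || g.Pools[pool]&PoolRead != 0
	case PoolWrite:
		return g.Lake&LakePoolWrite != 0 || g.Pools[pool]&PoolWrite != 0
	}
	return false // unknown or combined actions are refused
}

func main() {
	// Constructed sample principals.
	analyst := Grants{Lake: LakePoolRead}
	ingest := Grants{Pools: map[string]Perm{"logs": PoolWrite}}
	fmt.Println(analyst.Allowed(PoolRead, "logs"), analyst.Allowed(PoolWrite, "logs"))
	fmt.Println(ingest.Allowed(PoolWrite, "logs"), ingest.Allowed(PoolRead, "logs"))
	fmt.Println(ingest.Allowed(PoolWrite, "metrics"), ingest.Allowed(LakeDelete, ""))
}
```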