Design minimal auth with RBAC for the cluster #115

@vidas

User: system/person calling Nekko inference APIs.

  1. User should identify itself by using carrier token (acquired using developer console).

  2. User should be able to call inference endpoints when:

     • token is valid
     • token has corresponding role-based permissions to an action
     • token has corresponding role/ownership(?) based permissions to a resource (model, file, dataset etc.)
     • token hasn't expired
     • token wasn't revoked

  3. User should be able to enumerate accessible resources (e.g. /v1/models).

  4. User should not be able to access anything not listed above and get a corresponding error response.

  5. Preferably: token-based system should not require contacting the authentication or authorization system with each request (use JWT?). Revocation lists can be refreshed periodically, thus amortizing latency.

Expected outcome:
Design of an authentication/authorization solution that is ready to be implemented.
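One possible shape for the request-time check listed in this issue, as an added example that is not part of the original issue or of Nekko's code: the token is verified locally, and the revocation list is refetched only when the cached copy has aged out. The HS256 shared key, the claim names `jti`, `role` and `resources`, the role table and the model names are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time
KEY = b"constructed-demo-key"  # assumption: HS256 secret shared with the token issuer
MODELS = ["model-a", "model-b"]  # constructed resource names
ROLE_ACTIONS = {"viewer": {"models:list"}, "caller": {"models:list", "inference:call"}}  # hypothetical

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def _sign(signing_input):
    return hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()

def issue(claims):  # constructed stand-in for the developer console
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64(_sign(head + '.' + body))}"

class RevocationCache:
    """Revoked token ids, refetched only when the copy is max_age seconds old."""
    def __init__(self, fetch, max_age=60):
        self.fetch, self.max_age, self.loaded, self.ids = fetch, max_age, None, set()
    def contains(self, jti, now):
        if self.loaded is None or now - self.loaded >= self.max_age:
            self.ids, self.loaded = set(self.fetch()), now
        return jti in self.ids

def authorize(token, action, resource, revoked, now=None):
    """Return (HTTP status, reason) from local state only; anything unlisted is denied."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(_unb64(head)), json.loads(_unb64(body))
        if header.get("alg") != "HS256" or not isinstance(claims, dict) \
                or not hmac.compare_digest(_sign(head + "." + body), _unb64(sig)):
            return 401, "invalid token"
    except (ValueError, TypeError, AttributeError):
        return 401, "invalid token"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return 401, "token expired"
    if not claims.get("jti") or revoked.contains(claims["jti"], now):
        return 401, "token revoked"  # no jti means it could never be revoked
    if action not in ROLE_ACTIONS.get(claims.get("role"), set()):
        return 403, "action not permitted"
    if resource not in claims.get("resources", []):
        return 403, "resource not permitted"
    return 200, "ok"

def list_models(token, revoked, now=None):  # what /v1/models would return for this token
    return [m for m in MODELS if authorize(token, "models:list", m, revoked, now)[0] == 200]
```

With this layout a revoked token stays usable for at most `max_age` seconds, which is the latency trade-off the periodic refresh accepts.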
