allow ACL policies to be associated with workload identity #14140

Merged
merged 3 commits into from
Aug 22, 2022

Conversation

@tgross tgross commented Aug 16, 2022

The original design for workload identities and ACLs allows for operators to
extend the automatic capabilities of a workload by using a specially-named
policy. This has been shown to be potentially unsafe because of naming collisions, so
instead we'll allow operators to explicitly attach a policy to a workload
identity.

This changeset adds workload identity fields to ACL policy objects and threads
that all the way down to the command line. It also adds a new secondary index to the
ACL policy table on namespace and job so that claim resolution can efficiently
query for related policies.


Fixes #13995

cc @schmichael @apollo13 @angrycub I've got this in draft while I do some end-to-end verification but the overall design seems sound enough for a first look if you've got comments.

@@ -0,0 +1,3 @@
```release-note:improvement
cli: `acl policy info` output format has changed to improve readability with large policy documents
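Review bot: the hunk header `@@ -0,0 +1,3 @@` announces three added lines but only the opening ```` ```release-note:improvement ```` fence and the note text are shown, so the closing ```` ``` ```` fence of the release-note block is missing from this rendering; without it the changelog fragment is malformed. The note text itself reads fine.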

@tgross tgross Aug 16, 2022


This is the only bit of this that's changing behavior of already-shipped code outside of Secure Variables and Workload Identity work (which will get its own changelog entry once we're ready to wrap everything up). If we want to be fussy we can pull this out to its own PR but it's a tiny change that won't get backported so seemed safe to keep here.

tgross commented Aug 16, 2022

Some end-to-end testing:

```console
$ WI=<token extracted from a running job=httpd>
$ NOMAD_TOKEN=$WI nomad operator api '/v1/vars'
Permission denied%

$ echo '{"Items": {"name": "Tim"}}' | nomad operator api -X PUT "/v1/var/example"
$ nomad operator api '/v1/var/example?namespace=default'
{"CreateIndex":34,"CreateTime":1660675347090671505,"Items":{"name":"Tim"},"ModifyIndex":34,"ModifyTime":1660675347090671505,"Namespace":"default","Path":"example"}%

# not allowed, as expected
$ NOMAD_TOKEN=$WI nomad operator api '/v1/var/example?namespace=default'
Permission denied%

# attach the operator policy to the job
$ nomad acl policy apply -namespace default -job httpd operator ./operator.hcl
Successfully wrote "operator" ACL policy!

$ NOMAD_TOKEN=$WI nomad operator api '/v1/var/example' | jq .
{
  "CreateIndex": 34,
  "CreateTime": 1660675347090671505,
  "Items": {
    "name": "Tim"
  },
  "ModifyIndex": 34,
  "ModifyTime": 1660675347090671505,
  "Namespace": "default",
  "Path": "example"
}

# add a job-specific secret
$ echo '{"Items": {"name": "Tim"}}' | nomad operator api -X PUT "/v1/var/nomad/jobs/httpd"

# read it as expected
$ NOMAD_TOKEN=$WI nomad operator api '/v1/var/nomad/jobs/httpd' | jq .
{
  "CreateIndex": 40,
  "CreateTime": 1660675566715335400,
  "Items": {
    "name": "Tim"
  },
  "ModifyIndex": 40,
  "ModifyTime": 1660675566715335400,
  "Namespace": "default",
  "Path": "nomad/jobs/httpd"
}
```
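The following is an added example, not code from this PR or from Nomad, that models the two things the thread describes: the PR description's design (policies carry explicit namespace and job attachment fields, and a secondary index on (namespace, job) lets claim resolution find attached policies without scanning the whole table), and the end-to-end session above (a workload identity is denied until an operator attaches a policy to its job, and only to that job). The types `ACLPolicy`, `WorkloadClaims` and `PolicyStore`, the flat capability strings standing in for the HCL rules document, and the validation rule that a job attachment must also name its namespace are all assumptions of this example and not Nomad's real structures or API.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"sync"
)

// ACLPolicy is a hypothetical, simplified policy carrying the workload-identity
// attachment fields the PR describes. Capabilities is a flat list standing in
// for the real HCL rules document (assumption, not Nomad's schema).
type ACLPolicy struct {
	Name         string
	Namespace    string   // attachment: namespace of the job this policy applies to
	JobID        string   // attachment: job ID this policy applies to
	Capabilities []string // e.g. "variables:read"
}

// WorkloadClaims is the subset of a workload identity's claims that resolution
// needs: the namespace and job the token was minted for.
type WorkloadClaims struct {
	Namespace string
	JobID     string
}

// ErrJobWithoutNamespace is an assumed validation rule: a job ID only means
// something inside a namespace, so a job attachment without one is rejected.
var ErrJobWithoutNamespace = errors.New("policy attached to a job must also name its namespace")

type jobKey struct{ Namespace, JobID string }

// PolicyStore keeps policies by name plus a secondary index keyed by
// (namespace, job), modelled on the index the PR adds so that resolving a
// workload's claims is a single lookup rather than a scan of every policy.
type PolicyStore struct {
	mu     sync.RWMutex
	byName map[string]*ACLPolicy
	byJob  map[jobKey]map[string]*ACLPolicy
}

func NewPolicyStore() *PolicyStore {
	return &PolicyStore{
		byName: make(map[string]*ACLPolicy),
		byJob:  make(map[jobKey]map[string]*ACLPolicy),
	}
}

// Upsert writes a policy and keeps the secondary index consistent: if a policy
// of the same name was previously attached elsewhere, that stale index entry is
// removed so the old job does not keep the grant.
func (s *PolicyStore) Upsert(p ACLPolicy) error {
	if p.JobID != "" && p.Namespace == "" {
		return ErrJobWithoutNamespace
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	if old, ok := s.byName[p.Name]; ok && old.JobID != "" {
		k := jobKey{old.Namespace, old.JobID}
		delete(s.byJob[k], old.Name)
		if len(s.byJob[k]) == 0 {
			delete(s.byJob, k)
		}
	}
	cp := p
	s.byName[cp.Name] = &cp
	if cp.JobID != "" {
		k := jobKey{cp.Namespace, cp.JobID}
		if s.byJob[k] == nil {
			s.byJob[k] = make(map[string]*ACLPolicy)
		}
		s.byJob[k][cp.Name] = &cp
	}
	return nil
}

// PoliciesForClaims returns the names of policies explicitly attached to the
// workload, sorted for stable output. Only an exact (namespace, job) match
// counts: a policy attached to another job or namespace never applies.
func (s *PolicyStore) PoliciesForClaims(c WorkloadClaims) []string {
	s.mu.RLock()
	defer s.mu.RUnlock()
	var names []string
	for name := range s.byJob[jobKey{c.Namespace, c.JobID}] {
		names = append(names, name)
	}
	sort.Strings(names)
	return names
}

// Allowed reports whether any attached policy grants the capability. A workload
// with nothing attached is denied, matching the "Permission denied" responses
// seen before the operator policy was applied.
func (s *PolicyStore) Allowed(c WorkloadClaims, capability string) bool {
	s.mu.RLock()
	defer s.mu.RUnlock()
	for _, p := range s.byJob[jobKey{c.Namespace, c.JobID}] {
		for _, have := range p.Capabilities {
			if have == capability {
				return true
			}
		}
	}
	return false
}

func main() {
	store := NewPolicyStore()
	httpd := WorkloadClaims{Namespace: "default", JobID: "httpd"}
	fmt.Println("before attach:", store.Allowed(httpd, "variables:read")) // false
	// Equivalent of: nomad acl policy apply -namespace default -job httpd operator ./operator.hcl
	_ = store.Upsert(ACLPolicy{Name: "operator", Namespace: "default", JobID: "httpd",
		Capabilities: []string{"variables:read", "variables:write"}})
	fmt.Println("after attach:", store.Allowed(httpd, "variables:read")) // true
	fmt.Println("attached:", store.PoliciesForClaims(httpd))              // [operator]
	other := WorkloadClaims{Namespace: "default", JobID: "cache"}
	fmt.Println("other job:", store.Allowed(other, "variables:read")) // false
}
```

The point of the index maintenance in `Upsert` is the part easy to get wrong in a real implementation: re-applying a policy with a different `-job` must remove the previous (namespace, job) entry, otherwise the workload it was first attached to silently keeps the grant.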

@tgross tgross requested a review from shoenig August 19, 2022 20:31

@shoenig shoenig left a comment


LGTM! just the usual suggestions

@tgross tgross force-pushed the sv-attach-acl-policy-to-job branch from b9eb888 to 22920e1 on August 22, 2022 20:13
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 21, 2022
Labels
theme/variables Variables feature
Successfully merging this pull request may close these issues.

secure vars implicit ACL policy expects invalid name