Opened 15 years ago

Closed 14 years ago

#3 closed enhancement (fixed)

Use Moira-fed sources for authorization

Reported by: adehnert
Owned by:
Priority: normal
Milestone: Initial Release
Component: Core
Version:
Keywords:
Cc:
Size:

Description

Letting people use blanche and similar tools for managing authorization is shiny. The DB should possibly use a Moira-fed source (Moira itself, AFS groups, or LDAP) for checking for authorization.

Change History (6)

comment:1 Changed 15 years ago by adehnert

  • Milestone set to Initial Release

comment:2 Changed 14 years ago by adehnert

  • Component set to Default

This is probably not going to happen for group signatories.

For things like ASA EBM, this should absolutely happen.

comment:3 Changed 14 years ago by adehnert

  • Component changed from Default to Core

Relevant lists for CAC access:

  • student workers: cacstudentworkers
  • staff: cacstaff

(See https://diswww.mit.edu/menelaus/asa-db/443.)

comment:4 Changed 14 years ago by adehnert

Current intent is that the lists on asa-db-sync-lists will be used for syncing. (Mostly not directly lists from individual offices, because asa-db-mit-{deskworker,offices} will probably need multiple sublists, and sao-internal is hidden, so it'll need a wrapper of to make it visible.)

comment:5 Changed 14 years ago by adehnert

Commit ac1d8975674184bf1084bf8386697e2781c0d665 and its immediate predecessors make this work for Django group membership. Unfortunately, they don't handle the "staff" flag at the moment. (Also, they cause adehnert-admin to get punted from asa-ebm. Ah well.)

comment:6 Changed 14 years ago by adehnert

  • Resolution set to fixed
  • Status changed from new to closed

Staff status is fixed in:

commit c8cb9baab284bd45e84140c69599261f53887f7b
Author: Alex Dehnert <adehnert@mit.edu>
Date:   Fri Dec 23 00:00:02 2011 -0500

    Sync staff status with the asa-admin list as well

    It's possible we actually want to have some whitelist of "people who should
    always have staff status". Not clearly worthwhile enough for me to implement
    something now, though.

I think that's all we need.
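The list-driven sync described in comments 4 to 6, as an added example that is not the ASA database's own code: it reconciles local group membership and the staff flag against list membership and returns the changes for audit. The `User` class stands in for a Django user, the usernames and list contents are constructed, and `always_staff` and the skip-on-missing-list behaviour are assumptions (the commit message mentions an always-staff whitelist only as an idea).

```python
from dataclasses import dataclass, field


@dataclass
class User:
    """Hypothetical stand-in for a Django user record."""
    username: str
    groups: set = field(default_factory=set)
    is_staff: bool = False


def sync_authorization(users, list_members, group_lists, staff_list,
                       always_staff=frozenset()):
    """Make local groups and staff flags match list membership.

    users:        dict username -> User (local accounts)
    list_members: dict list name -> set of usernames, as fetched from the
                  Moira-fed source (constructed data in this example)
    group_lists:  dict local group name -> name of the list that feeds it
    staff_list:   name of the list that grants staff status
    Returns a list of (username, action, target) tuples for an audit log.
    """
    changes = []
    for group, list_name in sorted(group_lists.items()):
        if list_name not in list_members:
            # Assumption: a list that could not be fetched is skipped, not
            # treated as empty, so a lookup failure never revokes access.
            continue
        wanted = list_members[list_name]
        for name in sorted(wanted):
            user = users.setdefault(name, User(name))
            if group not in user.groups:
                user.groups.add(group)
                changes.append((name, "add", group))
        # Anyone in the local group but not on the list loses membership,
        # including accounts that were added to the group by hand.
        for name, user in sorted(users.items()):
            if group in user.groups and name not in wanted:
                user.groups.discard(group)
                changes.append((name, "remove", group))
    if staff_list in list_members:
        staff = list_members[staff_list] | always_staff
        for name, user in sorted(users.items()):
            want = name in staff
            if user.is_staff != want:
                user.is_staff = want
                changes.append((name, "staff" if want else "unstaff", staff_list))
    return changes
```

Without an `always_staff` entry, a hand-configured admin account that is on neither list is removed from the group and loses staff status on the first run, which is the same effect comment 5 reports for adehnert-admin and asa-ebm.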
