Allow users to share instances (and all tasks) by auth groups #11
Description
We should allow user to share instances / tasks with other users from specified group(s?).
On warehouse, I've updated so that project members/admins are now synchronized with auth groups. In the future, we can update warehouse to always create process under a specific project (with auth group id). Amaretti can then allow other users to query instances / tasks and access them as long as the user belongs to group specified by the group_id associated with the instance.
Now, a user could create instance / task using datasets from projects other than the one that instance belongs to. Allowing other users to access such instance could expose data that user shouldn't be able to. We shouldn't restrict user from using datasets from other project - as it is very common. We also want to make all processes belongs to a specific parent project (user can create a private project with him/her-self if they want to not share with anyone).
Then, for the issue of datasets access leaking... we could do one of following.
- we say it's ok for this to happen.
- we do additional checking and prevent a user from accessing a task output if it uses datasets that user doesn't have access to (requires a very complex access control logic... error prone) This approach means user will be presented with broken instance that they can't really do anything. Also, some app simply copies some input file. Doing this check probably doesn't prevent user from accessing private data.