@geropl geropl commented Dec 6, 2024

Description

This is a POC of "multi-orgs in Dedicated", which comes with two main changesets:

  1. enablement of admin-user
  2. minor streamlining on the UI

admin-user

The core idea is that we enable the admin-user to perform all cross-organization operations ("create org", "configure SSO", etc.).

This approach has a couple of benefits:

  • we don't have to introduce a new concept
  • admin-user already addresses a lot of "2nd day issues", e.g. re-logging into an org even in case of SSO misconfiguration, or manual removal, etc.
  • we could use this opportunity to actually clean some things up conceptually (e.g. how we differentiate between dedicated/not-dedicated, plus some permission special cases)

A limitation is that the user who is configuring SSO for a new organization needs to be able to log in using that SSO - which is the same flow as we have today. This is fine, because it works for the current actual use case.

Another issue not addressed here is "how does a user get hold of the admin link". This is solved out-of-band for the current use case.

UI

There is one main change, which is the introduction of the /?orgSlug= parameter, which is checked across the dashboard and selects one of your organizations. It's especially understood by /login: This solves the use case of "first time user onboards into correct organization".

Related Issue(s)

Fixes CLC-970

How to test

UI

Setup

  • create a branch from this PR
  • enable the feature flag enable_multi_org for your branch
  • run export GITPOD_WITH_DEDICATED_EMU=true; leeway run dev:preview
  • in your preview, login using an admin link and configure the 1st and 2nd org (using SSO apps from here)

/hold
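
An added example (not code from this PR or from Gitpod) of the /?orgSlug= behaviour described under "UI" above: the parameter only picks among organizations the user already belongs to, and anything else is ignored. The type and function names, the slug pattern and the fall-back to the first membership are assumptions made for this sketch.

```typescript
// Added example; all names here are hypothetical, not Gitpod's code.
interface OrgMembership {
    id: string;
    slug: string;
}

interface OrgSelection {
    org: OrgMembership | undefined; // undefined: user belongs to no organization
    honoredSlug: boolean;           // true only if ?orgSlug= matched a membership
    contextUrl: string | undefined; // the "#github.com/my/repo" part, if any
}

// Assumed slug shape for this example: lowercase alphanumerics and dashes.
const SLUG_PATTERN = /^[a-z0-9][a-z0-9-]{0,62}$/;

function selectOrgFromUrl(rawUrl: string, memberships: OrgMembership[]): OrgSelection {
    // Placeholder base so relative URLs such as "/?orgSlug=org1#..." parse.
    const url = new URL(rawUrl, "https://dashboard.invalid");
    const contextUrl = url.hash.length > 1 ? url.hash.slice(1) : undefined;
    const fallback = memberships[0];

    // If the parameter is repeated, only the first value is considered.
    const requested = url.searchParams.get("orgSlug");
    if (requested === null || !SLUG_PATTERN.test(requested)) {
        return { org: fallback, honoredSlug: false, contextUrl };
    }
    // The slug is a UI preference: it selects among the caller's own
    // memberships and must never stand in for a server-side permission check.
    const match = memberships.find((m) => m.slug === requested);
    return { org: match ?? fallback, honoredSlug: match !== undefined, contextUrl };
}

// Constructed sample data.
const sampleMemberships: OrgMembership[] = [
    { id: "id-1", slug: "org1" },
    { id: "id-2", slug: "org2" },
];
```

A caller can use honoredSlug to tell the user that the requested organization was not available instead of silently switching.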

…ace isSIngleOrgInstallation

incl. further cleanup around getConfiguration and server config
… and replace is with getInstallationConfiguration.IsDedicatedInstallation
… in a "create workspace" URL (e.g. "/?orgSlug=org1#github.com/my/repo")
@geropl geropl requested review from a team as code owners December 6, 2024 15:16
@geropl geropl changed the title: [dashboard] introduce "/?orgSlug=", which allows to pre-select an org in a "create workspace" URL (e.g. "/?orgSlug=org1#github.com/my/repo") → [server, dashboard] Introduce multi-org (behind feature flag) Dec 6, 2024
@filiptronicek filiptronicek left a comment

Looks great, let's :shipit: this bad boy.

Left a couple minor comments

}

async createOrganization(userId: string, name: string): Promise<Organization> {
// TODO(gpl): Should we use the authorization layer to make this decision?
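
Review bot: the TODO at the top of createOrganization leaves open where the decision about who may create an organization belongs, but it does not say what the method checks today or when the question will be revisited. Consider stating the current condition in the comment and linking a follow-up issue, so that a permission decision made outside the authorization layer stays visible when the other permission paths are audited.
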
Member

If we wanted to, could we? Does spicedb allow these conditional decisions from the schema depending on the installation config?

Member Author

Because it's static, we could also make it a relation. But there's also a way to attach data to a request, and "dynamic" rules that can decide based on that data.

But anyway, this is more speculative, as I don't see it being worth the effort to pull off right now.

@geropl geropl force-pushed the gpl/970-multi-org branch from eac3aed to 2fa6e93 Compare December 9, 2024 10:19
geropl commented Dec 9, 2024

@filiptronicek I fixed the tests + special tests for the "can't create/join org" cases in this separate PR, to ease reviewing: #20436

I don't see the point in separating it from this PR completely, so we'll just wait for that merge. 👍

* fix tests for real

* [server] Create OrgService.createOrgOwnedUser, and use that across tests to fix the "can't join org" permission issues

* Update components/server/src/orgs/organization-service.ts

Co-authored-by: Filip Troníček <[email protected]>

---------

Co-authored-by: Filip Troníček <[email protected]>
@roboquat roboquat added size/XXL and removed size/XL labels Dec 9, 2024
geropl commented Dec 9, 2024

/unhold

@roboquat roboquat merged commit 7f43d48 into main Dec 9, 2024
18 checks passed
@roboquat roboquat deleted the gpl/970-multi-org branch December 9, 2024 13:00