
[Feature] Implement role-based access control with ADMIN and READ_ONLY#4118

Open
xxubai wants to merge 4 commits into apache:master from xxubai:rbac

Conversation

@xxubai (Contributor) commented Mar 10, 2026

Why are the changes needed?

Currently all authenticated Dashboard users have full admin privileges. This PR adds role-based access control (RBAC) to the Amoro Dashboard with two roles: ADMIN and READ_ONLY, allowing organizations to restrict write operations to authorized administrators.

Key motivations:

  1. Security — Prevent unauthorized users from modifying catalogs, managing optimizers, or executing SQL.
  2. LDAP integration — Map LDAP group membership (e.g., Active Directory groups) to Amoro roles without maintaining a separate user database.
  3. Backward compatibility — Disabled by default; existing deployments are unaffected.

Close #4117

Brief change log

Backend — amoro-ams

  • New Role enum (authorization/Role.java) — Defines ADMIN and READ_ONLY.
  • New RoleResolver (authorization/RoleResolver.java) — Resolves user roles at login with priority: local users → admin-users whitelist → built-in admin → LDAP group → default-role.
  • New LdapGroupRoleResolver (authorization/LdapGroupRoleResolver.java) — Queries LDAP group membership via JNDI using a service account bind. Supports full DN lookup with Context.REFERRAL = "follow" for AD compatibility.
  • Modified LoginController — Returns role in SessionInfo. Separates auth errors from role-resolution errors: auth failures show "invalid user or password", config errors show "server configuration error, contact administrator".
  • Modified DashboardServer — Enforces role-based API access; READ_ONLY users receive HTTP 403 on write endpoints.
  • Modified LdapPasswdAuthenticationProvider — Added normalizeUsername() to strip the email domain suffix (xuba@cisco.com → xuba); added LDAP referral following.
  • Modified AmoroManagementConf — Added 10 new config options under http-server.authorization.*.

Frontend — amoro-web

  • New permission.ts (utils/permission.ts) — Utility function isReadOnly() that checks the user store.
  • Modified store/index.ts — Added role to user state.
  • Modified Sidebar.vue, Topbar.vue — Hide admin-only navigation for READ_ONLY users.
  • Modified catalog/resource/terminal/table views — Disable create/delete/execute buttons for READ_ONLY users.
  • Modified request.ts — Store role from login response.
  • Modified login/index.vue — Pass role from login API response.

Admin role UI (screenshot)

Read-only role UI (screenshot)

How was this patch tested?

  • Add some test cases that check the changes thoroughly including negative and positive cases if possible

    • RoleResolverTest — Tests role resolution priority: local users, admin-users whitelist, built-in admin, LDAP fallback, default role, authorization-disabled backward compatibility.
    • LdapGroupRoleResolverTest — Tests member matching (DN-style, CN-style, uid-style, plain username, case-insensitive), LDAP error propagation, config validation.
    • HttpAuthenticationFactoryTest — Tests authentication provider factory.
  • Add screenshots for manual tests if appropriate

  • Run test locally before making a pull request

Documentation

  • Does this pull request introduce a new feature? yes
  • If yes, how is the feature documented? docs (ams-config.md updated with config reference and RBAC examples; config.yaml template includes commented-out examples)

@github-actions github-actions bot added type:docs Improvements or additions to documentation module:ams-server Ams server module type:build module:ams-dashboard Ams dashboard module labels Mar 10, 2026
@xxubai xxubai marked this pull request as ready for review March 10, 2026 14:44
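As an added illustration of the resolution order and the LDAP member-value matching the description above lists, here is a self-contained Java class. It is example code written for this page, not the PR's own RoleResolver or LdapGroupRoleResolver; the class and field names are assumptions, and the LDAP group query is replaced by a constructed in-memory list of member values.

```java
import java.util.*;

// Added example, not Amoro's code: mirrors the resolution order the PR describes
// (local users -> admin-users whitelist -> built-in admin -> LDAP group -> default-role)
// and the member-value formats its LDAP test names. The LDAP query is a constructed in-memory list.
public class RoleResolverExample {
  enum Role { ADMIN, READ_ONLY }
  private final boolean authorizationEnabled;
  private final Map<String, Role> localUsers;    // hypothetical: locally configured users and their roles
  private final Set<String> adminUsers;          // admin-users whitelist
  private final String builtInAdmin;             // built-in admin account
  private final List<String> adminGroupMembers;  // constructed stand-in for the admin group's LDAP member values
  private final Role defaultRole;
  RoleResolverExample(boolean enabled, Map<String, Role> localUsers, Set<String> adminUsers,
                      String builtInAdmin, List<String> adminGroupMembers, Role defaultRole) {
    this.authorizationEnabled = enabled; this.localUsers = localUsers; this.adminUsers = adminUsers;
    this.builtInAdmin = builtInAdmin; this.adminGroupMembers = adminGroupMembers; this.defaultRole = defaultRole;
  }
  // Strip an e-mail domain suffix (xuba@cisco.com -> xuba) and normalize case before any lookup.
  static String normalizeUsername(String raw) {
    int at = raw.indexOf('@');
    return (at > 0 ? raw.substring(0, at) : raw).trim().toLowerCase(Locale.ROOT);
  }
  // Accept a full DN, "CN=name", "uid=name" or a plain username: compare the first RDN's value,
  // case-insensitively. Escaped commas inside an RDN are not handled; parse DNs properly in production.
  static boolean memberMatches(String memberValue, String user) {
    String firstRdn = memberValue.trim().split(",", 2)[0];
    int eq = firstRdn.indexOf('=');
    return (eq >= 0 ? firstRdn.substring(eq + 1) : firstRdn).trim().equalsIgnoreCase(user);
  }
  Role resolve(String rawUser) {
    if (!authorizationEnabled) return Role.ADMIN;          // feature disabled: everyone keeps full access
    String user = normalizeUsername(rawUser);
    Role local = localUsers.get(user);
    if (local != null) return local;                       // 1. local users
    if (adminUsers.contains(user)) return Role.ADMIN;      // 2. admin-users whitelist
    if (user.equals(builtInAdmin)) return Role.ADMIN;      // 3. built-in admin
    for (String m : adminGroupMembers) {                   // 4. LDAP group membership
      if (memberMatches(m, user)) return Role.ADMIN;
    }
    return defaultRole;                                    // 5. default-role
  }

  public static void main(String[] args) {
    RoleResolverExample r = new RoleResolverExample(true, Map.of("auditor", Role.READ_ONLY), Set.of("ops"),
        "admin", List.of("CN=xuba,OU=Users,DC=example,DC=com", "uid=alice", "Bob"), Role.READ_ONLY);
    for (String u : List.of("xuba@cisco.com", "BOB", "auditor", "guest", "ops")) {
      System.out.println(u + " -> " + r.resolve(u));
    }
  }
}
```

With the constructed inputs, the local-user entry wins for auditor even though nothing else grants it ADMIN, and an unlisted user such as guest falls through to the default-role, which is the backstop a deployment should set to READ_ONLY.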