Add commands for manage users groups and access #339

Merged
ldmonster merged 6 commits into main from add-user-group-access-managing on May 6, 2026
Conversation

@Jabejixo
Contributor

@Jabejixo Jabejixo commented Apr 27, 2026

Description

New d8 iam command tree for managing local users, groups, and access grants. Five top-level subcommands under internal/iam/:

  • d8 iam user create / delete / reset-password / reset2fa / lock / unlock.
  • d8 iam group create / delete / add-member / remove-member.
  • d8 iam access grant / revoke.
  • d8 iam get user, group, rule.
  • d8 iam list users|user, groups|group, rules|rule.

Read verbs are top-level (d8 iam get user alice, d8 iam list users), not per-domain wrappers.

Subjects are positional. grant / revoke take -n/--namespace (repeatable, AR) or --scope cluster|all-namespaces|labels=K=V[,K2=V2,...] (CAR with namespaceSelector.labelSelector). Capabilities (--allow-scale, --port-forwarding) compose with any scope. d8-managed grants get a deterministic name, so grant / revoke are idempotent.

Password input is unified across user create and user reset-password: interactive (default), --password-stdin, --generate-password, or --password-hash. The CLI handles the format difference between User.spec.password (base64-bcrypt) and UserOperation.spec.resetPassword.newPasswordHash (raw bcrypt).

Shell completion covers command names, resource names, namespaces, access levels, scope values, rule refs, and output formats. Common k8s helpers (PrintObject, NewDynamicClient, AddOutputFlag, CompleteResourceNames, ...) live in internal/utilk8s/. The previously top-level d8 user was moved under d8 iam user.

Why do we need it, and what problem does it solve?

Managing users, groups, and access in Deckhouse today means hand-crafting User, Group, AuthorizationRule, and ClusterAuthorizationRule CRs and applying them via kubectl. There is no first-class CLI for inventory, "who has access to what", or safe revocation.

d8 iam provides:

  • a single discoverable command tree with consistent flag semantics;
  • effective-access inventory: iam list users|groups (aggregated table) and iam get user|group <name> (direct grants, transitive group membership, inherited grants, effective summary, warnings for cycles / orphaned members / manually maintained rules), with SuperAdmin wildcard capabilities surfaced as implicit;
  • iam list rules / iam get rule with reverse lookup of subjects to local User / Group CRs;
  • idempotent grant / revoke.

Why do we need it in the patch release (if we do)?

Not necessarily.

Changelog entries

section: deckhouse-cli
type: feature
summary: Add `d8 iam` command tree for managing local users, groups, and access grants
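The description above says d8-managed grants get a deterministic name so that `grant` / `revoke` are idempotent, and that `--scope` accepts `cluster`, `all-namespaces` or `labels=K=V[,K2=V2,...]`. The following Go program is an added illustration of that design, not code from the deckhouse-cli repository or from this PR: it parses the scope value, canonicalises it so label order does not matter, and derives a DNS-1123-safe object name from (subject kind, subject, access level, scope). The `Scope` type, `ParseScope`, `GrantName` and the SHA-256 naming scheme are assumptions made for the example; the real command may derive names differently.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Scope mirrors the --scope flag described in the PR text: "cluster",
// "all-namespaces", or "labels=K=V[,K2=V2,...]". Hypothetical type for
// this example, not the project's own.
type Scope struct {
	Kind   string            // "cluster", "all-namespaces" or "labels"
	Labels map[string]string // populated only when Kind == "labels"
}

// ParseScope parses a --scope value. Malformed pairs, empty keys and
// duplicate keys are rejected so a typo cannot silently widen the selector.
func ParseScope(raw string) (Scope, error) {
	switch {
	case raw == "cluster":
		return Scope{Kind: "cluster"}, nil
	case raw == "all-namespaces":
		return Scope{Kind: "all-namespaces"}, nil
	case strings.HasPrefix(raw, "labels="):
		labels := map[string]string{}
		for _, pair := range strings.Split(strings.TrimPrefix(raw, "labels="), ",") {
			k, v, ok := strings.Cut(pair, "=")
			if !ok || k == "" {
				return Scope{}, fmt.Errorf("bad label pair %q", pair)
			}
			if _, dup := labels[k]; dup {
				return Scope{}, fmt.Errorf("duplicate label key %q", k)
			}
			labels[k] = v
		}
		return Scope{Kind: "labels", Labels: labels}, nil
	}
	return Scope{}, errors.New("scope must be cluster, all-namespaces or labels=K=V[,K2=V2,...]")
}

// canonical renders the scope with label keys sorted, so that equal scopes
// produce the same string regardless of the order the user typed them in.
func (s Scope) canonical() string {
	if s.Kind != "labels" {
		return s.Kind
	}
	keys := make([]string, 0, len(s.Labels))
	for k := range s.Labels {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	b.WriteString("labels:")
	for _, k := range keys {
		fmt.Fprintf(&b, "%s=%s;", k, s.Labels[k])
	}
	return b.String()
}

// GrantName derives a deterministic, DNS-1123-safe name for a d8-managed
// grant. Because the name is a pure function of its inputs, a repeated
// `grant` finds the existing object instead of creating a duplicate, and
// `revoke` can address it without the caller knowing the name. The SHA-256
// suffix scheme is an assumption made for this example.
func GrantName(subjectKind, subject, accessLevel string, scope Scope) string {
	// NUL separators keep ("ab","c") and ("a","bc") distinct; the subject
	// kind keeps "User alice" and "Group alice" distinct.
	material := strings.Join([]string{subjectKind, subject, accessLevel, scope.canonical()}, "\x00")
	sum := sha256.Sum256([]byte(material))

	// Human-readable prefix restricted to characters valid in an object name.
	prefix := strings.Map(func(r rune) rune {
		if (r >= 'a' && r <= 'z') || (r >= '0' && r <= '9') || r == '-' {
			return r
		}
		return '-'
	}, strings.ToLower(subjectKind+"-"+subject))
	if len(prefix) > 40 {
		prefix = prefix[:40]
	}
	prefix = strings.Trim(prefix, "-")
	// "d8-" + <=40 + "-" + 10 hex chars stays well under the 63-char limit.
	return "d8-" + prefix + "-" + hex.EncodeToString(sum[:])[:10]
}

func main() {
	s, err := ParseScope("labels=team=payments,env=prod")
	if err != nil {
		panic(err)
	}
	fmt.Println(GrantName("User", "alice", "Editor", s))
}
```

The practical point for revocation safety is the canonical form: `labels=team=payments,env=prod` and `labels=env=prod,team=payments` describe the same selector, so they must map to the same name, otherwise a `revoke` issued with the labels in a different order would miss the grant and leave the access in place.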

@Jabejixo Jabejixo force-pushed the add-user-group-access-managing branch 2 times, most recently from 13a6cc9 to cabfa61 Compare April 27, 2026 07:53
@Jabejixo Jabejixo marked this pull request as ready for review April 29, 2026 07:10
@Jabejixo Jabejixo requested a review from ldmonster as a code owner April 29, 2026 07:10

@AlwxSin AlwxSin left a comment

Some test scenarios are lacking:

  • no grant -> revoke round-trip
  • no remove-member tests
  • no tests for UserOperation creation
  • no tests for group create/delete

Comment thread internal/iam/access/cmd/naming.go Outdated
Comment thread internal/iam/group/cmd/remove_member.go Outdated
Comment thread internal/iam/group/cmd/membership.go Outdated
Comment thread internal/iam/access/cmd/grant.go Outdated
Comment thread internal/iam/access/cmd/list.go
Comment thread internal/iam/access/cmd/revoke.go
Comment thread internal/iam/user/cmd/delete.go Outdated
Comment thread internal/iam/access/cmd/rules.go Outdated
Comment thread internal/iam/access/cmd/rules.go Outdated
Comment thread internal/utilk8s/completion.go Outdated
Jabejixo added 6 commits May 5, 2026 13:30
Signed-off-by: Ivan Zvyagintsev <ivan.zvyagintsev@flant.com>
Signed-off-by: Ivan Zvyagintsev <ivan.zvyagintsev@flant.com>
Signed-off-by: Ivan Zvyagintsev <ivan.zvyagintsev@flant.com>
Signed-off-by: Ivan Zvyagintsev <ivan.zvyagintsev@flant.com>
Signed-off-by: Ivan Zvyagintsev <ivan.zvyagintsev@flant.com>
Signed-off-by: Ivan Zvyagintsev <ivan.zvyagintsev@flant.com>
@Jabejixo Jabejixo force-pushed the add-user-group-access-managing branch from 3256302 to e90a2cb Compare May 5, 2026 10:31
@Jabejixo Jabejixo requested a review from AlwxSin May 5, 2026 10:36
@ldmonster ldmonster merged commit b349fa0 into main May 6, 2026
5 checks passed
@ldmonster ldmonster deleted the add-user-group-access-managing branch May 6, 2026 16:36