DIG-1652: Remove use of OPA_SERVICE_TOKEN and OPA_ROOT_TOKEN

[daisieh]

Instead of using special tokens, we split up the use cases in these three ways:

1. For the opa-runner container, to make sure that it is the only one that can access/store its own vault token, we create a secret for its own use on initialization, and make sure that the token passed in with calls to v1/data/store_token is the same as that internal secret.
2. For site admins, we can check that the token belongs to a user listed as having the site_role admin. Those users can access any of Opa's paths.
3. For the authx library (and other microservices), authenticated users can access information about their own user's authorizations. These include the authorized datasets, whether or not they're a site admin, and what their user ID is. These should be available as long as the bearer token matches the body token and is verified with one of Opa's known IdPs.

All previous tests that required passing in OPA_ROOT_TOKEN or OPA_SERVICE_TOKEN for the X-Opa header should now work correctly without that header, since they were one of the above use cases. Run make clean-opa; make docker-volumes; make build-opa; make compose-opa and then run integration tests. They should pass as before.

[kcranston]

Can you update the description of service tokens in the readme to reflect these changes?

[daisieh]

Done