two use cases related to authz:
1. we want our Flyte users to be able to use boto3 for accessing S3, but we need to globally patch boto3 to first fetch a signed S3 request from our internal s3-authorization service, before making the request to AWS S3. this signing needs to take place immediately before making the request to S3.
2. our users submit Spark apps to our Hadoop clusters. before doing that, we want to globally “exchange” the kube JWT for an internal cert, which is validated by our Hadoop interface.
in both cases, we cannot expect our users to import some Python package in their workflow/task code. it’s also not secure.