fix: deprecate requirement of session token for service accounts (#9320)

This PR fixes couple of behaviors with service accounts

- not need to have session token for service accounts
- service accounts can be generated by any user for themselves
  implicitly, with a valid signature.
- policy input for AddNewServiceAccount API is not fully typed
  allowing for validation before it is sent to the server.
- also bring in additional context for admin API errors if any
  when replying back to client.
- deprecate GetServiceAccount API as we do not need to reply
  back session tokens

pkg/auth/credentials.go

@@ -102,7 +102,7 @@ func (cred Credentials) String() string {
 		s.WriteString("\n")
 		s.WriteString(cred.SessionToken)
 	}
-	if !cred.Expiration.IsZero() && cred.Expiration != timeSentinel {
+	if !cred.Expiration.IsZero() && !cred.Expiration.Equal(timeSentinel) {
 		s.WriteString("\n")
 		s.WriteString(cred.Expiration.String())
 	}
@@ -111,7 +111,7 @@ func (cred Credentials) String() string {
 
 // IsExpired - returns whether Credential is expired or not.
 func (cred Credentials) IsExpired() bool {
-	if cred.Expiration.IsZero() || cred.Expiration == timeSentinel {
+	if cred.Expiration.IsZero() || cred.Expiration.Equal(timeSentinel) {
 		return false
 	}
 
@@ -120,12 +120,12 @@ func (cred Credentials) IsExpired() bool {
 
 // IsTemp - returns whether credential is temporary or not.
 func (cred Credentials) IsTemp() bool {
-	return cred.SessionToken != "" && cred.ParentUser == ""
+	return cred.SessionToken != "" && cred.ParentUser == "" && !cred.Expiration.IsZero() && !cred.Expiration.Equal(timeSentinel)
 }
 
 // IsServiceAccount - returns whether credential is a service account or not
 func (cred Credentials) IsServiceAccount() bool {
-	return cred.ParentUser != ""
+	return cred.ParentUser != "" && (cred.Expiration.IsZero() || cred.Expiration.Equal(timeSentinel))
 }
 
 // IsValid - returns whether credential is valid or not.