We are receiving 401s due to Notifications not properly authenticating to Sources.

• The initial implementation simply forwarded the received x-rh-identity header to Sources. This worked for the backend, but not the engine, since the engine doesn't have a client that sends such header.
• The second implementation generated a minimal x-rh-identity header with an org-id inside of it, but it also didn't work because RBAC expects an username to identify the user. This also had the drawback of the user needing the Sources administrator role.

This story suggests implementing the authentication via a PSK, and sending the organization ID via another header that Sources supports. This way we would cover both authentication and tenant identification.