feat: add auth metrics emission #19552

Open
cecemei wants to merge 4 commits into apache:master from cecemei:deny

@cecemei cecemei commented Jun 4, 2026

Description

Introduces an opt-in mechanism to emit Druid service metrics for authorization events. When enabled, Druid emits metrics for access denials and authorization exceptions, making it easier to monitor and alert on security-relevant events.

Changes

New config flag (AuthConfig)

  • Adds emitAuthMetrics boolean property (default: false)
  • Enable via runtime config: druid.auth.emitAuthMetrics=true

AuthorizerMapper

  • Accepts an optional ServiceEmitter to pass through to authorization utilities
  • Defaults to null (no-op) when metrics are disabled

AuthorizerMapperModule

  • Injects ServiceEmitter directly instead of via Injector (cleaner dependency graph)
  • Wires the emitter into AuthorizerMapper only when emitAuthMetrics is enabled

AuthorizationUtils

  • Adds private emitAuthMetric() helper that fires metrics with dimensions: identity, authorizerName, resourceName, resourceType, action, and errorMessage
  • Emits auth/accessDenied on denied resource access
  • Emits auth/exception on internal errors (missing authorizer, duplicate policies, double-authorization check)

This PR has:

  • been self-reviewed.
  • added documentation for new or modified features or behaviors.
  • a release note entry in the PR description.
  • added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
  • added or updated version, license, or notice information in licenses.yaml
  • added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
  • added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.
  • added integration tests.
  • been tested in a test Druid cluster.

@github-actions github-actions Bot added Area - Batch Ingestion Area - Querying Area - MSQ For multi stage queries - https://github.com/apache/druid/issues/12262 labels Jun 4, 2026
@cecemei cecemei changed the title feat: add auth metric feat: add auth metrics emission Jun 4, 2026
@cecemei cecemei marked this pull request as ready for review June 4, 2026 23:14
@FrankChen021 FrankChen021 left a comment

Severity Findings
P0 0
P1 0
P2 1
P3 0
Total 1

Reviewed 16 of 16 changed files.


This is an automated review by Codex GPT-5.5

ResourceAction resourceAction = createDatasourceResourceAction(datasource, req);
AuthorizationResult authResult = authorizeResourceAction(req, resourceAction, authorizerMapper);
if (!authResult.allowAccessWithNoRestriction()) {
emitAuthMetric(
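
Review bot: the guard `!authResult.allowAccessWithNoRestriction()` on the third line is true both when access is refused outright and when it is granted with restrictions, so the `emitAuthMetric(` call that follows fires for both cases without the branch saying which one it means to record. Split the condition, or add a comment stating the intended case, so that anyone alerting on this metric knows what a single data point represents.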
[P2] Avoid double-counting datasource denial metrics

When a datasource request is denied, verifyUnrestrictedAccessToDatasource first calls authorizeResourceAction, which now emits auth/accessDenied from authorizeAllResourceActions when the authorizer returns a denial. The new emit here then records the same denial again before throwing ForbiddenException, so endpoints using this helper double-count access-denied metrics whenever druid.auth.emitAuthMetrics=true. Emit here only for the allowed-but-restricted case, or keep access-denied emission in one layer.
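
The double count described in the comment above, as an added example that is not part of the PR or of Druid's code: a simplified Java model of the two layers with a list standing in for the emitter, usable as the shape of a regression check that one rejected request yields one metric event. The class, the `Result` enum, the list-based emitter and `SecurityException` in place of `ForbiddenException` are hypothetical, and the metric name used by the outer emit is assumed to be `auth/accessDenied`.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.Consumer;

// Simplified model of the two layers named in the review; not Druid's classes.
public class AuthMetricDoubleCount {
  // Hypothetical stand-in for the emitter: records emitted metric names.
  static final List<String> EMITTED = new ArrayList<>();

  enum Result { ALLOWED, RESTRICTED, DENIED }

  // Inner layer: emits auth/accessDenied when the authorizer returns a denial.
  static Result authorizeResourceAction(Result authorizerDecision) {
    if (authorizerDecision == Result.DENIED) {
      EMITTED.add("auth/accessDenied");
    }
    return authorizerDecision;
  }

  // Outer helper as reviewed: emits for anything that is not unrestricted access.
  static void verifyAsReviewed(Result decision) {
    Result r = authorizeResourceAction(decision);
    if (r != Result.ALLOWED) {
      EMITTED.add("auth/accessDenied"); // assumed metric name for the outer emit
      throw new SecurityException("forbidden");
    }
  }

  // Outer helper emitting only for the allowed-but-restricted case.
  static void verifyRestrictedOnly(Result decision) {
    Result r = authorizeResourceAction(decision);
    if (r == Result.RESTRICTED) {
      EMITTED.add("auth/accessDenied");
    }
    if (r != Result.ALLOWED) {
      throw new SecurityException("forbidden");
    }
  }

  // Number of metric events one request produces through the given helper.
  static int eventsFor(Consumer<Result> helper, Result decision) {
    EMITTED.clear();
    try { helper.accept(decision); } catch (SecurityException expected) { }
    return EMITTED.size();
  }

  public static void main(String[] args) {
    for (Result d : Result.values()) {
      System.out.println(d + ": as reviewed=" + eventsFor(AuthMetricDoubleCount::verifyAsReviewed, d)
          + ", restricted-only=" + eventsFor(AuthMetricDoubleCount::verifyRestrictedOnly, d));
    }
  }
}
```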
