Description

Introduces an opt-in mechanism to emit Druid service metrics for authorization events. When enabled, Druid emits metrics for access denials and authorization exceptions, making it easier to monitor and alert on security-relevant events.

Changes

New config flag (AuthConfig)

• Adds emitAuthMetrics boolean property (default: false)
• Enable via runtime config: druid.auth.emitAuthMetrics=true

AuthorizerMapper

• Accepts an optional ServiceEmitter to pass through to authorization utilities
• Defaults to null (no-op) when metrics are disabled

AuthorizerMapperModule

• Injects ServiceEmitter directly instead of via Injector (cleaner dependency graph)
• Wires the emitter into AuthorizerMapper only when emitAuthMetrics is enabled

AuthorizationUtils

• Adds private emitAuthMetric() helper that fires metrics with dimensions: identity, authorizerName, resourceName, resourceType, action, and errorMessage
• Emits auth/accessDenied on denied resource access
• Emits auth/exception on internal errors (missing authorizer, duplicate policies, double-authorization check)

This PR has:

• been self-reviewed.
  • using the concurrency checklist (Remove this item if the PR doesn't have any relation to concurrency.)
• added documentation for new or modified features or behaviors.
• a release note entry in the PR description.
• added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
• added or updated version, license, or notice information in licenses.yaml
• added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
• added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.
• added integration tests.
• been tested in a test Druid cluster.