dffe9465 Finn authored

* endpoints and webui to:
  * create/update/delete policy documents that grant permissions on resources in the system
  * assign policies to API keys or users
* policies are stored in keto, which can be queried quickly when a request is made for something that requires a particular permission
* corresponding changes in common and egcli facilitate generating openapi servers that perform permission checks before calling request handlers
* the generated server in this repo has been updated
* this change adds a database requirement to this service, currently just for tracking some policy metadata that can't be stored in or queried from Keto
* keto requires a file describing all possible object types and what permissions these can be
* ./cmd/keto-sidecar can generate that currently, although the specifics of deployment have not been fully worked out
* all object types and permissions are currently hard-coded. This will need to be dynamic, waiting on creation of an extension management service before that can happen