
Group Authz Fail Close/Open #116

Open
UnicornChance opened this issue Jun 26, 2024 · 2 comments
Labels
enhancement New feature or request

Comments

@UnicornChance
Contributor

Is your feature request related to a problem? Please describe.

With the creation of group authorization, the default is fail open when a client doesn't have a group defined. It's been suggested that we should look into an environment flag that allows clients to opt into or out of group authz. This would manage the fail open / close behavior.
Further discussion to follow.

@UnicornChance
Contributor Author

@bburky @rjferguson21 @mjnagel Want to open the discussion for this issue. Does anyone have strong feelings for the use case of creating an env flag for clients to opt in and out of group authz?

Currently the behavior is that when a client has an empty groups or anyOf definition, or no groups defined at all, the client will not require any group membership from users. Essentially, this means group authz is opt-in.
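To make the fail-open versus fail-closed distinction concrete, here is a small added example (not code from the UDS project) that models the behavior described above: a client's `groups.anyOf` list is checked against a user's groups, an empty or missing definition allows access (the current fail-open default), and a hypothetical `GROUP_AUTHZ_FAIL_CLOSED` environment flag flips that to deny. The client configurations and group paths are constructed sample data, and the flag name, function names and config shape are assumptions for illustration only.

```python
import os

# Constructed sample client definitions (not real UDS configuration).
# Only the "groups.anyOf" shape from the discussion is modelled here.
CLIENTS = {
    "grafana": {"groups": {"anyOf": ["/UDS Core/Admin"]}},   # explicit group authz
    "legacy-app": {},                                        # no groups key at all
    "empty-app": {"groups": {"anyOf": []}},                  # groups key present but empty
}


def required_groups(client_config):
    """Return the groups named in the client's anyOf list, or [] if none are defined."""
    groups = (client_config or {}).get("groups") or {}
    return list(groups.get("anyOf") or [])


def is_authorized(client_config, user_groups, fail_closed=False):
    """Decide whether a user may reach a client under group authz.

    fail_closed=False reproduces the current default: a client with no
    (or an empty) anyOf definition requires no group membership.
    fail_closed=True is the hypothetical opt-out: such a client denies everyone
    until a group is configured for it.
    """
    required = required_groups(client_config)
    if not required:
        return not fail_closed
    # anyOf semantics: membership in at least one listed group is sufficient.
    return any(group in user_groups for group in required)


def fail_closed_from_env(env=None):
    """Read the hypothetical GROUP_AUTHZ_FAIL_CLOSED flag (assumed name) from the environment."""
    env = os.environ if env is None else env
    return env.get("GROUP_AUTHZ_FAIL_CLOSED", "false").strip().lower() in ("1", "true", "yes")


def clients_without_group_authz(clients):
    """Names of clients that fail open today and would lock everyone out under fail-closed.

    This is the audit a maintainer would run before flipping the flag, so that
    every such client gets a group assigned first.
    """
    return [name for name, cfg in clients.items() if not required_groups(cfg)]


if __name__ == "__main__":
    fail_closed = fail_closed_from_env()
    print(f"fail_closed={fail_closed}")
    for name, cfg in CLIENTS.items():
        print(name, "allows user with no groups:", is_authorized(cfg, [], fail_closed))
    print("clients that currently fail open:", clients_without_group_authz(CLIENTS))
```

Running it without the flag shows `legacy-app` and `empty-app` admitting a user with no groups at all; with `GROUP_AUTHZ_FAIL_CLOSED=true` both deny, while `grafana` behaves identically in both modes because it has an explicit `anyOf` list. The `clients_without_group_authz` check is the piece rjferguson21's point below depends on: it lists exactly the clients that would need a global or per-client group before fail-closed could be enabled without breaking them.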

@rjferguson21
Contributor

IMO this seems like an interesting feature but it would require a few other steps for this to be workable and/or not frustrating for users.

My assumption would be that auto-generated clients would need either a "global group" to exist in order for them to be added to, or a group specifically created for that client to designate access. I think the latter makes more sense, but it would depend on us having a fleshed-out story of how users create groups in the first place, or doing it as part of the operator (which would require us to start using the Admin API).

For reference the existing groups that exist in our realm - https://uds.defenseunicorns.com/core/configuration/uds-user-groups/
