Expose authentication/acl API's for plugins
Authentication
Plugins such as Radix need to provide authentication for external connections. It makes sense to use picodata access control facilities for that, but currently they're not exposed.
For now workaround is to validate credentials by attempting to connect with them to locally running picodata and use tarantool::session::su to switch to needed user identity
For proper solution we need to expose authenticate function from tarantool. It is already exported from our fork and used in pgproto: https://git.picodata.io/core/picodata/-/blob/bf8fdace5ff91fd29e3e4d9068097c2bdc3281f1/src/pgproto/client/auth.rs#L13 so we need to expose it in plugin sdk
Access control
Additionally plugins such as radix may want to implement access control policies. Again, reusing picodata access control subsystem. For now there are two functions in tarantool module that do most of the job: box_access_check_space и box_access_check_ddl. But they're error prone and do not cover everything (picodata has some additional rules on top). Moreover they're considered implementation detail and shouldnt be used directly.
The goal here is to expose wrappers without such limitations to plugin api
Before implementation an ADR is needed.
Linked issue from radix https://git.picodata.io/picodata/plugin/radix/-/issues/73
Context: https://docs.google.com/document/d/1JxCCL5hnG7yl3Owo-631f6oKHf6ig1ITh_ad6_k-0dA/edit?tab=t.0
Originally reported by @aensidhe