[Auth] Integrate Casbin with all objects on the GQL API

The dev branch now has a working implementation of Casbin authorization, with a toy model and policy. Extend these to cover the entire GQL API: all objects available on the API should trigger an auth check, even if that check is null/anonymous access is allowed. 