flesh out authz policy

[davepacheco]

This change:

• fleshes out the authz policy with something I hope will be sufficient for the MVP (though even if not, I think it's a good next step)
• protects GET /organizations with authz
• protects DELETE /organizations/$org/projects/$project/disks/$disk. I did this one because it exercises the project-level authz in the policy.

The next step will be to protect more endpoints using this policy. As it is, the policy file is largely not used, but I thought it was better to do this as a smaller change and then protect more endpoints in follow-on changes.

I'm happy to do a code walk-style review if that's helpful.

Some of this is a little janky right now but I hope we can clean it up as we iterate on more endpoints.

[davepacheco]

For anybody interested: I'll do an interactive review / walk-through on Monday 11/22 at 10am PT. Let me know and I'll add you to the invite. We'll also record it.