- Type: Task
- Resolution: Fixed
- Priority: Major - P3
- Affects Version/s: None
- Component/s: None
- Server Security
- Fully Compatible
- v8.0
- Security 2024-05-13
LogicalTimeValidator::isAuthorizedToAdvanceClock calls AuthorizationSession::isAuthorizedForPrivilege twice per request. I believe there is one additional privilege check due to the bypassDefaultMaxTimeMS check.
Both of these check for a single cluster privilege, which is a relatively simple permission check. We should create a new method that can cheaply check whether a user has a single cluster privilege, to be used in this case. This new method would not need to create the ResourcePatternSearchList. We should also restrict which privileges it can check (i.e. it should not be able to check for anything that is covered by local auth bypass). For now, it should be restricted to just advanceClusterTime and bypassDefaultMaxTimeMS.
If there is a tenant, it can just fall back to isAuthorizedForPrivilege. After this method is added, we should change the above call sites to use it.
Also, change ResourcePrivilegeMap to absl::flat_hash_map.
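Sketched below as an added example (not MongoDB's code): a small model of the proposed fast path next to the general check it short-circuits. The class and method names, the action enum and the resource layout are assumptions; the allowlist of two actions, the tenant fallback and the "no ResourcePatternSearchList" property follow the ticket.

```cpp
#include <optional>
#include <set>
#include <stdexcept>
#include <string>
#include <unordered_map>

// Constructed model; ActionType values other than the two named in the ticket
// stand in for actions that are covered by local auth bypass.
enum class ActionType { advanceClusterTime, bypassDefaultMaxTimeMS, internal, find };

// Stand-in for ResourcePrivilegeMap: resource name -> granted actions.
using ResourcePrivilegeMap = std::unordered_map<std::string, std::set<ActionType>>;

struct AuthorizationSession {
    std::optional<std::string> tenantId;   // set when the session is tenant-scoped
    ResourcePrivilegeMap privileges;
    mutable int resourcesScanned = 0;      // cost counter for the demonstration only

    // General path: models isAuthorizedForPrivilege, which has to consider every
    // resource pattern that could match before it can answer.
    bool isAuthorizedForPrivilege(ActionType action) const {
        bool granted = false;
        for (const auto& [resource, actions] : privileges) {
            ++resourcesScanned;
            if (resource == "cluster" && actions.count(action) > 0) granted = true;
        }
        return granted;
    }

    // Proposed fast path: one lookup of the cluster resource, allowed only for the
    // two actions the ticket names; anything else is rejected so the cheap check can
    // never be used for an action that local auth bypass would otherwise cover.
    bool isAuthorizedForClusterAction(ActionType action) const {
        if (action != ActionType::advanceClusterTime &&
            action != ActionType::bypassDefaultMaxTimeMS) {
            throw std::invalid_argument("action is not checkable via the fast path");
        }
        if (tenantId) return isAuthorizedForPrivilege(action);  // tenant: full check
        ++resourcesScanned;
        auto it = privileges.find("cluster");
        return it != privileges.end() && it->second.count(action) > 0;
    }
};

// Constructed session: one cluster privilege plus two unrelated database grants.
AuthorizationSession makeSession(bool tenantScoped) {
    AuthorizationSession s;
    if (tenantScoped) s.tenantId = "tenantA";
    s.privileges = {{"cluster", {ActionType::advanceClusterTime}},
                    {"db:test", {ActionType::find}},
                    {"db:other", {ActionType::find}}};
    return s;
}

// True when the fast path refuses the action, as the restriction requires.
bool fastPathRejects(const AuthorizationSession& s, ActionType action) {
    try { s.isAuthorizedForClusterAction(action); } catch (const std::invalid_argument&) { return true; }
    return false;
}
```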