Add read-only security_policy to block admin HTTP endpoints.

[enisoc]

Previously, the only built-in policies available were effectively
"allow all" and "deny all". Anything else required writing a custom
plugin.

This adds a new built-in policy called read-only that does NOT do any
authentication, but allows anyone to query HTTP endpoints designated as
requiring the DEBUGGING or MONITORING roles, while denying everyone
access to ADMIN endpoints.

The default when no policy is specified remains "allow all".
The fallback policy remains "deny all" when an unknown, non-empty
policy name is requested. In addition, you can now explicitly request
the deny-all policy without having to engage fallback by providing an
invalid policy name.

Note that security_policy only applies to HTTP endpoints. It does NOT
affect gRPC calls, nor SQL queries. Also, the security_policy flag
must be set individually on every process (e.g. vttablet, vtgate, vtctld)
and only applies to endpoints served directly by that one process.

Signed-off-by: Anthony Yeh enisoc@planetscale.com

[sougou]

can you undo the go.* changes? @deepthi suggests go mod tidy. I just use git checkout go.mod.

[enisoc]

This is already the result after go mod tidy.

[enisoc]

I reverted back to the go.{mod,sum} in master, and then checked in only the result after make build, without running go mod tidy. It seems our checked-in state on master is untidy, so using tidy results in changes. We'll keep going back and forth unless we can get all committers to agree on either always running tidy, or never.