Apply namespace locking rules in Almanac

When you have a namespace like "phacility.net", require users creating services and devices within it to have edit permission on the namespace.
This primarily allows us to lock down future device names in the cluster, so instances can't break themselves once they get access to Almanac.

- Configured a phacility.net namespace, locked myself out of it.
- Could not create new stuff.phacility.net services/devices.
- Could still edit existing devices I had permission for.
- Configured a free.phacility.net namespace with more liberal policies.
- Could create me.free.phacility.net.
- Still could not create other.phacility.net.

Reviewed By: chad
Differential Revision: https://secure.phabricator.com/D15325
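
The rule described in this commit message, modelled as an added example; it is not code from Phabricator or from this change, and every name in it is hypothetical. It assumes the most specific containing namespace governs (which is what the test plan's results suggest), that matching is on whole DNS labels, and that names outside every namespace are unrestricted.

```python
# Added illustration; not Phabricator/Almanac code. All names are hypothetical.

def containing_namespace(name, namespaces):
    """Return the most specific namespace that contains `name`, or None.

    Matching is on whole DNS labels, so "evilphacility.net" is not inside
    "phacility.net". Assumption: a name equal to the namespace is inside it.
    """
    labels = name.lower().rstrip(".").split(".")
    # Walk from the full name to shorter suffixes; the first hit is the
    # longest (most specific) matching namespace.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in namespaces:
            return candidate
    return None


def can_create(user, name, namespaces):
    """Allow creation only if the user may edit the governing namespace.

    `namespaces` maps a lowercase namespace name to the set of users with
    edit permission on it. Names outside every namespace are allowed
    (assumption).
    """
    ns = containing_namespace(name, namespaces)
    if ns is None:
        return True
    return user in namespaces[ns]


# Constructed sample data mirroring the test plan above.
NAMESPACES = {
    "phacility.net": {"admin"},                # locked down
    "free.phacility.net": {"admin", "alice"},  # more liberal policy
}

if __name__ == "__main__":
    for n in ("stuff.phacility.net", "me.free.phacility.net",
              "other.phacility.net", "evilphacility.net"):
        print(n, can_create("alice", n, NAMESPACES))
```

A substring or plain `endswith` comparison in place of the label walk would treat `evilphacility.net` as inside `phacility.net`, so the lock would apply to the wrong names.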