Apply namespace locking rules in Almanac


Apply namespace locking rules in Almanac

Ref T10246. Ref T6741.

When you have a namespace like "phacility.net", require users creating services and devices within it to have edit permission on the namespace.

This primarily allows us to lock down future device names in the cluster, so instances can't break themselves once they get access to Almanac.

Test Plan:

  • Configured a phacility.net namespace, locked myself out of it.
  • Could not create new stuff.phacility.net services/devices.
  • Could still edit existing devices I had permission for.
  • Configured a free.phacility.net namespace with more liberal policies.
  • Could create me.free.phacility.net.
  • Still could not create other.phacility.net.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T6741, T10246

Differential Revision: https://secure.phabricator.com/D15325