acl: allow auth methods created in the primary datacenter to optionally create global tokens

[rboyer]

Currently auth methods (and binding rules) are dc-local items that are not replicated between datacenters. They are also restricted to only being able to create dc-local ACL tokens.

This restriction was initially set in place to avoid an availability issue in any application that headlessly would make use of an auth method to dynamically create a token before application start (such as a kubernetes pod pre start hook). If these needed to make a synchronous RPC back to the primary datacenter (that may not even be up) then that would incur both an additional startup delay and the probability of bringing everything to a screeching halt in the event the primary datacenter is briefly disconnected.

While this argument still holds for any auth method used headlessly (type=kubernetes and type=jwt) it is harder to make the same justification for user-driven flows like type=oidc.
In this PR I'm granting auth methods defined in the primary datacenter the option of being configured to exclusively create global ACL tokens.

• Folks setting up OIDC in their primary datacenter would benefit from enabling this option to allow for the UI to forward requests to other datacenters without needing to SSO...multiple times.
• Anyone running headless workloads in their primary datacenter could benefit from having this option available for type=kubernetes and type=jwt as well.

[rboyer]

Note that this is not meant to be a fix for #7381.

[dnephin]

What do you think about calling it token-scope instead of token-type ? Type could be a lot of things, but scope may imply something more specific.

[mkeeler]

Is this only a restriction because the secondary servers would require a token to use in the RPC to the primary?

[rboyer]

That and having to sleep-loop until replication brought your newly-created token back to the secondary.

[mkeeler]

LGTM