respect scopes in list/watch projects #10252
@smarterclayton I'd like this and my new scope (coming soon) in 1.3 to make the SA oauth client more valuable.

[test]

@liggitt bump.
| for _, evaluator := range ScopeEvaluators { | ||
| if evaluator.Handles(scope) { | ||
| found = true |
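Review bot: after `found = true` the loop keeps ranging over the remaining evaluators, so a later evaluator that also handles the scope still gets to run; if the first match is meant to own the scope, add a `break` right after `found = true`. The visible lines also do not show what happens when no evaluator handles the scope (`found` stays false); make sure that case rejects the scope rather than silently ignoring it.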
break ranging over evaluators or let them all have a shot at it?
sure.
relevant test failures, a few nits, LGTM otherwise
Force-pushed 05c8ef3 to 31ff266
Force-pushed 31ff266 to 012dd2f
Evaluated for origin test up to 012dd2f

continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/7838/)

[merge]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/7855/) (Image: devenv-rhel7_4813)

Evaluated for origin merge up to 012dd2f
@ewolinetz this closed an information leak in list projects that didn't properly limit the list to the scope of the token by default. We're introducing a second scope to indicate the distinction between "list projects this token can see based on other permissions" and "list all projects this user can see regardless of the other permissions on this token". As I recall from openshift/origin-aggregated-logging#139, you need the latter. To close the hole, the new scope is called "user:list-all-projects". See #9977
Updates the project cache to filter the project list with respect to scopes.
In a follow-on piece of work, this will make it possible to let an SA get a list of projects it can access with the token it is given, or the list of all projects available, depending on which scope the user selects.
@openshift/api-review
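The scope distinction described in the comment and description above, as an added illustration that is not code from this PR or from openshift/origin: each token scope is resolved against a list of evaluators the way the snippet in the review does, and a project is listed only if one of the token's scopes allows it. `ScopeEvaluator`, its `Allows` field, `FilterProjects` and the `project:<name>` scope are assumptions made for this example; `user:list-all-projects` is the scope the discussion names.

```go
package main

import "fmt"
import "strings"

// Hypothetical stand-ins for the evaluators the PR loop ranges over (not origin's code):
// Handles keeps the shape of the snippet, Allows decides one project for one scope.
type ScopeEvaluator struct {
	Handles func(scope string) bool
	Allows  func(scope, project string) bool
}
const ListAllProjectsScope = "user:list-all-projects" // the scope the discussion names
var ScopeEvaluators = []ScopeEvaluator{
	// lifts the token restriction: every project the user can see is listed
	{Handles: func(s string) bool { return s == ListAllProjectsScope }, Allows: func(_, _ string) bool { return true }},
	{ // hypothetical "project:<name>" scope exposing a single project
		Handles: func(s string) bool { return strings.HasPrefix(s, "project:") },
		Allows:  func(s, p string) bool { return p == strings.TrimPrefix(s, "project:") }},
}

// FilterProjects returns the projects a token with tokenScopes may list: an unscoped token
// keeps the user's full view, and a scope no evaluator handles is an error, never ignored.
func FilterProjects(userProjects, tokenScopes []string) ([]string, error) {
	if len(tokenScopes) == 0 {
		return userProjects, nil
	}
	owners := make([]ScopeEvaluator, len(tokenScopes)) // the evaluator owning each scope
	for i, scope := range tokenScopes {
		found := false
		for _, evaluator := range ScopeEvaluators {
			if evaluator.Handles(scope) {
				found, owners[i] = true, evaluator
				break // the first evaluator that handles the scope owns it
			}
		}
		if !found {
			return nil, fmt.Errorf("unknown scope %q", scope)
		}
	}
	var out []string
	for _, project := range userProjects { // keep the user's ordering
		for i, scope := range tokenScopes {
			if owners[i].Allows(scope, project) {
				out = append(out, project)
				break
			}
		}
	}
	return out, nil
}

func main() { fmt.Println(FilterProjects([]string{"alpha", "beta"}, []string{"project:beta"})) }
```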
@sosiouxme you've asked for this, so did stef, and I needed it for my demo.