Support simple domain based filtering for role/group principals. #2628

Open
havetisyan opened this issue May 24, 2024 · 0 comments

@havetisyan (Collaborator)

Currently Athenz allows any valid principal to be added to a role and/or group and relies on the administrator to make the right decision about who to add to the role.

However, it is desirable to have a simple domain name based filter for role/group members. For example, I have a self-serve role and I want only users to be added to the role. So it'll be great to have a filter to say only principals from domain "user" are allowed in this domain. A similar use case would be that I want to allow all principals except home domains - these should never be used as members in a given role.

Added a new meta field for roles and groups called principalDomainFilter.

The value of the filter is a comma-separated list of domain names - e.g. `sports,+weather,-weather.north`

- If the domain name has no prefix, all principals from this domain will be allowed - e.g. sports.api is valid, sports.nhl.api is not
- If the domain has `+`, then the domain + all subdomains are allowed - e.g. weather.api is valid, weather.losangeles.api is valid
- If the domain has `-`, then principals from this domain + all subdomains are not allowed - e.g. weather.north.api is not valid

Some use cases:

- I want the role/group to only contain human users: `principalDomainFilter: user`
- I don't want any home domain principals in the role/group: `principalDomainFilter: -home`

havetisyan changed the title from "Support simple domain based filtering for user/group principals." to "Support simple domain based filtering for role/group principals." on May 26, 2024
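The filter rules described in the issue, as an added Go sketch that is not Athenz code. The function names are hypothetical, and the precedence rules (exclusions win over inclusions, a filter with only `-` entries allows everything else, an empty filter allows any principal) are assumptions the issue does not spell out.

```go
package main

import (
	"fmt"
	"strings"
)

// inDomainTree reports whether domain is base or one of its subdomains.
func inDomainTree(domain, base string) bool {
	return domain == base || strings.HasPrefix(domain, base+".")
}

// PrincipalAllowed checks a principal named <domain>.<name> against a
// principalDomainFilter value. Assumed, not stated in the issue: "-" wins
// over "+", and a filter with no allow entries permits all other domains.
func PrincipalAllowed(filter, principal string) bool {
	idx := strings.LastIndex(principal, ".")
	if idx <= 0 {
		return false // no domain component to check
	}
	domain := principal[:idx]
	hasAllow, allowed := false, false
	for _, entry := range strings.Split(filter, ",") {
		entry = strings.TrimSpace(entry)
		switch {
		case entry == "":
			continue
		case strings.HasPrefix(entry, "-"):
			if inDomainTree(domain, entry[1:]) {
				return false // excluded domain or one of its subdomains
			}
		case strings.HasPrefix(entry, "+"):
			hasAllow = true
			allowed = allowed || inDomainTree(domain, entry[1:])
		default:
			hasAllow = true
			allowed = allowed || domain == entry // exact domain only
		}
	}
	return allowed || !hasAllow
}

func main() {
	filter := "sports,+weather,-weather.north" // example value from the issue
	for _, p := range []string{"sports.api", "sports.nhl.api", "weather.api",
		"weather.losangeles.api", "weather.north.api"} {
		fmt.Printf("%-24s %v\n", p, PrincipalAllowed(filter, p))
	}
}
```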