ceph-nvmeof
NVMe-oF host authentication
We'd like a host to be able to authenticate the gateway (it is what it says it is, and what the host expected to find), and vice versa (the gateway can confirm the host is what it claims to be).
This is how the gateway can restrict access to namespaces (make it accessible only to specific hosts).
One way to do this is for the gateway to create one subsystem per host, and populate it with just the namespaces that host can access. This greatly increases the number of subsystem ports the discovery service (#63) must advertise (increasing the need for #68).
Another way is "namespace masking", where gateways have as few as one subsystem containing all the namespaces all the configured hosts can access, then "mask" them from hosts that aren't configured to access them. Namespace masking is accomplished in the NVMe-oF target by filtering the response to "list namespaces" so hosts only see the namespaces they can access, and by validating that the host ID on each NVMe IO command is one authorized to access that NVMe namespace (NSID). This is not yet supported in SPDK.
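To make the two layouts concrete, here is an added illustrative model (not code from ceph-nvmeof or SPDK) of the per-host-subsystem layout and of namespace masking. The host NQNs, subsystem NQN and NSIDs are constructed sample values; the policy table, the `visible_namespaces` filter and the per-command `authorize_io` check are assumptions about how a gateway could represent the rules, not the project's API. The masking side is deliberately default-deny: a host that is not in the policy sees no namespaces and has every IO command refused, and the per-command check is applied independently of what the host was shown in the list.

```python
"""Illustrative model of two ways to restrict namespace access to specific hosts.

Constructed example: a gateway exposes four namespaces (NSIDs 1..4) and two
hosts, identified by host NQN, are each allowed a subset. All identifiers
below are made-up sample values, not real gateway configuration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Host NQN -> set of NSIDs that host may access (constructed sample policy).
ACCESS_POLICY: dict[str, frozenset[int]] = {
    "nqn.2014-08.org.nvmexpress:uuid:host-a": frozenset({1, 2}),
    "nqn.2014-08.org.nvmexpress:uuid:host-b": frozenset({2, 3, 4}),
}
ALL_NSIDS: frozenset[int] = frozenset({1, 2, 3, 4})
GATEWAY_SUBSYS_NQN = "nqn.2016-06.io.spdk:cnode1"  # constructed base NQN


# --- Layout 1: one subsystem per host ---------------------------------------
@dataclass(frozen=True)
class Subsystem:
    nqn: str
    allowed_hosts: frozenset[str]
    nsids: frozenset[int]


def per_host_subsystems(policy: dict[str, frozenset[int]]) -> list[Subsystem]:
    """Build one subsystem per host, holding only that host's namespaces.

    Each entry is another subsystem the discovery service has to advertise,
    which is the scaling cost of this layout.
    """
    return [
        Subsystem(
            nqn=f"{GATEWAY_SUBSYS_NQN}.{i}",  # hypothetical per-host NQN scheme
            allowed_hosts=frozenset({host}),
            nsids=nsids,
        )
        for i, (host, nsids) in enumerate(sorted(policy.items()), start=1)
    ]


# --- Layout 2: one subsystem, namespace masking -----------------------------
def visible_namespaces(host_nqn: str,
                       policy: dict[str, frozenset[int]] = ACCESS_POLICY) -> list[int]:
    """Filter the 'list namespaces' response for one host.

    A host sees only the NSIDs the policy grants it; an unknown host sees
    nothing (default deny). Sorting mimics the ascending NSID list a
    controller returns.
    """
    allowed = policy.get(host_nqn, frozenset())
    return sorted(ALL_NSIDS & allowed)


def authorize_io(host_nqn: str, nsid: int,
                 policy: dict[str, frozenset[int]] = ACCESS_POLICY) -> bool:
    """Per-command check applied to every NVMe IO command.

    Masking the list is not enough on its own: a host can still send a
    command naming any NSID, so the target must check the (host, NSID)
    pair on each command. Unknown hosts and unknown NSIDs are refused.
    """
    return nsid in policy.get(host_nqn, frozenset())


if __name__ == "__main__":
    for sub in per_host_subsystems(ACCESS_POLICY):
        print(f"subsystem {sub.nqn}: hosts={sorted(sub.allowed_hosts)} nsids={sorted(sub.nsids)}")
    for host in list(ACCESS_POLICY) + ["nqn.2014-08.org.nvmexpress:uuid:host-unknown"]:
        print(f"{host}: sees {visible_namespaces(host)}, "
              f"write NSID 3 allowed={authorize_io(host, 3)}")
```

Running the script prints two per-host subsystems for layout 1 and, for layout 2, the filtered namespace list and a sample per-command decision for each configured host plus one unconfigured host.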
This issue is part of the requirement in https://github.com/ceph/ceph-nvmeof/issues/119