sql: validate constraints when secondary tenants set zone configs

[arulajmani]

Is your feature request related to a problem? Please describe.

Currently, we only validate constraints when the host tenant sets zone configurations. This constraint validation includes locality constraints as well as other constraints (such as disk type). This validation requires access to node descriptors, queried using the node status server, which secondary tenants don't have access to.

Secondary tenants do, however, have access to a region server (which gives them access to localities). We should use this to validate localities specified in the constraints fields instead.

We should disallow any other forms of constraint setting via zone configs (such as disk type). Secondary tenants aren't allowed to view this information and therefore should not be using it in their constraints.