Comment 9 for bug 1306743

Clint Byrum (clint-fewbar) wrote :

This is indeed a bit tougher to unwind than I had thought. Any incremental fixes to improve the general performance of the queries are a good idea. However, I think we need to do this immediately as well:

* Let resources add resource_data to a resource that indicates IDs that can be allowed access.
* Add a way for resource plugins to register a resource-data-key-based access handler at load time. For example, we could have them register 'user_ids' and 'ec2_access_keys'. Things that create users would add user_ids to the resources on which they need access. Things that create EC2 access keys would do likewise.
* Change classes that register resource access handlers to instead add resource data that indicates things like user IDs or EC2 access keys to give access to metadata.
* Add a configuration option to disable checking for generic resource access handlers once all use of that is out of core Heat. Default to false.
* Update describe_stack_resource to load the resource and any known handled access keys from resource_data first, and look for a positive match in resource_data. If there is no match, and we are still allowing generic resource handlers, load the stack and check with generic resource handlers.
* Deprecate letting resources register generic resource handlers.
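A sketch of the lookup order proposed above, added here as an illustration and not Heat's code: handlers are registered per resource_data key, a positive match in resource_data is checked first without loading the stack, and the generic handlers are consulted only as a configurable fallback. All names, the `load_stack` callable and the sample data are constructed assumptions.

```python
# Hypothetical model of the proposed resource_data-keyed metadata access check.
# Constructed for illustration; none of these names are Heat's actual API.
from typing import Callable, Dict, List

# Registry of access handlers keyed by resource_data key name, e.g. 'user_ids'.
# A handler decides whether the presented credential matches the stored values.
ACCESS_HANDLERS: Dict[str, Callable[[str, List[str]], bool]] = {}

# Legacy generic handlers: each one needs the whole stack loaded (the slow path).
GENERIC_HANDLERS: List[Callable[[dict, str], bool]] = []


def register_access_handler(key: str, handler: Callable[[str, List[str]], bool]) -> None:
    """Called by a resource plugin at load time to claim a resource_data key."""
    ACCESS_HANDLERS[key] = handler


def resource_allows_access(resource_data: Dict[str, List[str]], credential: str) -> bool:
    """Cheap check: consults only the resource's own resource_data entries."""
    for key, handler in ACCESS_HANDLERS.items():
        if key in resource_data and handler(credential, resource_data[key]):
            return True
    return False


def describe_stack_resource_allowed(resource_data: Dict[str, List[str]], credential: str,
                                    load_stack: Callable[[], dict],
                                    disable_generic_handlers: bool = False) -> bool:
    """Positive resource_data match wins outright; otherwise fall back to the
    generic handlers, but only while configuration still permits them."""
    if resource_allows_access(resource_data, credential):
        return True
    if disable_generic_handlers or not GENERIC_HANDLERS:
        return False
    stack = load_stack()  # expensive path the proposal wants to phase out
    return any(handler(stack, credential) for handler in GENERIC_HANDLERS)


def stack_must_not_load() -> dict:
    """Stand-in load_stack that fails if the fast path is bypassed."""
    raise AssertionError("stack loaded despite a resource_data match")


# Plugins register handlers for the two keys named in the proposal.
register_access_handler('user_ids', lambda cred, ids: cred in ids)
register_access_handler('ec2_access_keys', lambda cred, keys: cred in keys)
# One legacy generic handler, to show the fallback still works until disabled.
GENERIC_HANDLERS.append(lambda stack, cred: cred in stack.get('legacy_users', []))

# Constructed sample resource_data, as a user-creating resource might store it.
SAMPLE_RESOURCE_DATA = {'user_ids': ['user-aaa'], 'ec2_access_keys': ['AKIAEXAMPLEKEY']}
```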