Effective project handling in the events API

[markylaing]

Consider the following:

# Via unix or as administrator
$ lxc project create foo # `features.networks` & `features.networks.zones` disabled on creation be default.
$ lxc config trust add <cert> --restricted --projects foo

# Restricted cert
$ lxc monitor --all-projects --type lifecycle
$ lxc network create foo-network --project foo

The restricted certificate will not see the lifecycle event relating to the creation of their network, because the network was created in the default project.

We should discuss whether it is possible to address this. Some initial ideas would be:

1. Duplicate events in the default project and emit one for each project where that feature is disabled.
2. Add some "source project" property to events.
3. Don't handle it for existing TLS users, expect that an administrator will add can_view_events for the default project where a group is confined to a project with any features disabled.
4. Don't handle it for existing TLS users, add logic to include a source entity in the event, fine-grained users can view the event if they have can_view on the entity.

Note that 4. would be generally useful. We currently require that the can_exec entitlement on an instance be paired with can_view_events on the parent project because the client uses the events websocket instead of operations (to avoid creation of multiple connections). We've discussed how to fix this before in #12885, as using operations can be problematic (connections dropping when performing a long pool).

See #13886 (comment)_