Add opt-out support for service instances shared among org/spaces

[gberche-orange]

Currently, the sec-group-broker filter is used in hand with service plan visibility to orgs to grant access to some services only to some specific organizations.

With the upcoming ability to share a service instance across orgs, (see proposal cf-dev@ thread) it will be possible for a user granted access to a service plan in an org to propagate this access control in other orgs.

$ cf share-service SERVICE_INSTANCE TARGET_ORG TARGET_SPACE
$ cf unshare-service SERVICE_INSTANCE TARGET_ORG TARGET_SPACE

While it may be fine for some services that are restricted from usage within an org for billing/recharging purposes, it may be more problematic for service offerings that serve confidential data, or service offerings that should not be mixed with availability of custom domains (e.g. inbound internet usage should not be mixed with raw outbound intranet access)

Suggested fix: add an environment variable BROKER_FILTER_REJECT_SHARED_SERVICE_INSTANCE option that reject a binding request received for a different space than the space where the service instance was received.

Support for receiving org and space id in binding request is prepared in openservicebrokerapi/servicebroker#289

This could be a independent filter that can be configured regardlesss of the security group feature, similar to the #29 supported by #33

[gberche-orange]

Edit: updated spec discussions now mentions that service plan visibility would be enforced by CC while sharing services.

This should lower needs for this feature.