Traefik can pass the subject and issuer in a 'cert-infos'
header, so I am adding an authentication backend to use that.

Non-priority production containers will use the master for
writes and a read-replica database for reads. This commit adds
functionality for getting the replica's information from
environment variables and sets up a database routing scheme.

The settings for gracedb-playground are no longer on a separate
branch and are just included in master. They can be selected
simply by settings the DJANGO_SETTINGS_MODULE environment variable
appropriately.  This should be much easier to maintain than a
completely separate branch.

All throttles now use a database-backed cache since that is the
only way to do centralized throttling (important for production
deployment with multiple workers). We also add default throttles
for anonymous users for the entire API.

Various javascript functionalities and forms in the web interface
make calls to the API to get or process data. The current
Apache configuration (verify a certificate IF presented on /api/*)
causes pop-ups for users who have certificates in their browsers
if they visit any pages which have these functionalities. So we have
changed all of those URLs to use /apiweb/ for now to prevent the
certificate challenge.  This will be resolved in the future by
getting away from certificate-based authentication.

VOEvent IVORNs now use ivo://gwnet/LVC instead of
ivo://gwnet/gcn_sender. Also use the default superevent ID everywhere
in a VOEvent, including filename, even if it has a GW ID.

Containerized versions of the service will now get their LVAlert
credentials from the environment.  Also add a script for
processing environment variables and starting LVAlert overseer.

New API backend which gets a full X509 certificate, verifies it,
and extracts the subject.  To be used in the cloud deployment
with Traefik.

Settings have been reorganized and how different parameters are
determined has been reworked to be compatible with both a Puppet-based
VM deployment and a containerized deployment

We had removed the ability for GraceDbModelBackend to do
authentication, but it is relied on for basic auth by the
BasicAuthentication class in django-rest-framework.  So we undo
that change and remove the GraceDbModelBackend class altogether
in favor of its parent, ModelPermissionsForObjectBackend.

Add django-user-sessions package for more easily managing sessions
and correlating them with user accounts.

We now have a single API endpoint, /api/, which can handle all
authentication methods directed to it.  The /apibasic/ and
/apiweb/ URLs will probably be maintained for legacy reasons,
but will not include any additional logic (they will just be
carbon-copies of /api/ under a different namespace).

We use a few redirects to handle login and extraction of the
shibboleth attributes in a post-login page.

Can be used to restrict access to a view to only the groups
whose names are passed as arguments to the decorator.