WL#12935: Control what plugins can be passed to --early-plugin-load

Affects: Server-8.0   —   Status: Complete

--early-plugin-load loads plugins before the server is fully initialized.
Not all plugins can initialize like this. Some outright crash the server (GR
plugins, audit, firewall). Others return nonsensical errors. 

Fortunately the plugin API contains a flagset for each plugin of which only 2
bits are currently used.

This worklog is to add a new plugin flag to that flagset called
PLUGIN_OPT_ALLOW_EARLY_LOAD so that plugin authors can enable their plugin for
--early-plugin-load.
For pre-existing plugins this flag will be 0 (off): thus not an incompatible
change. 

Also all keyring plugins that we produce will be marked with this new flag as
they must be loadable with --early-plugin-load.
FR1. Only plugins having PLUGIN_OPT_ALLOW_EARLY_LOAD flag on should be
loadable in --early-plugin-load command line/my.cnf option

FR1.1. Only plugins having PLUGIN_OPT_ALLOW_EARLY_LOAD flag on can be specified
as source or target for keyring migration.

FR2. PLUGIN_OPT_ALLOW_EARLY_LOAD will not have any effect on any of the other
ways a plugin can be loaded, namely INSTALL PLUGIN, --plugin-load and
--plugin-load-add.

FR3. The plugin API minor version will be bumped.

FR4. Old plugin binaries (compiled
with older plugin API versions) will have this value off hence they won't be
loadable with --early-plugin-load

FR5. All keyring plugins we currently distribute will have
PLUGIN_OPT_ALLOW_EARLY_LOAD on

FR6. None of the non-keyring plugins that we distribute will have
PLUGIN_OPT_ALLOW_EARLY_LOAD on.
A new plugin flag will be added: 
#define PLUGIN_OPT_NO_INSTALL 1UL   /* Not dynamically loadable */
#define PLUGIN_OPT_NO_UNINSTALL 2UL /* Not dynamically unloadable */
+#define PLUGIN_OPT_ALLOW_EARLY_LOAD 4UL /* can be loaded early */

The plugin API version's minor will be bumped:
-#define MYSQL_PLUGIN_INTERFACE_VERSION 0x0109
+#define MYSQL_PLUGIN_INTERFACE_VERSION 0x010A

A check will be added in processing early plugin load for both
--early-plugin-load and for keyring migration to make sure the plugin specified
has the flag on and will refuse to load otherwise.

-- List of plugins enabled for --early-plugin-load --

* keyring_aws
* keyring_encrypted_file
* keyring_okv
* keyring_file
* pfs_example_plugin_employee (test suite plugin)