This is a simple extention of `SCM.assert_allowed`
- `assert_allowed_by_policy` will set the default "use_common" to False which is different to the old behavior
- `channel`, `user_id`, `scratch` are passed in the `policy_data` with scminfo right now.
This is a prototype for this change, and there are some other solutions could be implemented too
- Use a scmpolicy plugin as `postSCMCheckout` callback, the pro is that we can do more checks after the source is initialized on builder, meanwhile, the con is that the source will be downloaded even it is denied by policy. It might be a potential risk?
- Do the scm check in hub's `make_task`, this looks straightforward, but may lack some builder's information
fixes: #2757
The client CA is only needed to for authentication on the server side,
not for authentication on the client side. Therefore remove it from all
client login code.
