forbid to delete locked server

Frequently We will tag some servers as **very very important**, we need a
mechanism to protect them and forbid to delete or any other actions. In
addition, we should provide a way to avoid accidental deletion by wrong
operation. However, currently we don't have any way to achieve it.

The `disable_terminate` can forbid to delete server via public API, but it
just for ec2 compatible API, and we don't have API to set this field.
It may be removed from DB in the future.

A lock may be a good start. A non-admin user can't do any action on a locked
server just as we expect. But it is a great pity that the admin user can just
ignore the lock. In other words, the lock makes no sense for admin user.

We should strengthen the lock function so that it can also work for admin
user. The following is the reasons:

* 1. The admin user always own global privileges by default, he can delete any server in any
  project, that's dangerous.

* 2. We may tag some servers as immutable, we don't want to see any actions on these
  servers by any users.

* 3. The admin always like to use scripts for bulk operation which may lead
  to accidental deletion.