Write protect repository only when primary is not on the latest version
Relates to #2717 (comment 356256531)
Our current approach is to put a virtual storage (shard) into read-only mode when a node failure is detected. This is a conservative strategy since some repos may be unaffected by a node failure.
A more focused and optimal approach:
- Only repositories should be designated read-only (not entire storages or shards)
- A repo is considered to be read-only iff the repo's primary replica is stale
- Clarification: the repo is not considered to be in read-only mode if any of the secondary replicas is stale. Stale secondary replicas are expected in an eventually consistent system.
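The proposed rule applied to a failover, as an added example that is not part of the original issue or the project's code. The `Replica` and `Repo` types, the per-replica generation counter used to decide staleness, and the sample data are assumptions made for illustration.

```go
package main

import "fmt"

// Replica is a hypothetical record: a node's copy of a repository and the
// last write generation it has applied (assumed to be a monotonic counter).
type Replica struct {
	Node       string
	Generation int
}

// Repo is a hypothetical per-repository view within one virtual storage.
type Repo struct {
	Path     string
	Primary  string // node currently acting as primary
	Replicas []Replica
}

// ReadOnly is true iff the primary's copy is behind the newest generation on
// any replica. A primary holding no copy counts as stale; stale secondaries
// never make the repository read-only.
func ReadOnly(r Repo) bool {
	latest, primaryGen := 0, -1
	for _, rep := range r.Replicas {
		if rep.Generation > latest {
			latest = rep.Generation
		}
		if rep.Node == r.Primary {
			primaryGen = rep.Generation
		}
	}
	return primaryGen < latest
}

// sampleRepos is constructed data: node-a has failed and node-b was promoted.
func sampleRepos() []Repo {
	return []Repo{
		{"constructed/repo1.git", "node-b", []Replica{{"node-a", 5}, {"node-b", 5}, {"node-c", 4}}},
		{"constructed/repo2.git", "node-b", []Replica{{"node-a", 7}, {"node-b", 6}, {"node-c", 7}}},
		{"constructed/repo3.git", "node-b", []Replica{{"node-b", 2}, {"node-c", 1}}},
	}
}

func main() {
	for _, r := range sampleRepos() {
		fmt.Printf("%-24s read-only=%v\n", r.Path, ReadOnly(r))
	}
}
```

With this data only `repo2` is write protected, whereas marking the whole virtual storage read-only would block writes to all three repositories.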