Log access to classification label and project

What does this MR do?

This adds an extra logfile tracking all accesses to a classification label and project when external policy control is enabled.

This is what the log looks like:

I, [2018-03-27T15:07:51.116186 #42646]  INFO -- : GRANTED adrien@terry.name access to 'default-label' (test-for-forks/eyooo) - cache 2018-03-27 12:31:01 +0200
I, [2018-03-27T15:07:51.745906 #42645]  INFO -- : DENIED adrien@terry.name access to 'overridden-label' (h5bp/html5-boilerplate)
I, [2018-03-27T15:07:52.052447 #42645]  INFO -- : DENIED adrien@terry.name access to 'another-label' (reported_user_22/test-creation)

Does this MR meet the acceptance criteria?

• Changelog entry added, if necessary
• Documentation created/updated
• API support added
• Tests added for this feature/bug
• Review
  • Has been reviewed by UX
  • Has been reviewed by Frontend
  • Has been reviewed by Backend
  • Has been reviewed by Database
• Conform by the merge request performance guides
• Conform by the style guides
• Squashed related commits together
• Internationalization required/considered
• If paid feature, have we considered GitLab.com plan and how it works for groups and is there a design for promoting it to users who aren't on the correct plan
• End-to-end tests pass (package-qa manual pipeline job)

What are the relevant issue numbers?

Closes https://gitlab.com/gitlab-org/gitlab-ee/issues/4785