ghoneycutt / puppet-module-pam

Puppet module to manage PAM

Add pam::access_lines as a fallback mechanism #142

Closed jeffmccune closed 8 years ago

jeffmccune commented 8 years ago

Without this patch there isn't a good way to configure access rules at different hierarchy levels, e.g. on a per-application development team basis. Consider the situation where numerous different development teams need access to the servers running their application. Each team should not be allowed access except to their own app servers. There is an infrastructure team who needs access to all servers.

This patch allows the infrastructure team to be listed in the pam::access_lines hiera key in common.yaml. App developer groups are listed in pam::allow_users as normal and do not affect the rules applied to all servers from common.yaml.

Hiera array merging is not ideal for this solution due to complexity and the nature of allow_users potentially being a String, Array or Hash.
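The layering described in the comment above, as an added example that is not part of the pull request or the module's code: common-layer `pam::access_lines` are combined with a node-level `pam::allow_users` value and evaluated first-match, the way pam_access reads access.conf. The rule order, the rendering, the group names and the sample data are assumptions constructed for illustration.

```python
DENY_ALL = "-:ALL:ALL"

# Constructed sample data standing in for two Hiera layers.
COMMON_ACCESS_LINES = ["+:(infra):ALL"]                   # common.yaml
APP_A_ALLOW = ["(team_a)"]                                # app A nodes, Array form
APP_B_ALLOW = {"(team_b)": ["10.0.0.0/24", "LOCAL"]}      # app B nodes, Hash form


def allow_lines(allow_users):
    """Turn a String, Array or Hash of allowed users into access.conf lines."""
    if isinstance(allow_users, str):
        allow_users = [allow_users]
    if isinstance(allow_users, dict):
        pairs = list(allow_users.items())
    else:
        pairs = [(user, "ALL") for user in allow_users]
    lines = []
    for user, origins in pairs:
        if isinstance(origins, (list, tuple)):
            origins = " ".join(origins)
        lines.append(f"+:{user}:{origins or 'ALL'}")
    return lines


def render(access_lines, allow_users):
    """Assumed order: node-level allows, common-layer lines, then deny-all."""
    return allow_lines(allow_users) + list(access_lines) + [DENY_ALL]


def permitted(rules, user, groups=()):
    """Simplified first-match check: origins and EXCEPT are not evaluated."""
    names = {user, "ALL"} | {f"({g})" for g in groups}
    for rule in rules:
        perm, users, _origins = (f.strip() for f in rule.split(":", 2))
        if names & set(users.split()):
            return perm == "+"
    # pam_access permits a login that matches no rule, which is why
    # render() always ends with the deny-all line.
    return True


if __name__ == "__main__":
    for name, allow in (("app A", APP_A_ALLOW), ("app B", APP_B_ALLOW)):
        print(name, render(COMMON_ACCESS_LINES, allow))
```
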

ghoneycutt commented 8 years ago

Spoke with @jeffmccune and decided to punt on this functionality at this time.