This came up in the context of @Addshore wanting to Discovery-depool all of WDQS@eqiad, since those servers were all badly lagged and one was depooled anyway.
The existing wdqs-admins privileges list already allows the pool/depool commands, but those don't allow you to manipulate DNS Discovery.
I think a reasonable implementation would be a discovery-depool / discovery-pool script that took the dnsdisc service name as its first argument (so that it is easy to express in sudoers rules a limit on which services can be modified by a given team), and a datacenter name as its second argument.
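A sketch of the wrapper proposed above, as an added example that is not part of the original task or of any existing Wikimedia tooling: it shows the argument checks the script itself must do so that a sudoers rule keyed on the first argument actually holds. The install path, the datacenter allowlist, the mapping of wdqs-admins to a Unix group, and the backend command line are assumptions.

```shell
#!/bin/sh
# Hypothetical discovery-pool / discovery-depool wrapper (added example).
# Sudoers rule it is written for (constructed; path and group are assumptions):
#   %wdqs-admins ALL = (root) NOPASSWD: /usr/local/sbin/discovery-depool wdqs *
# In sudoers, '*' in the argument list also matches spaces, so the rule alone
# would accept "wdqs eqiad anything else"; the script must reject that itself.
LC_ALL=C; export LC_ALL              # keep [a-z] ranges byte-exact

DATACENTERS="eqiad codfw"            # constructed allowlist (assumption)

# discovery_cmd ACTION SERVICE DATACENTER
# Prints the backend command line on success, returns 2 on any bad input.
discovery_cmd() {
    if [ "$#" -ne 3 ]; then
        echo "usage: discovery-{pool,depool} <service> <datacenter>" >&2
        return 2
    fi
    action=$1 service=$2 dc=$3
    case $action in
        pool)   pooled=true ;;
        depool) pooled=false ;;
        *) echo "unknown action" >&2; return 2 ;;
    esac
    # Service name: lowercase letters, digits and '-' only, so it cannot
    # smuggle ',' '=' or spaces into the selector built below.
    case $service in
        ''|-*|*[!a-z0-9-]*) echo "invalid service name" >&2; return 2 ;;
    esac
    # Datacenter: restricted charset first, then exact allowlist membership.
    case $dc in
        ''|*[!a-z0-9]*) echo "invalid datacenter" >&2; return 2 ;;
    esac
    case " $DATACENTERS " in
        *" $dc "*) ;;
        *) echo "unknown datacenter" >&2; return 2 ;;
    esac
    # Assumed backend invocation; replace with the real tool's syntax.
    printf 'confctl --object-type discovery select dnsdisc=%s,name=%s set/pooled=%s\n' \
        "$service" "$dc" "$pooled"
}

# Runs only when installed under one of the two command names.
case ${0##*/} in
    discovery-pool|discovery-depool)
        name=${0##*/}
        cmd=$(discovery_cmd "${name#discovery-}" "$@") || exit 2
        exec $cmd ;;                 # safe to split: every token was validated
esac
```

Keeping the service name as the first argument lets each team's sudoers entry pin it literally, while the strict argument count and character checks close the gap left by the trailing wildcard.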