Support new nova policy regarding system scope

Registered by Nautik

Since Ussuri, nova can be configured to enforce scopes, requiring special tokens to use deployment-wide admin features.
See intro and "Scope" section of: https://docs.openstack.org/nova/ussuri/configuration/policy-concepts.html#scope

A nova service configured this way will typically have the following in nova.conf:
```
[oslo_policy]
enforce_scope = true
enforce_new_defaults = true
```

When nova is configured this way, masakari needs to generate system-scoped tokens from keystone in order to do operations like listing hosts, enabling / disabling nova services, etc.

See the defaults in nova policy listed here: https://docs.openstack.org/nova/ussuri/configuration/policy.html
You can see, for example, that `os_compute_api:os-hypervisors:list` has the default rule `system_reader_api`, which translates by default to `role:reader and system_scope:all`.

A definition of system-scoped tokens can be found here: https://docs.openstack.org/keystone/ussuri/admin/tokens-overview.html#system-scoped-tokens

In the keystoneauth1 library used in masakari, when using the password plugin, it is possible to add a `system-scope` parameter to get a system-scoped token; see: https://docs.openstack.org/keystoneauth/ussuri/plugin-options.html#password

Masakari could therefore have an additional configuration option that passes this parameter to keystoneauth (by the way, the only value that seems relevant for this parameter in the defaults is `all`).

To configure masakari properly and get the right token to interact with nova, one will usually have to:
- Make sure `os_privileged_user_tenant` is unset (so you don't get a project-scoped token)
- Set the new configuration `os_system_scope` to `all`
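
The difference between the two token scopes, as an added example (not masakari, nova or keystoneauth code): it builds the keystone v3 password-auth request body for a project scope and for a system scope, then evaluates the `role:reader and system_scope:all` rule against credentials simulated from each. The function names, the user `masakari`, the project `service` and the role list are assumptions made for the illustration.

```python
"""Added example: hypothetical helpers, not masakari, nova or keystoneauth code."""

RULE = "role:reader and system_scope:all"  # system_reader_api default, per the page


def auth_request(user, password, domain, project=None, system_scope=None):
    """Build the POST /v3/auth/tokens body for password auth with one scope."""
    if project and system_scope:
        # Choice made for this example: refuse an ambiguous scope outright.
        raise ValueError("set a project or a system scope, not both")
    body = {"auth": {"identity": {"methods": ["password"], "password": {"user": {
        "name": user, "password": password, "domain": {"name": domain}}}}}}
    if system_scope:
        body["auth"]["scope"] = {"system": {system_scope: True}}
    elif project:
        body["auth"]["scope"] = {"project": {"name": project,
                                             "domain": {"name": domain}}}
    return body


def token_credentials(body, roles):
    """Simulate the policy credentials a service derives from the token."""
    scope = body["auth"].get("scope", {})
    creds = {"roles": list(roles)}
    if "system" in scope:
        creds["system_scope"] = "all" if scope["system"].get("all") else None
    elif "project" in scope:
        creds["project_name"] = scope["project"]["name"]
    return creds


def check(rule, creds):
    """Evaluate an 'and' of role:/system_scope: checks (policy-language subset)."""
    for term in rule.split(" and "):
        kind, _, want = term.partition(":")
        if kind == "role":
            ok = want in creds["roles"]
        elif kind == "system_scope":
            ok = creds.get("system_scope") == want
        else:
            raise ValueError("unsupported check: " + term)
        if not ok:
            return False
    return True


def may_list_hypervisors(project=None, system_scope=None):
    # Constructed sample identity; the roles are assumed for illustration.
    body = auth_request("masakari", "example-password", "Default",
                        project=project, system_scope=system_scope)
    return check(RULE, token_credentials(body, ["admin", "member", "reader"]))
```

Even with the `admin` role, the project-scoped request fails the rule because its credentials carry no `system_scope` value.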

Blueprint information

Status: Complete
Approver: Radosław Piliszek
Priority: Low
Drafter: Nautik
Direction: Approved
Assignee: Nautik
Definition: Approved
Series goal: Accepted for wallaby
Implementation: Implemented
Milestone target: None
Started by: Nautik
Completed by: Radosław Piliszek
