Policy Default Refresh-2

Registered by Ghanshyam Mann

We moved the nova API policies to new defaults and scope types in https://blueprints.launchpad.net/nova/+spec/policy-defaults-refresh during the Ussuri cycle. However, the new policies were not easily consumable by operators and users, and the migration plan from the old policies to the new ones did not work in practice. A good example of the problem is booting a server on a specific host: the host information is available to system-scoped users only, while booting a server is a project-level operation. We considered many ways to solve this, for example allowing system users to create a server for any project by passing the project id in the request body or in a header, or allowing project users to see the host information.

Based on the initial discussions of how system scope would be used, we decided to allow operators to interact with project-owned resources using system-scoped tokens. In summary, we mixed system scope and project scope in the same APIs.

To solve these issues and make the new policies genuinely usable, we discussed a new design at length during the Yoga PTG: https://etherpad.opendev.org/p/policy-popup-yoga-ptg. We agreed on the new design, under which system-scoped users are not allowed to perform any project-level operations.
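The following is an added illustration of the scope problem described above, not code from nova or oslo.policy. It is a toy model of scope-aware policy checks in the spirit of oslo.policy's scope_types: the policy name os_compute_api:servers:create:forced_host is nova's real rule name, but the role and scope assignments in the two policy sets, the token shapes and the helper names are assumptions chosen to contrast the mixed-scope design with the project-only direction.

```python
"""Toy model of scope-aware policy enforcement (added example, not nova or
oslo.policy code). Rule contents below are assumptions that illustrate the
two designs, not nova's exact default rules."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """A policy rule: which roles may call it, and from which token scopes."""
    roles: frozenset[str]
    scope_types: frozenset[str]   # subset of {"system", "project"}


@dataclass(frozen=True)
class Token:
    """The caller's credentials: roles plus either system scope or a project."""
    roles: frozenset[str]
    system_scope: bool = False
    project_id: str | None = None

    @property
    def scope(self) -> str:
        return "system" if self.system_scope else "project"


def enforce(rule: Rule, token: Token, target_project: str | None,
            enforce_scope: bool = True) -> bool:
    """Return True if the token may perform the action guarded by rule.

    enforce_scope mirrors the idea of oslo.policy's enforce_scope option:
    when False, the scope_types check is skipped (legacy behaviour).
    """
    if enforce_scope and token.scope not in rule.scope_types:
        return False
    if not (token.roles & rule.roles):
        return False
    # A project-scoped caller may only act on resources of its own project.
    if token.scope == "project" and token.project_id != target_project:
        return False
    return True


FORCED_HOST = "os_compute_api:servers:create:forced_host"

# Mixed-scope design (assumed rule content): a system-scoped admin may create
# a server in any project, so system and project scope overlap on one API.
MIXED_SCOPE_POLICY = {
    FORCED_HOST: Rule(roles=frozenset({"admin"}),
                      scope_types=frozenset({"system", "project"})),
}

# Project-only direction (assumed rule content): creating a server is a
# project-level action, so only a project-scoped admin may boot on a host.
PROJECT_ONLY_POLICY = {
    FORCED_HOST: Rule(roles=frozenset({"admin"}),
                      scope_types=frozenset({"project"})),
}


def can_boot_on_host(policy: dict[str, Rule], token: Token,
                     target_project: str, enforce_scope: bool = True) -> bool:
    """Evaluate the forced_host rule of the given policy set for a token."""
    return enforce(policy[FORCED_HOST], token, target_project, enforce_scope)


# Constructed sample tokens (hypothetical project id "p1").
SYSTEM_ADMIN = Token(roles=frozenset({"admin"}), system_scope=True)
PROJECT_ADMIN = Token(roles=frozenset({"admin"}), project_id="p1")
PROJECT_MEMBER = Token(roles=frozenset({"member"}), project_id="p1")

if __name__ == "__main__":
    for label, policy in (("mixed", MIXED_SCOPE_POLICY),
                          ("project-only", PROJECT_ONLY_POLICY)):
        print(label, "system admin ->",
              can_boot_on_host(policy, SYSTEM_ADMIN, "p1"))
        print(label, "project admin ->",
              can_boot_on_host(policy, PROJECT_ADMIN, "p1"))
```

Under the mixed-scope set the system-scoped admin passes the project-level check; under the project-only set it is rejected unless scope enforcement is switched off, which is exactly the legacy behaviour the new direction removes.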

The complete direction is documented in the governance change: https://review.opendev.org/c/openstack/governance/+/815158

In nova, we will audit all the policies and make sure each one follows the new direction defined in the community-wide goal.

Nova policy audit: https://wiki.openstack.org/wiki/Nova/rbac (TODO: once the audit is finished, add the versioned link to the wiki page)

Blueprint information

Status: Complete
Approver: Sylvain Bauza
Priority: Undefined
Drafter: Ghanshyam Mann
Direction: Approved
Assignee: Ghanshyam Mann
Definition: Approved
Series goal: Accepted for yoga
Implementation: Implemented
Milestone target: None
Started by: Sylvain Bauza
Completed by: Sylvain Bauza

Whiteboard

[20211130 bauzas] Approved during today's nova meeting as a specless BP

