Add policy support for specific metadata keys

Presently in nova, users with non-admin role can add, update or delete metadata properties to the instance. Users can add metadata while booting the instance or they can also add, update or delete metadata using server metadata RestFul api's. There is no way to restrict users other than admin role to perform such operations. Oslo.policy allows us to define a rule which can restrict users from specifying certain value to a specific property of a resource but it doesn’t have any rule to check whether a
specific property exists in the target.

For example,
"restricted": "role:admin or not True:HA_Enabled"

By applying above restricted rule to the server metadata APIs, it is possible to restrict users with non-admin role from adding, updating or deleting metadata property ‘HA_Enabled=True’. But this rule will not restrict users from setting value other than True to “HA_Enabled” metadata property.

If above policy is configured for creating metadata for server in nova as,
"os_compute_api:servers:create": "rule:restricted" then,

For admin user:
    $nova meta <instance_uuid> set HA_Enabled=True
    Resp: 200

For normal user:
    $nova meta <instance_uuid> set HA_Enabled=True
    Resp: 403

But If normal user tries to set any other value to HA_Enabled then it will
still satisfy the rule:-

For normal user:
    $nova meta <instance_uuid> set HA_Enabled=<random_value>
    Resp: 200

So what we want is to restrict users from adding, updating or deleting specific metadata properties to the instance.