Use is_admin_project from context

Now that oslo.context has been bumped to >=2.6.0,
we can use `is_admin_project` from the context which
is backward compatible.

This also adds a new rule `project_admin` to make
resource types accessible inline with current policy
of other services like nova, that are yet to use the
`is_admin_project` feature. Once those services start
using the is_admin_project feature, we can remove this.

Change-Id: I5be8176042f8839e86f77984222e7fac66dfaed6
Related-Bug: #1466694

etc/heat/policy.json

@@ -1,5 +1,6 @@
 {
-    "context_is_admin":  "role:admin and auth_token_info.token.is_admin_project:True",
+    "context_is_admin": "role:admin and is_admin_project:True",
+    "project_admin": "role:admin",
     "deny_stack_user": "not role:heat_stack_user",
     "deny_everybody": "!",
 
@@ -83,11 +84,11 @@
 
     "service:index": "rule:context_is_admin",
 
-    "resource_types:OS::Nova::Flavor": "rule:context_is_admin",
-    "resource_types:OS::Cinder::EncryptedVolumeType": "rule:context_is_admin",
-    "resource_types:OS::Cinder::VolumeType": "rule:context_is_admin",
-    "resource_types:OS::Manila::ShareType": "rule:context_is_admin",
-    "resource_types:OS::Neutron::QoSPolicy": "rule:context_is_admin",
-    "resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:context_is_admin",
-    "resource_types:OS::Nova::HostAggregate": "rule:context_is_admin"
+    "resource_types:OS::Nova::Flavor": "rule:project_admin",
+    "resource_types:OS::Cinder::EncryptedVolumeType": "rule:project_admin",
+    "resource_types:OS::Cinder::VolumeType": "rule:project_admin",
+    "resource_types:OS::Manila::ShareType": "rule:project_admin",
+    "resource_types:OS::Neutron::QoSPolicy": "rule:project_admin",
+    "resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:project_admin",
+    "resource_types:OS::Nova::HostAggregate": "rule:project_admin"
 }