This change updates the default policies implemented in Heat, to follow
the updated guideline[1] to implement SRBAC.

The main change is that system users are no longer allowed to perform
any operations on project-level resources like stacks, while project
admin (*1) is still allowed to perform operations on project-level
resources BEYOND project (like getting stacks for all projects by list
stacks API).

[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#direction-change

This also adds the test cases to validate the reader role, which was
almost implemented in Heat.

(*1)
If Keystone has an admin project defined, Heat checks an additional
requirement that the request context is scoped by that admin project.

Change-Id: I943b3c1ce021cc05445b73fbc342b8386cf5bf6a