Fix API policy rules for new personas

During migration to the new personas in the API policies, we made few
mistakes and allowed creation of some resources just for PROJECT_MEMBER
role. It should also be possible for the SYSTEM_ADMIN persona and that
patch fixes it by adding SYSTEM_ADMIN persona to the default rules where
it was missing.

Related-blueprint: bp/secure-rbac-roles
Change-Id: I9f8a9f0ae24683458aa3b5f8e49c6f111ccf815a
(cherry picked from commit cabf19a984)

neutron/conf/policies/rbac.py

@@ -34,7 +34,7 @@ rules = [
 
     policy.DocumentedRuleDefault(
         name='create_rbac_policy',
-        check_str=base.PROJECT_MEMBER,
+        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
         scope_types=['system', 'project'],
         description='Create an RBAC policy',
         operations=[

neutron/conf/policies/router.py

@@ -39,7 +39,7 @@ ACTION_GET = [
 rules = [
     policy.DocumentedRuleDefault(
         name='create_router',
-        check_str=base.PROJECT_MEMBER,
+        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
         scope_types=['project'],
         description='Create a router',
         operations=ACTION_POST,

neutron/conf/policies/subnetpool.py

@@ -33,7 +33,7 @@ rules = [
     ),
     policy.DocumentedRuleDefault(
         name='create_subnetpool',
-        check_str=base.PROJECT_MEMBER,
+        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
         scope_types=['project', 'system'],
         description='Create a subnetpool',
         operations=[

neutron/conf/policies/trunk.py

@@ -26,7 +26,7 @@ DEPRECATED_REASON = (
 rules = [
     policy.DocumentedRuleDefault(
         name='create_trunk',
-        check_str=base.PROJECT_MEMBER,
+        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
         scope_types=['project', 'system'],
         description='Create a trunk',
         operations=[