Adding missing neutron policies to policy.json

Currently, Neutron's policy.json does not exhaustively
list all the policy actions within Neutron.

This has some downsides:
  1) It makes it harder to override these policy actions
  2) It is inconsistent
  3) The policy.json should be a "golden copy" of all the
     policy actions enforced by the system.
  4) It makes it harder to RBAC test Neutron
     (because it is very difficult to determine which
      policy actions are valid and which are not).

The current policy actions that are enforced by the system
but not contained in the policy.json are as follows:
  - create_security_group
  - delete_security_group
  - delete_security_group_rule
  - get_security_group_rules
  - get_security_groups
  - get_security_group_rule
  - get_security_group
  - update_security_group
  - update_router
  - update_router:external_gateway_info
  - update_router:external_gateway_info:network_id

Closes-Bug: #1676674
Change-Id: I4625c8f55bfa46b1a2209642e425677a47455219

etc/policy.json

@@ -102,6 +102,9 @@
     "create_router:ha": "rule:admin_only",
     "get_router": "rule:admin_or_owner",
     "get_router:distributed": "rule:admin_only",
+    "update_router": "rule:admin_or_owner",
+    "update_router:external_gateway_info": "rule:admin_or_owner",
+    "update_router:external_gateway_info:network_id": "rule:admin_or_owner",
     "update_router:external_gateway_info:enable_snat": "rule:admin_only",
     "update_router:distributed": "rule:admin_only",
     "update_router:ha": "rule:admin_only",
@@ -210,5 +213,15 @@
     "delete_trunk": "rule:admin_or_owner",
     "get_subports": "",
     "add_subports": "rule:admin_or_owner",
-    "remove_subports": "rule:admin_or_owner"
+    "remove_subports": "rule:admin_or_owner",
+
+    "get_security_groups": "rule:admin_or_owner",
+    "get_security_group": "rule:admin_or_owner",
+    "create_security_group": "rule:admin_or_owner",
+    "update_security_group": "rule:admin_or_owner",
+    "delete_security_group": "rule:admin_or_owner",
+    "get_security_group_rules": "rule:admin_or_owner",
+    "get_security_group_rule": "rule:admin_or_owner",
+    "create_security_group_rule": "rule:admin_or_owner",
+    "delete_security_group_rule": "rule:admin_or_owner"
 }

neutron/tests/etc/policy.json

@@ -102,6 +102,9 @@
     "create_router:ha": "rule:admin_only",
     "get_router": "rule:admin_or_owner",
     "get_router:distributed": "rule:admin_only",
+    "update_router": "rule:admin_or_owner",
+    "update_router:external_gateway_info": "rule:admin_or_owner",
+    "update_router:external_gateway_info:network_id": "rule:admin_or_owner",
     "update_router:external_gateway_info:enable_snat": "rule:admin_only",
     "update_router:distributed": "rule:admin_only",
     "update_router:ha": "rule:admin_only",
@@ -210,5 +213,15 @@
     "delete_trunk": "rule:admin_or_owner",
     "get_subports": "",
     "add_subports": "rule:admin_or_owner",
-    "remove_subports": "rule:admin_or_owner"
+    "remove_subports": "rule:admin_or_owner",
+
+    "get_security_groups": "rule:admin_or_owner",
+    "get_security_group": "rule:admin_or_owner",
+    "create_security_group": "rule:admin_or_owner",
+    "update_security_group": "rule:admin_or_owner",
+    "delete_security_group": "rule:admin_or_owner",
+    "get_security_group_rules": "rule:admin_or_owner",
+    "get_security_group_rule": "rule:admin_or_owner",
+    "create_security_group_rule": "rule:admin_or_owner",
+    "delete_security_group_rule": "rule:admin_or_owner"
 }