Add new policy rules NET_OWNER and PARENT_OWNER

In old policies we have rules ADMIN_OR_NET_OWNER and
ADMIN_OR_PARENT_OWNER but now as we are moving to new secure RBAC
roles we need to extract "admin-ness" from those rules as
ADMIN is already checked in the default roles, like SYSTEM_ADMIN or
PROJECT_ADMIN.
This patch proposes such new rules and uses them in the subnet policies
which were already migrated to the new secure-rbac policies.

Change-Id: Id61d24ca2d7b1293e9f1bc84f52944321880dbbd

neutron/conf/policies/base.py

@@ -78,6 +78,9 @@ SYSTEM_ADMIN_OR_PROJECT_MEMBER = (
 SYSTEM_OR_PROJECT_READER = (
     '(' + SYSTEM_READER + ') or (' + PROJECT_READER + ')')
 
+# Additional rules needed in Neutron
+RULE_NET_OWNER = 'rule:network_owner'
+RULE_PARENT_OWNER = 'rule:ext_parent_owner'
 
 rules = [
     policy.RuleDefault(

neutron/conf/policies/subnet.py

@@ -41,7 +41,7 @@ rules = [
         name='create_subnet',
         check_str=base.policy_or(
             base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
-            base.RULE_ADMIN_OR_NET_OWNER),
+            base.RULE_NET_OWNER),
         scope_types=['system', 'project'],
         description='Create a subnet',
         operations=ACTION_POST,
@@ -111,7 +111,7 @@ rules = [
         name='update_subnet',
         check_str=base.policy_or(
             base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
-            base.RULE_ADMIN_OR_NET_OWNER),
+            base.RULE_NET_OWNER),
         scope_types=['system', 'project'],
         description='Update a subnet',
         operations=ACTION_PUT,
@@ -149,7 +149,7 @@ rules = [
         name='delete_subnet',
         check_str=base.policy_or(
             base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
-            base.RULE_ADMIN_OR_NET_OWNER),
+            base.RULE_NET_OWNER),
         scope_types=['system', 'project'],
         description='Delete a subnet',
         operations=ACTION_DELETE,