Cyborg/Policy

Reference:
 * When considering which role is appropriate for each API operation, follow the recommended migration strategy agreed by the Keystone team: https://etherpad.openstack.org/p/policy-migration-steps

Questions (tied to RBAC Name): http://eavesdrop.openstack.org/meetings/openstack_cyborg/2020/openstack_cyborg.2020-02-06-03.01.log.html#l-143
 * cyborg:arq:create
   * (Yumeng) Current rule: any role is allowed to do the post action. This is too permissive; instead, it should be at least "role:member" with scope_type ["project"].
 * cyborg:device:get_all
 * cyborg:device:update
   * (Yumeng) Is it necessary to allow a system-scope user to read and update one device? For example, when one device is shared by different projects, we should allow a role at a system-scope level to access this device, right?
   * (Yumeng) Yes, we agreed at the weekly meeting that a device is a system-level resource, so sys_admin is required for device: update.
 * cyborg:deployable:update
   * (Yumeng) Ditto for deployable update.
   * (Yumeng) We agreed that deployable: update requires project_admin.
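
The rules discussed above can be compared with a small model of a role plus scope_types check. This is an added example, not Cyborg's or oslo.policy's own code. It assumes that "sys_admin" means the admin role on a system-scoped token, that "project_admin" means the admin role on a project-scoped token, and that the current arq:create rule accepts any scope; `authorize`, `CURRENT` and `AGREED` are hypothetical names.

```python
# Simplified model of a role + scope_types policy check (not the oslo.policy API).
# Keystone's default roles imply one another: admin -> member -> reader.
IMPLIES = {
    "admin": {"admin", "member", "reader"},
    "member": {"member", "reader"},
    "reader": {"reader"},
}

# rule name -> (required role, or None for "any role"; token scopes accepted)
# Assumption: the current arq:create rule puts no restriction on scope.
CURRENT = {"cyborg:arq:create": (None, ("system", "project"))}

# Rules as agreed on the page. Assumption: sys_admin = admin role with system
# scope, project_admin = admin role with project scope. A real project_admin
# check would also compare the token's project with the resource's project;
# that comparison is left out of this model.
AGREED = {
    "cyborg:arq:create": ("member", ("project",)),
    "cyborg:device:update": ("admin", ("system",)),
    "cyborg:deployable:update": ("admin", ("project",)),
}


def authorize(rules, name, roles, scope):
    """Return (allowed, reason) for a token holding `roles` issued at `scope`."""
    required, scope_types = rules[name]
    # Scope is checked first: a token of the wrong scope type is rejected
    # whatever roles it carries.
    if scope not in scope_types:
        return False, "scope"
    effective = set()
    for role in roles:
        effective |= IMPLIES.get(role, {role})
    if required is not None and required not in effective:
        return False, "role"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample tokens: (role, scope)
    tokens = [("reader", "project"), ("member", "project"),
              ("admin", "project"), ("admin", "system")]
    for name in AGREED:
        for role, scope in tokens:
            print(name, role, scope, authorize(AGREED, name, [role], scope))
```
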