[S-RBAC] Fix new policies for FIP PFs APIs

During transition to the new secure RBAC API policies, we made mistake
with policies for FIP PFs by defining them to be available for
ADMIN_OR_PROJECT_MEMBER/READER or FIP owner.
First, rule PROJECT_MEMBER/READER is not appropriate in this case as FIP PFs
don't have tenant_id attribute at all and belongs to the owner of FIP always.
Second issue was that any FIP owner, even with just READER role could possibly
e.g. create port forwarding.

To fix that, this patch changes those API policies to new rules:
ADMIN_OR_PARENT_OWNER_READER
ADMIN_OR_PARENT_OWNER_MEMBER

Conflicts:
    neutron/conf/policies/floatingip_port_forwarding.py

Closes-Bug: #2018989
Change-Id: Ibff4c4f5b6d020fd598831a8a6e8ec0e2f559005
(cherry picked from commit 4edff4f)
(cherry picked from commit 812526a)

Author: slawqo

neutron/conf/policies/floatingip_port_forwarding.py

@@ -29,9 +29,7 @@
 rules = [
     policy.DocumentedRuleDefault(
         name='create_floatingip_port_forwarding',
-        check_str=base.policy_or(
-            base.ADMIN_OR_PROJECT_MEMBER,
-            base.RULE_PARENT_OWNER),
+        check_str=base.ADMIN_OR_PARENT_OWNER_MEMBER,
         scope_types=['project'],
         description='Create a floating IP port forwarding',
         operations=[
@@ -48,9 +46,7 @@
     ),
     policy.DocumentedRuleDefault(
         name='get_floatingip_port_forwarding',
-        check_str=base.policy_or(
-            base.ADMIN_OR_PROJECT_READER,
-            base.RULE_PARENT_OWNER),
+        check_str=base.ADMIN_OR_PARENT_OWNER_READER,
         scope_types=['project'],
         description='Get a floating IP port forwarding',
         operations=[
@@ -71,9 +67,7 @@
     ),
     policy.DocumentedRuleDefault(
         name='update_floatingip_port_forwarding',
-        check_str=base.policy_or(
-            base.ADMIN_OR_PROJECT_MEMBER,
-            base.RULE_PARENT_OWNER),
+        check_str=base.ADMIN_OR_PARENT_OWNER_MEMBER,
         scope_types=['project'],
         description='Update a floating IP port forwarding',
         operations=[
@@ -90,9 +84,7 @@
     ),
     policy.DocumentedRuleDefault(
         name='delete_floatingip_port_forwarding',
-        check_str=base.policy_or(
-            base.ADMIN_OR_PROJECT_MEMBER,
-            base.RULE_PARENT_OWNER),
+        check_str=base.ADMIN_OR_PARENT_OWNER_MEMBER,
         scope_types=['project'],
         description='Delete a floating IP port forwarding',
         operations=[