Without this change, policy enforcement for the GET
/OS-TRUST/trusts/{trust_id}/roles API is hardcoded in the flask
dispatcher code. This is a problem because this enforcement can't be
controlled by the operator, as is the norm. Moreover, it makes the
transition to system-scope and default-roles-aware policies more
difficult because there's no sensible migration from "" to a logical
role-based check string.
This converts the hardcoded enforcement to enforcement via default
policies for GET /OS-TRUST/trusts/{trust_id}/roles. The API specifically
blocks the is_admin user from using it, and since policies aren't loaded
for the is_admin user we need to continue explicitly blocking it.
This change does not use the formal oslo.policy deprecation system
because "" OR'd with the new default is entirely useless as a policy.
Change-Id: Ib339852c9d619b8cbf7a00d45da461377991ba6f
Partial-bug: #1818850
Partial-bug: #1818846