RBAC community wide goal phase-2[1] is to add service
role for the service APIs policy rule.
This patch adds new "service_api" role in policies, deprecates old rule
"context_is_advsvc" as this had basically same goal but for consistency
reasons we want now to have it named "service_api" as in other policies
for other projects.
This patch also adds unit tests to ensure what is allowed and what is
forbidden for the service role user.
[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-2
Closes-Bug: #2026182
Change-Id: Iaa1a3a491d310c2304f6500c6e5d2b9c31a72fa8