Fix self_owned_node policy check

When enabling scope enforcement, the self_owned_node check could
generate a failure because the check internally can be touched
by both a project scoped and system scoped endpoint.

This change changes the tag in the policy so it doesn't prematurely
return an error to the API consumer.

Change-Id: I49e2f7f29eb98e5bb4e18614cea0aca726703f55

ironic/common/policy.py

@@ -464,7 +464,7 @@ node_policies = [
     policy.DocumentedRuleDefault(
         name='baremetal:node:create:self_owned_node',
         check_str=('(role:admin) or (role:service)'),
-        scope_types=['project'],
+        scope_types=['system', 'project'],
         description='Create node records which will be tracked '
                     'as owned by the associated user project.',
         operations=[{'path': '/nodes', 'method': 'POST'}],
@@ -693,7 +693,7 @@ node_policies = [
     policy.DocumentedRuleDefault(
         name='baremetal:node:delete:self_owned_node',
         check_str=PROJECT_ADMIN,
-        scope_types=['project'],
+        scope_types=['system', 'project'],
         description='Delete node records which are associated with '
                     'the requesting project.',
         operations=[{'path': '/nodes/{node_ident}', 'method': 'DELETE'}],

releasenotes/notes/fix-self-owned-node-policy-fc2dae357879dc33.yaml

@@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    Fixes scope classification check with the "self_owned_node" policy
+    check where it was limited to check execution with only project
+    scoped, so system scoped users who ticked the policy endpoint would
+    basically get an incorrect error.