os-server-groups policy rules are wrong

Before policy was moved into code in Newton, the os-server-groups API actions had only two policy rules:

"os_compute_api:os-server-groups": "rule:admin_or_owner",
"os_compute_api:os-server-groups:discoverable": "@",

With this change in Ocata:

https://review.openstack.org/#/c/391113/

The actual actions now have granular policy checks (create/delete/index/show).

The problem is the effective policy check on those went from
"os_compute_api:os-server-groups" which was rule:admin_or_owner to this:

"os_compute_api:os-server-groups:create": "rule:os_compute_api:os-server-groups"
"os_compute_api:os-server-groups:delete": "rule:os_compute_api:os-server-groups"
"os_compute_api:os-server-groups:index": "rule:os_compute_api:os-server-groups"
"os_compute_api:os-server-groups:show": "rule:os_compute_api:os-server-groups"

And "rule:os_compute_api:os-server-groups" is not a real rule, and is backward incompatible. I don't really know what oslo.policy does if a rule is used which is not defined.

I know the admin_or_only rule is defined here:

#"admin_or_owner": "is_admin:True or project_id:%(project_id)s"

But there is no rule defined for "os_compute_api:os-server-groups".