Rethink authz around retrieving IP pools #3995

@david-crespo

Description

Prior to #3985, there was a single fleet-level default IP pool named "default", and any authenticated user can CreateChild on a given IP pool:

```polar
# Any authenticated user can create a child of a provided IP Pool.
# This is necessary to use the pools when provisioning instances.
has_permission(actor: AuthenticatedActor, "create_child", ip_pool: IpPool)
    if silo in actor.silo and silo.fleet = ip_pool.fleet;
```

So when we looked up the default pool, we could rely cleanly on something like this to enforce permissions.

```rust
// Look the pool up by name and enforce CreateChild as part of the same lookup,
// so an actor outside the pool's fleet never receives the pool at all.
LookupPath::new(opctx, &self)
    .ip_pool_name("default")
    .fetch_for(authz::Action::CreateChild)
    .await?;
```

In #3985, there can be multiple default pools at different scopes (fleet, silo, or project), so figuring out the default is more of a listing operation, which means we don't have a single pool up front to do an auth check on. One option is to do the query and then run the auth check on the resulting pool. But we will also want to do things like list available pools at a given scope in order to allow users to choose one at instance create time in the CLI or console. So I think this might call for a rework of the permission model around IP pools.
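As an added illustration (not omicron code), the "query first, then authorize the resulting pool" option sketched above, modelled in plain Rust: the scope ranking, the `Actor`/`IpPool` stand-ins and their fields are assumptions, and the authz check mirrors the Polar rule quoted earlier (actor's silo must belong to the pool's fleet).

```rust
// Added example, not code from the omicron repository: a simplified model of the
// "query, then authorize the resulting pool" option discussed in the issue.
// The types, field names and scope ranking are assumptions for illustration.
#[derive(Clone, Debug, PartialEq)]
pub enum Scope { Fleet, Silo(u32), Project(u32) }

#[derive(Clone, Debug, PartialEq)]
pub struct IpPool { pub name: String, pub fleet: u32, pub scope: Scope, pub is_default: bool }

/// Stand-in for AuthenticatedActor: the actor's silo and that silo's fleet.
pub struct Actor { pub silo: u32, pub fleet: u32 }

/// Mirrors the Polar rule quoted above: CreateChild is allowed when the
/// actor's silo belongs to the pool's fleet.
pub fn can_create_child(actor: &Actor, pool: &IpPool) -> bool {
    actor.fleet == pool.fleet
}

/// The "listing" step: among default pools visible at the given silo and
/// project, the most specific scope wins (project, then silo, then fleet).
pub fn resolve_default(pools: &[IpPool], silo: u32, project: u32) -> Option<&IpPool> {
    let rank = |p: &IpPool| match &p.scope {
        Scope::Project(id) if *id == project => Some(0),
        Scope::Silo(id) if *id == silo => Some(1),
        Scope::Fleet => Some(2),
        _ => None,
    };
    pools
        .iter()
        .filter(|p| p.is_default)
        .filter_map(|p| rank(p).map(|r| (r, p)))
        .min_by_key(|(r, _)| *r)
        .map(|(_, p)| p)
}

/// Query, then authorize: the auth check runs on whichever pool the listing
/// resolved, so an actor from another fleet is refused rather than handed a pool.
pub fn fetch_default_for_create<'a>(
    actor: &Actor, pools: &'a [IpPool], project: u32,
) -> Result<&'a IpPool, &'static str> {
    let pool = resolve_default(pools, actor.silo, project).ok_or("no default pool")?;
    if !can_create_child(actor, pool) {
        return Err("forbidden");
    }
    Ok(pool)
}
```

The same `can_create_child` predicate can be applied as a filter over the full candidate list when the goal is to show users only the pools they are allowed to pick from.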
