api: roles: forbid creatin new roles starting with "PVE" namespace

api: roles: forbid creatin new roles starting with "PVE" namespace

makes our reasoning when adding new top-level privileges way easier
in the future.
We already had two major upgrades with role additions where we had to
add special checks in the upgrade script and breaking changes, so
let's reserve any role starting with PVE (case-insensitive to avoid
confusion potential) and forbid creating those via API.

We might also think about letting the config parser choke on that, as
otherwise one could still create them via editing the config
manually.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>