
Backport of allow periodic jobs to use workload identity ACL policies into release/1.4.x #17271

Conversation

hc-github-team-nomad-core
Contributor

Backport

This PR is auto-generated from #17018 to be assessed for backporting due to the inclusion of the label backport/1.4.x.

The below text is copied from the body of the original PR.


Prevent all calls to the Task API from a periodically-dispatched job from failing with 403.

This happens because no policy for the job id (one with a periodic-\d+ suffix) matches the generated token claims (that specifically use the parent job id).

Steps to reproduce

Create a policy with

nomad acl policy apply -namespace default -job example example-job <(cat <<EOF
namespace "default" {
  policy = "write"
}
EOF
)

Create a job

# example.nomad
job "example" {
  datacenters = ["casa"]
  type = "batch"
  priority = 10

  periodic {
    cron             = "*/15 * * * * *"
    prohibit_overlap = true
  }

  group "example" {
    task "example" {
      driver = "docker"

      config {
        image = "curlimages/curl:7.87.0"
        args = [
          "--unix-socket", "${NOMAD_SECRETS_DIR}/api.sock",
          "-H", "Authorization: Bearer ${NOMAD_TOKEN}",
          "--fail-with-body",
          "--verbose",
          "localhost/v1/client/metadata",
        ]
      }


      identity {
        env = true
        file = false
      }
    }
  }

}

Run and dispatch

nomad run example.nomad 
echo "{}" | nomad job dispatch example -

It'll fail with a 403, and upon inspecting the claims we find

echo "the second part of the JWT, possibly padded with equal signs" | base64 -d | jq
{
  "nomad_namespace": "default",
  "nomad_job_id": "example",
  "nomad_allocation_id": "dcc6477e-1b20-afbd-b46a-d3810d198b53",
  "nomad_task": "example",
  "nbf": 1682647044,
  "iat": 1682647044
}

But the current code searches for policies for the job ID example/periodic-\d+.
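The mismatch described in the PR body above, as an added example that is not part of the original PR or of Nomad's own code: it decodes the payload segment of the workload identity JWT (unverified, exactly as the `base64 -d | jq` step does), then runs the policy lookup twice, once keyed on the allocation's child job ID (which reproduces the 403 because no policy is bound to `example/periodic-<ts>`) and once keyed on the parent job ID that the token's `nomad_job_id` claim carries. The `PolicyStore` map, the `/dispatch-...` suffix for parameterized-job children, and the unsigned test token are assumptions of this example; only the `/periodic-<unix ts>` suffix and the claim names come from the post.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// WorkloadClaims holds the claims shown in the decoded payload above (nbf/iat are
// omitted because they play no role in the policy lookup).
type WorkloadClaims struct {
	Namespace    string `json:"nomad_namespace"`
	JobID        string `json:"nomad_job_id"`
	AllocationID string `json:"nomad_allocation_id"`
	Task         string `json:"nomad_task"`
}

// DecodeClaims returns the payload claims of a compact JWT. It does NOT verify the
// signature: it is an inspection helper, like the `base64 -d | jq` step above.
func DecodeClaims(token string) (*WorkloadClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWT (expected header.payload.signature)")
	}
	// JWT segments are base64url without padding; tolerate '=' padding added by hand.
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
	if err != nil {
		return nil, fmt.Errorf("payload is not base64url: %w", err)
	}
	var c WorkloadClaims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, fmt.Errorf("payload is not JSON: %w", err)
	}
	return &c, nil
}

// childJobSuffix matches the "/periodic-<unix ts>" suffix from the post; the
// "/dispatch-..." alternative for parameterized jobs is an assumption of this example.
var childJobSuffix = regexp.MustCompile(`/(periodic|dispatch)-[^/]+$`)

// ParentJobID strips a child-job suffix so the ID matches the parent job the
// policy was applied to. IDs without such a suffix are returned unchanged.
func ParentJobID(jobID string) string {
	return childJobSuffix.ReplaceAllString(jobID, "")
}

// PolicyStore stands in for the ACL policy index (an assumption of this example):
// key is "namespace/jobID", value is the list of policy names bound to that job.
type PolicyStore map[string][]string

func (s PolicyStore) PoliciesForJob(namespace, jobID string) []string {
	return s[namespace+"/"+jobID]
}

// AuthorizeByAllocJob reproduces the failing lookup: it keys the policy search on
// the allocation's own job ID (the periodic child), so nothing matches and the
// request is denied even though the token claims are valid.
func AuthorizeByAllocJob(store PolicyStore, claims *WorkloadClaims, allocJobID string) (bool, []string) {
	pols := store.PoliciesForJob(claims.Namespace, allocJobID)
	return len(pols) > 0, pols
}

// AuthorizeByParentJob is the corrected lookup: the allocation's job ID is
// normalised to the parent, cross-checked against the token's nomad_job_id claim
// (a token minted for another job must not unlock this job's policies), and only
// then used for the search.
func AuthorizeByParentJob(store PolicyStore, claims *WorkloadClaims, allocJobID string) (bool, []string) {
	parent := ParentJobID(allocJobID)
	if parent != claims.JobID {
		return false, nil
	}
	pols := store.PoliciesForJob(claims.Namespace, parent)
	return len(pols) > 0, pols
}

// MakeUnsignedToken builds a constructed, unsigned token carrying the given claims
// so the example runs offline; the signature segment is a placeholder.
func MakeUnsignedToken(c WorkloadClaims) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	body, _ := json.Marshal(c)
	return header + "." + base64.RawURLEncoding.EncodeToString(body) + ".placeholder"
}

func main() {
	// Equivalent of: nomad acl policy apply -namespace default -job example example-job
	store := PolicyStore{"default/example": {"example-job"}}
	token := MakeUnsignedToken(WorkloadClaims{Namespace: "default", JobID: "example",
		AllocationID: "dcc6477e-1b20-afbd-b46a-d3810d198b53", Task: "example"})
	claims, err := DecodeClaims(token)
	if err != nil {
		panic(err)
	}
	childID := "example/periodic-1682647044" // constructed child job ID
	ok, _ := AuthorizeByAllocJob(store, claims, childID)
	fmt.Println("lookup by child job ID allowed:", ok) // false -> 403
	ok, pols := AuthorizeByParentJob(store, claims, childID)
	fmt.Println("lookup by parent job ID allowed:", ok, pols) // true [example-job]
}
```

Run it with `go run .`: the first lookup is denied, the second finds `example-job`. The cross-check in `AuthorizeByParentJob` is the part worth keeping in any real fix: normalising the job ID before the search is what makes the policy match, but the normalised ID must still agree with the claim the token was signed over, otherwise any child job in the namespace could borrow another parent's policies.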
