jeffdeville/keystone_policy.json

## keystone_policy.json
{
    "cloud_admin": "role:domain_admin and domain_id:default",
    "service_or_admin": "role:admin or role:service_role",

    "matching_domain_id": "domain_id:%(target.project.domain_id)s or domain_id:%(project.domain_id)s or domain_id:%(target.user.domain_id)s or domain_id:%(user.domain_id)s or domain_id:%(target.group.domain_id)s or domain_id:%(group.domain_id)s or domain_id:%(target.token.user.domain.id)s",
    "matching_project_id": "project_id:%(scope.project.id)s or project_id:%(project_id)s)"
    "matching_user_id": "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
    "owner" : "rule: matching_user_id"
    "project_admin": "role:admin and rule:matching_project_id",
    "project_member": "role:member and rule:matching_project_id",
    "domain_admin": "role:domain_admin and rule:matching_domain_id",
    "domain_member": "role:domain_member and rule:matching_domain_id",
    "default": "role:domain_admin",
}
	{
	"cloud_admin": "role:domain_admin and domain_id:default",
	"service_or_admin": "role:admin or role:service_role",

	"matching_domain_id": "domain_id:%(target.project.domain_id)s or domain_id:%(project.domain_id)s or domain_id:%(target.user.domain_id)s or domain_id:%(user.domain_id)s or domain_id:%(target.group.domain_id)s or domain_id:%(group.domain_id)s or domain_id:%(target.token.user.domain.id)s",
	"matching_project_id": "project_id:%(scope.project.id)s or project_id:%(project_id)s)"
	"matching_user_id": "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
	"owner" : "rule: matching_user_id"
	"project_admin": "role:admin and rule:matching_project_id",
	"project_member": "role:member and rule:matching_project_id",
	"domain_admin": "role:domain_admin and rule:matching_domain_id",
	"domain_member": "role:domain_member and rule:matching_domain_id",
	"default": "role:domain_admin",
	}