Effective policy rendered by the charm is different from what is expected if policy-in-code was to be used

Bug #1973613 reported by Przemyslaw Hausman
Affects: OpenStack Keystone Charm; Status: New; Importance: Undecided; Assigned to: Unassigned; Milestone: none

Bug Description

Policy rendered by the charm in /etc/keystone/policy.json is different from the policy implemented in code.

NOTE: I'm testing 'enforce_scope=true' configuration. I stopped juju machine agent on keystone unit and manually updated keystone.conf, adding the config option 'enforce_scope=true'.

The following example calls do not work as expected (i.e. they return a "Forbidden" error) because the policy rendered by the charm does not allow certain actions.

1. As a domain member or reader, show a specific project in the domain.
2. As a domain member or reader, show a specific user in the domain.

Related policies rendered by the charm in /etc/keystone/policy.json:

"identity:get_domain": "rule:cloud_admin or rule:admin_and_matching_domain_id or token.project.domain.id:%(target.domain.id)s"
"identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id"
"identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id"

Expected policies, as implemented in code:

"identity:get_domain": "(role:reader and system_scope:all) or token.domain.id:%(target.domain.id)s or token.project.domain.id:%(target.domain.id)s"
"identity:list_projects": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)"
"identity:list_users": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)"

Expected policies indeed allow the actions from the example calls above. But charm-rendered policies do not.

When I configured the expected policies as overrides (in /etc/keystone/policy.d/), the example calls were successful.

Related bug: https://bugs.launchpad.net/charm-keystone/+bug/1847490
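As an added illustration (not part of the bug report, the charm, or oslo.policy itself), the following Python evaluates the two `identity:list_projects` rules quoted above with a minimal evaluator for the rule syntax they use. The helper rules `cloud_admin` and `admin_and_matching_domain_id` are not shown in the report, so simplified, assumed definitions stand in for them; the credentials and target are constructed.

```python
import re
# Tokens: parens, the and/or keywords, or an atom such as domain_id:%(target.domain_id)s
_TOKEN = re.compile(r"\(|\)|\band\b|\bor\b|(?:%\([^)]*\)s|[^\s()])+")
def _lookup(obj, dotted):  # walk a dotted path like token.project.domain.id
    for part in dotted.split("."):
        obj = obj.get(part) if isinstance(obj, dict) else None
    return obj
def _check(atom, rules, creds, target):
    kind, _, value = atom.partition(":")
    if kind == "rule":                         # reference to another named rule
        return allowed(rules, value, creds, target)
    if kind == "role":                         # role:X -> X among the token's roles
        return value in creds.get("roles", [])
    sub = re.fullmatch(r"%\((.+)\)s", value)   # %(target.domain_id)s substitution
    expected = _lookup({"target": target}, sub.group(1)) if sub else value
    return expected is not None and _lookup(creds, kind) == expected
def allowed(rules, action, creds, target):
    """Evaluate rules[action]; 'and' binds tighter than 'or', parens group."""
    tokens = _TOKEN.findall(rules[action])
    def factor():
        tok = tokens.pop(0)
        if tok != "(":
            return _check(tok, rules, creds, target)
        result = expr()
        tokens.pop(0)                          # the matching ")"
        return result
    def term():
        result = factor()
        while tokens and tokens[0] == "and":
            tokens.pop(0)
            result = factor() and result       # factor() runs first: no short-circuit
        return result
    def expr():
        result = term()
        while tokens and tokens[0] == "or":
            tokens.pop(0)
            result = term() or result
        return result
    return expr()
CHARM_RENDERED = {  # list_projects rule quoted in the report from policy.json
    "identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id",
    # the two helper rules are not in the report: simplified, assumed definitions
    "cloud_admin": "role:admin and domain_id:admin_domain",
    "admin_and_matching_domain_id": "role:admin and domain_id:%(target.domain_id)s",
}
POLICY_IN_CODE = {  # list_projects rule quoted in the report as implemented in code
    "identity:list_projects": "(role:reader and system_scope:all) "
                              "or (role:reader and domain_id:%(target.domain_id)s)",
}
# Constructed: a reader scoped to domain d1 listing projects in domain d1
DOMAIN_READER, TARGET_D1 = {"roles": ["reader"], "domain_id": "d1"}, {"domain_id": "d1"}
```

Calling `allowed(CHARM_RENDERED, "identity:list_projects", DOMAIN_READER, TARGET_D1)` is denied while the same call against `POLICY_IN_CODE` is allowed, which is the mismatch the report describes.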
