policy.json in mitaka with many units

After adding more units to keystone application results that in first deployed unit we have a good /etc/keystone/policy.json with domain_id:

...
"cloud_admin": "rule:admin_required and domain_id:ce2f6888465941c4b6d7c5d12a4e5887",
...

In other units, from second to last broken /etc/keystone/policy.json appears instead:
...
"cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
...

This is our environment:
root@juju:~# juju status keystone
MODEL CONTROLLER CLOUD/REGION VERSION
openstack devmaas-controller devmaas 2.0-rc1

APP VERSION STATUS SCALE CHARM STORE REV OS NOTES
keystone 9.1.0 active 3 keystone jujucharms 259 ubuntu
keystone-hacluster active 3 hacluster jujucharms 21 ubuntu

UNIT WORKLOAD AGENT MACHINE PUBLIC-ADDRESS PORTS MESSAGE
keystone/6 active idle 0/lxd/4 172.30.13.138 5000/tcp Unit is ready
  keystone-hacluster/8 active idle 172.30.13.138 Unit is ready and clustered
keystone/7 active idle 1/lxd/4 172.30.13.139 5000/tcp Unit is ready
  keystone-hacluster/6 active idle 172.30.13.139 Unit is ready and clustered
keystone/8 active idle 2/lxd/4 172.30.13.137 5000/tcp Unit is ready
  keystone-hacluster/7 active idle 172.30.13.137 Unit is ready and clustered

MACHINE STATE DNS INS-ID SERIES AZ
0 started 172.30.13.145 4y3har xenial default
0/lxd/4 started 172.30.13.138 juju-018ad7-0-lxd-4 xenial
1 started 172.30.13.144 4y3ha8 xenial default
1/lxd/4 started 172.30.13.139 juju-018ad7-1-lxd-4 xenial
2 started 172.30.13.141 4y3ha7 xenial default
2/lxd/4 started 172.30.13.137 juju-018ad7-2-lxd-4 xenial

RELATION PROVIDES CONSUMES TYPE
cluster keystone keystone peer
ha keystone keystone-hacluster subordinate
shared-db keystone percona-cluster regular
hanode keystone-hacluster keystone-hacluster peer