Forbidden errors thrown by many identity v2 endpoints

After recent changes to DevStack, it appears as though many v2 identity endpoints are throwing 404s. It looks like Tempest gates aren't catching these errors because identity v2 admin tests are being skipped and the non-admin tests aren't exhaustive enough.

Steps to reproduce:
1) Use latest DevStack master code, then ./stack
2) source devstack/openrc admin admin
3) Run a command like "openstack --os-identity-api-version 2 --debug user list" or "openstack --os-identity-api-version 2 --debug role list"

Expected result:
A list of users or roles should be printed to CLI.

Actual result:
Forbidden exception.

Stacktrace example:
Making authentication request to http://127.0.0.1/identity/v2.0/tokens
Resetting dropped connection: 127.0.0.1
http://127.0.0.1:80 "POST /identity/v2.0/tokens HTTP/1.1" 200 3773
run(Namespace(columns=[], formatter='table', long=False, max_width=0, noindent=False, print_empty=False, project=None, quote_mode='nonnumeric'))
Instantiating identity client: <class 'openstackclient.identity.client.IdentityClientv2'>
Making authentication request to http://127.0.0.1/identity/v2.0/tokens
Resetting dropped connection: 127.0.0.1
http://127.0.0.1:80 "POST /identity/v2.0/tokens HTTP/1.1" 200 3773
REQ: curl -g -i -X GET http://127.0.0.1/identity/v2.0/users -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}b59b170617f9dbba04118250981d8bfb3574ee71"
Resetting dropped connection: 127.0.0.1
http://127.0.0.1:80 "GET /identity/v2.0/users HTTP/1.1" 404 133
RESP: [404] Date: Wed, 03 May 2017 01:39:32 GMT Server: Apache/2.4.18 (Ubuntu) Vary: X-Auth-Token Content-Type: application/json Content-Length: 133 x-openstack-request-id: req-66d4ad1e-a497-46f8-87f2-3c74f51f9a74 Connection: close
RESP BODY: {"error": {"message": "(http://127.0.0.1/identity/v2.0/users): The resource could not be found.", "code": 404, "title": "Not Found"}}

Note that using --os-identity-api-version 3 works.