Change access restrictions for OSWL collector service user

An example for policy: http://paste.openstack.org/show/197018/ (thanks to Tatyanka)

Fix proposed to branch: master
Review: https://review.openstack.org/171561

Seems that it is a little problematic to fix this bug in current release due to the fact that:

1. We need to create read-only oswl role in keystone and add workload user to it.
2. Need to change all according policies for all services that oswl use
3. I start digging from keystone. For keystone we need:
4. Move from v2 API to v3 due to the fact that keystone v2 API doesn't use policy file for RBAC and use admin user only [1]. It seems to be true everywhere (for RH, for example: [2])
5. If we move to API v3 then we cannot use cli part of python-keystoneclient (see [3]). It is bad for user expirience. I suppose, that it is done due to:
6. All cli parts from python-*client utilities slowly move to OpenStackClient (OSC) [4]. But OSC doesn't support part of functionality from old clients (for example, see neutron part from [5]). We cannot use python-neutronclient and OSC simultaneously, cause python-neutronclient doesn't support auth by keystone v3 API. I found some articles that said than if we will expose keystone api in format http://ip:port/ instead of http://ip:port/v2.0 or http://ip:port/v3 then newer clients will choose keystone API version that they support. Alas, our current clients cannot do this (and try to test every newest client for every service to create one read-only user will get too much time).

So, I move this bug to next release due to this huge amount of work that should be done to fix it now properly.

[1] https://bugs.launchpad.net/keystone/+bug/1350879
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1125333
[3] https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/shell.py#L402-L412
[4] http://docs.openstack.org/developer/python-openstackclient/
[5] https://wiki.openstack.org/wiki/OpenStackClient/Commands

Change abandoned by Bartłomiej Piotrowski (<email address hidden>) on branch: master
Review: https://review.openstack.org/171561

Moved to 8.0, confirmed with developers and QA

(This check performed automatically)
Please, make sure that bug description contains the following sections filled in with the appropriate data related to the bug you are describing:

actual result

version

expected result

steps to reproduce

For more detailed information on the contents of each of the listed sections see https://wiki.openstack.org/wiki/Fuel/How_to_contribute#Here_is_how_you_file_a_bug

This is a feature request. Removing from the Mitaka release because we don't backport patches of this kind.