The policy.v3cloudsample.json file defines a generic rule, `"admin_required": "role:admin"`, which is applied to several APIs. Because this rule checks only the role name and not the scope of the token, any token that carries the generic "admin" role (whatever domain or project it is scoped to, including service users of other OpenStack services) can de facto perform these Keystone calls.
Both Neutron and Glance, for example, rely on a plain "admin" role of their own; an admin token obtained for those services therefore satisfies `role:admin` and can be used to perform the Keystone calls that are only protected by `admin_required`.
Proposed changes:
1) In the affected API rules, remove the reference to `rule:admin_required` and replace it with `rule:cloud_admin`, so that the check is tied to the cloud-admin definition (which is meant to constrain the token's scope as well as its role) rather than to the bare role name.
2) Scope access to these APIs correctly, as listed below. Note that `domain_admin` / `project_admin` alternatives should only be kept where the target resource actually carries a domain or project to match against; for resources that appear to have no domain_id in the target (OAuth consumers and access tokens, federation identity providers, protocols and mappings), it should be verified that the alternative can be satisfied at all, otherwise the rule effectively reduces to `rule:cloud_admin`:
"identity:create_consumer": "rule:cloud_admin or rule:domain_admin",
"identity:get_consumer": "rule:cloud_admin or rule:domain_admin",
"identity:list_consumers": "rule:cloud_admin or rule:domain_admin",
"identity:delete_consumer": "rule:cloud_admin or rule:domain_admin",
"identity:update_consumer": "rule:cloud_admin or rule:domain_admin",
"identity:authorize_request_token": "rule:cloud_admin or rule:domain_admin",
"identity:list_access_token_roles": "rule:cloud_admin or rule:domain_admin",
"identity:get_access_token_role": "rule:cloud_admin or rule:domain_admin",
"identity:list_access_tokens": "rule:cloud_admin or rule:domain_admin",
"identity:get_access_token": "rule:cloud_admin or rule:domain_admin",
"identity:delete_access_token": "rule:cloud_admin or rule:domain_admin",
"identity:list_projects_for_endpoint": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
"identity:add_endpoint_to_project": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
"identity:check_endpoint_in_project": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
"identity:list_endpoints_for_project": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
"identity:remove_endpoint_from_project": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
"identity:create_identity_provider": "rule:cloud_admin or rule:domain_admin",
"identity:list_identity_providers": "rule:cloud_admin or rule:domain_admin",
"identity:get_identity_providers": "rule:cloud_admin or rule:domain_admin",
"identity:update_identity_provider": "rule:cloud_admin or rule:domain_admin",
"identity:delete_identity_provider": "rule:cloud_admin or rule:domain_admin",
"identity:create_protocol": "rule:cloud_admin or rule:domain_admin",
"identity:update_protocol": "rule:cloud_admin or rule:domain_admin",
"identity:get_protocol": "rule:cloud_admin or rule:domain_admin",
"identity:list_protocols": "rule:cloud_admin or rule:domain_admin",
"identity:delete_protocol": "rule:cloud_admin or rule:domain_admin",
"identity:create_mapping": "rule:cloud_admin",
"identity:get_mapping": "rule:cloud_admin or rule:domain_admin",
"identity:list_mappings": "rule:cloud_admin or rule:domain_admin",
"identity:delete_mapping": "rule:cloud_admin",
"identity:update_mapping": "rule:cloud_admin"