Owner role is broken in default v2 policy file

Bug #1329864 reported by Haneef Ali
Affects: OpenStack Identity (keystone)
Status: Opinion
Importance: Wishlist
Assigned to: Unassigned

Bug Description

In v2 policy.json owner is defined as
  "owner" : "user_id:%(user_id)s",

It should be
  "owner" : "user_id:%(user_id)s or user_id:%(target.token.user_id)s",

Affected APIs:
   Using the default v2 policy file, a user can't delete his own token due to this defect.
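As an added illustration (not part of the bug report or of keystone's own code), a minimal evaluator for the generic `key:%(target_key)s` checks the policy file uses, showing why the original owner rule can never match a self-service token delete and how the proposed rule does. The flattened target keys and user ids are constructed for the example; keystone's real enforcer (oslo.policy) supports far more syntax.

```python
import re

# Generic check: "<cred_key>:%(<target_key>)s" matches when the credential
# value equals the request target value. Only "or" between checks is supported here.
GENERIC = re.compile(r"^(\w+):%\((\w[\w.]*)\)s$")


def _generic(check, creds, target):
    m = GENERIC.match(check.strip())
    if not m:
        raise ValueError("unsupported check: %r" % check)
    cred_key, target_key = m.groups()
    # A key absent from the request target (or from the token) never matches.
    if target_key not in target or cred_key not in creds:
        return False
    return str(creds[cred_key]) == str(target[target_key])


def evaluate(rule, creds, target):
    return any(_generic(c, creds, target) for c in rule.split(" or "))


ORIGINAL_OWNER = "user_id:%(user_id)s"
FIXED_OWNER = "user_id:%(user_id)s or user_id:%(target.token.user_id)s"


def can_delete_own_token(owner_rule):
    # Constructed request: user "u1" presents a token issued to "u1" and deletes
    # that same token. The token route carries no user_id parameter; the only
    # user id available is the one inside the token being deleted (flattened
    # here as "target.token.user_id", the way keystone flattens nested targets).
    creds = {"user_id": "u1"}
    target = {"target.token.user_id": "u1"}
    return evaluate(owner_rule, creds, target)


def can_change_password(owner_rule, caller_user_id, route_user_id):
    # Constructed request: the caller's token identity versus the user_id in
    # the route, as in "identity:change_password": "rule:admin_or_owner".
    creds = {"user_id": caller_user_id}
    target = {"user_id": route_user_id}
    return evaluate(owner_rule, creds, target)
```

The last helper also shows the point made later in the thread: the owner check only passes when the token's user id equals the user id in the route, so a caller cannot become "owner" of another user's record merely by naming that user in the URL.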

Dolph Mathews (dolph) wrote :

That's originally by design, but I agree with the notion that users should be able to delete their own tokens, even though it's traditionally an administrative function (I see it as "logging out").

Changed in keystone:
importance: Undecided → Wishlist
status: New → Opinion
Haneef Ali (haneef) wrote :

Actually it is a bug.

Basically the owner rule is broken, so I won't be able to change my own password unless I'm an "admin".

e.g.
"identity:change_password": "rule:admin_or_owner",

Dolph Mathews (dolph) wrote :

In that case, you'll match "user_id:%(user_id)s" if the identity presented in your token matches the user ID in the route.

Haneef Ali (haneef) wrote :

Though it works by matching user_id, it is wrong behavior.

Say I want to change your password with my token. If I do

POST /v3/users/<your_user_id> with my token, it will think of you as the owner.

I would expect a 401 Authz error, but I believe I will get "password doesn't match", since I may not know your original password, which is part of the POST request body.

I will confirm this and update the bug details.

Dolph Mathews (dolph) wrote :

The original password is not required for an administrative password reset - I think you're getting that call confused with the self-service password update call?
