In the policy.v3cloudsample.json there is the rule "admin_or_owner" that is defined as "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner", and the tests for it ( https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L7 ) , specially this keystone.tests.test_v3_auth.TestTokenRevokeSelfAndAdmin.test_user_revokes_own_token shows it's working as expected. The rule "admin_required" is defined only as "role:admin" ( https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L2 ), so I changed the rule "admin_or_owner" to "(role:admin and domain_id:%(target.token.user.domain.id)s) or rule:owner" and the test raises a error saying that the user has no permission to do the action. As it's the same rule, it wasn't suppose to raise errors. But it doesn't stop there, when I rearrange the rule order to be like this: "admin_or_owner": "rule:owner or (role:admin and domain_id:%(target.token.user.domain.id)s)" it works.
This sounds like a bug in the way the rules processor is working. This may not actually be a bug in keystone but a bug in the oslo policy library or a way we're invoking the enforcer.
I'm curious what happens in the case the token matches rule:admin and domain_id" in the second case.