Comment 11 for bug 1684320

Lance Bragstad (lbragstad) wrote:

The fix consists of the following:

  - allowing users to have global role assignments in keystone
  - allowing users to ask for globally scoped tokens

At that point, it's up to the consuming projects to interpret global scope in a consistent way when checking the scope of the request (e.g. is the instance being acted on in the project that the token is scoped to). Each project will need to understand which operations in their API need to check for global scope (e.g. listing all instances in nova regardless of the project they are in is a good example of a request that should require global scope). The global role bits are being implemented in keystone as we speak [0], but they won't be backportable.

As far as the policy.v3cloudsample.json file goes, its existence was partially due to the issue I just described. The goal of the policy.v3cloudsample.json file was to provide a sample policy file that understood the differences between a cloud administrator and various roles applied to projects or domains. It requires deployers to create some new roles for their deployment. I think the policy.v3cloudsample.json is something that can dissolve over time, as we make it easier for projects to change default roles required for various operations. OpenStack should have sane default roles out-of-the-box, and when we get to that point, policy.v3cloudsample.json shouldn't be needed.

Hopefully this helps clarify the current approach we're taking.

[0] https://review.openstack.org/#/c/481781/