Domain admin is not allowed to create credentials when scope enforcement is enabled

Currently when [oslo_policy] enforce_scope is set to True along with [oslo_policy] enforce_new_defaults = True, domain admins are not allowed to manage credentials.

However this limitation breaks heat, because heat requires creating credentials, which is used by notification mechanism for example, by it's own stack domain admin credential.

```

Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: ERROR heat.engine.check_resource [None req-f3f9047b-8ac5-46f0-b8df-eafa473cb252 demo None] Unexpected exception in resource check.: keystoneauth1.exceptions.http.Forbidden: You are not authorized to perform the requested action: identity:create_credential. (HTTP 403) (Request-ID: req-ff29e4ea-c6bc-48c5-88f4-fa4cb1893a87)
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource Traceback (most recent call last):
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource File "/opt/stack/heat/heat/engine/check_resource.py", line 311, in check
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource self._initiate_propagate_resource(cnxt, resource_id,
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource File "/opt/stack/heat/heat/engine/check_resource.py", line 251, in _initiate_propagate_resource
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource input_data = _get_input_data(req_node, input_forward_data)
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource File "/opt/stack/heat/heat/engine/check_resource.py", line 233, in _get_input_data
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource return rsrc.node_data().as_dict()
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource File "/opt/stack/heat/heat/engine/resource.py", line 1154, in node_data
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource self.FnGetRefId(), attribute_values,
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource File "/opt/stack/heat/heat/engine/resource.py", line 2378, in FnGetRefId
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource return self.get_reference_id()
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource File "/opt/stack/heat/heat/engine/resources/aws/cfn/wait_condition_handle.py", line 40, in get_reference_id
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource return str(self._get_ec2_signed_url(signal_type=wc))
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource File "/opt/stack/heat/heat/engine/resources/wait_condition.py", line 48, in _get_ec2_signed_url
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource self)._get_ec2_signed_url(signal_type)
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource File "/opt/stack/heat/heat/engine/resources/signal_responder.py", line 138, in _get_ec2_signed_url
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource self._create_keypair()
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource File "/opt/stack/heat/heat/engine/resources/stack_user.py", line 128, in _create_keypair
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource kp = self.keystone().create_stack_domain_user_keypair(
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource File "/opt/stack/heat/heat/engine/clients/os/keystone/heat_keystoneclient.py", line 551, in create_stack_domain_user_keypair
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource creds = self.domain_admin_client.credentials.create(
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource File "/usr/local/lib/python3.10/dist-packages/keystoneclient/v3/credentials.py", line 62, in create
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource return super(CredentialManager, self).create(
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource File "/usr/local/lib/python3.10/dist-packages/keystoneclient/base.py", line 85, in func
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource return f(*args, **new_kwargs)
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource File "/usr/local/lib/python3.10/dist-packages/keystoneclient/base.py", line 381, in create
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource return self._post(
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource File "/usr/local/lib/python3.10/dist-packages/keystoneclient/base.py", line 191, in _post
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource resp, body = self.client.post(url, body=body, **kwargs)
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource File "/usr/local/lib/python3.10/dist-packages/keystoneauth1/adapter.py", line 399, in post
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource return self.request(url, 'POST', **kwargs)
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource File "/usr/local/lib/python3.10/dist-packages/keystoneauth1/adapter.py", line 552, in request
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource File "/usr/local/lib/python3.10/dist-packages/keystoneauth1/adapter.py", line 255, in request
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource return self.session.request(url, method, **kwargs)
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource File "/usr/local/lib/python3.10/dist-packages/keystoneauth1/session.py", line 985, in request
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource raise exceptions.from_response(resp, method, url)
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource keystoneauth1.exceptions.http.Forbidden: You are not authorized to perform the requested action: identity:create_credential. (HTTP 403) (Request-ID: req-ff29e4ea-c6bc-48c5-88f4-fa4cb1893a87)
```