This commit adds explicit tests that show how domain users
are expected to behave with global roles. A subsequent patch
will do the same for project users.
Note that these changes are slightly different from the
policy.v3cloudsample.json role policies. In policy.v3cloudsample.json,
domain users were allowed to get and list global roles. So were
project users. This behavior is changing because global roles are
considered global resources of the deployment, and they should be
managed by system users. Domain users should be able to add and remove
domain specific roles, which will come in a subsequent series of
patches. This approach is being taken because it is a safer default
for a system level resource (roles) and still allows the same
functionality for domain users through domain-specific roles.
Change-Id: Ia1a7adf4431042ecea1b41e3c589c55112183ab5
Partial-Bug: 1806713
Partial-Bug: 1805400