Comment 1 for bug 1616669

One example problem case is where you are the admin of a project; the admin_and_matching_domain_id rule is defined as "rule:admin_required and domain_id:%(domain_id)s". Since in the existing code the domain_id:%(domain_id)s is equivalent to user_domain_id==user_domain_id it always passes and thus you are a domain admin.

openstack_dashboard/api/keystone uses this rule for 'is_domain_admin', which then tries to make API calls against keystone that will fail depending how keystone's policy file is set up (and logically should fail).