Essex Keystone Authorization Structure

Registered by Joe Savak

Provide more structure around high-level user-centered authorization by:
1. Adding capabilities that services and their endpoints provide
2. Bundling capabilities together into a "role"
3. Assigning roles to individual users or groups of users
4. Supporting restricted capabilities (e.g. John Doe has access to the "Delete Files" capability only on resource "myserver.server.com" through the control panel endpoint "myreach.os.org")
5. Allowing non-tenant and even non-OpenStack-user authorization to select resources as determined by the owning tenant admin (possibly through OAuth)
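
A minimal sketch of how items 1 to 4 fit together, added here as an illustration; it is not Keystone code and not part of the blueprint. The role names, the group, the user "jane", the "Read Files" capability and all function names are assumptions; only the John Doe restriction is taken from item 4.

```python
from dataclasses import dataclass

ANY = "*"  # wildcard: the grant is not restricted on this dimension


@dataclass(frozen=True)
class Grant:
    """A role assignment, optionally restricted to one resource and endpoint."""
    role: str
    resource: str = ANY
    endpoint: str = ANY


# Item 2: a role is a named bundle of capabilities (constructed sample data).
ROLES = {
    "file-admin": {"Delete Files", "Read Files"},
    "file-reader": {"Read Files"},
}
# Item 3: roles are assigned to individual users or to groups of users.
GROUPS = {"operators": {"jane"}}
GROUP_GRANTS = {"operators": [Grant("file-reader")]}
# Item 4: John Doe's role applies only on one resource through one endpoint.
USER_GRANTS = {
    "john": [Grant("file-admin", "myserver.server.com", "myreach.os.org")],
}


def grants_for(user):
    """Collect direct grants plus grants inherited through group membership."""
    grants = list(USER_GRANTS.get(user, []))
    for group, members in GROUPS.items():
        if user in members:
            grants.extend(GROUP_GRANTS.get(group, []))
    return grants


def is_authorized(user, capability, resource, endpoint):
    """Deny by default; allow only if some grant covers capability and scope."""
    for grant in grants_for(user):
        if capability not in ROLES.get(grant.role, set()):
            continue  # role does not bundle the requested capability
        if grant.resource in (ANY, resource) and grant.endpoint in (ANY, endpoint):
            return True
    return False
```

The check is deny-by-default: an unknown user, an unknown role, or a request outside a grant's resource or endpoint scope all return False.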

Blueprint information

Status: Complete
Approver: Ziad Sawalha
Priority: Undefined
Drafter: Joe Savak
Direction: Needs approval
Assignee: None
Definition: Obsolete
Series goal: None
Implementation: Not started
Milestone target: None
Completed by: Joseph Heck
