Associate and Select policy for endpoint

Registered by Adam Young

The policy backend only allows selecting a policy by identifier. To vary the policy used among endpoints, each endpoint needs to know its own identity and request the corresponding policy file from Keystone. Because the data is sensitive, this needs to be controlled via RBAC such that a policy-to-endpoint assignment for one endpoint cannot mask a different endpoint record that sets the same URL, either by accident or intentionally.

Service catalog entries will be managed by domains and projects. The existing set of services and endpoints will be managed under "root" and be globally accessible to all users by default. However, other users (with the assigned role) will be allowed to create service and endpoint entries under specific domains or projects.

API extensions:
Create service and create endpoint will both take an optional "scope_id" value and a "scope_type" that can be either "project" or "domain".

The catalog will contain new APIs, with the corresponding methods on the controller:

1. POST assign policy to scope. The scope will be one of project, domain, service, or endpoint.
2. GET policy for endpoint. This will find the policy file best suited to the endpoint. The process will be: search for an entry that matches the endpoint ID exactly. Start in the containing project, and then work up the hierarchy. If no endpoint-specific policy file is found, search for a policy file for the service of the endpoint. In all cases, the definition lower on the hierarchy is favored.
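
The lookup order from item 2, as an added example (not Keystone code). It assumes assignments are stored per scope and keyed by target ID; every scope, endpoint and policy name below is constructed. Because the lookup keys on endpoint ID and walks only the endpoint's own scope chain, a record elsewhere that sets the same URL does not change the result.

```python
# Added illustration; names and sample data are constructed, not Keystone code.
ROOT = "root"

# scope_id -> parent scope_id (project -> domain -> root); assumed layout.
PARENT = {"proj-a": "dom-1", "proj-b": "dom-1", "dom-1": ROOT, ROOT: None}

# Endpoint records. ep-1 and ep-2 deliberately share a URL.
ENDPOINTS = {
    "ep-1": {"service": "svc-compute", "scope": "proj-a",
             "url": "https://api.example.test/v2"},
    "ep-2": {"service": "svc-compute", "scope": "proj-b",
             "url": "https://api.example.test/v2"},
    "ep-3": {"service": "svc-image", "scope": ROOT,
             "url": "https://img.example.test/v1"},
}

# (scope the assignment was made in, target kind, target id) -> policy id
ASSIGNMENTS = {
    ("proj-b", "endpoint", "ep-2"): "policy-b-endpoint",
    ("dom-1", "service", "svc-compute"): "policy-dom-compute",
    (ROOT, "service", "svc-compute"): "policy-root-compute",
}


def scope_chain(scope_id):
    """Yield scope_id and then its ancestors, lowest first."""
    while scope_id is not None:
        yield scope_id
        scope_id = PARENT[scope_id]


def policy_for_endpoint(endpoint_id):
    """Return the best-suited policy id for an endpoint, or None."""
    endpoint = ENDPOINTS[endpoint_id]
    chain = list(scope_chain(endpoint["scope"]))
    # Pass 1: exact endpoint ID match. Pass 2: the endpoint's service.
    targets = (("endpoint", endpoint_id), ("service", endpoint["service"]))
    for kind, target in targets:
        for scope in chain:  # the lowest scope in the hierarchy wins
            policy = ASSIGNMENTS.get((scope, kind, target))
            if policy is not None:
                return policy
    return None
```
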

Blueprint information

Status: Complete
Approver: None
Priority: Undefined
Drafter: Adam Young
Direction: Needs approval
Assignee: None
Definition: Superseded
Series goal: None
Implementation: Implemented
Milestone target: None
Started by: Morgan Fainberg
Completed by: Morgan Fainberg

Whiteboard

Completed in the Juno cycle.
