# Pastebin MjfyuUtB
(craton) ubuntu@ubuntu-xenial:~/craton/craton/common$ python t-policy-using-role-assignments.py 
{
    "fleet:audit": "(role:admin or (principal:%(principal)s and role_:%(role_)s and resource:%(resource)s))"
}
(craton) ubuntu@ubuntu-xenial:~/craton/craton/common$ python policy.py 
{
    "example:my_file": "(role:compute_admin or project_id:%(project_id)s)",
    "example:denied": "false:false",
    "true": "",
    "example:allowed": "",
    "example:early_and_fail": "(false:false and rule:true)",
    "example:lowercase_admin": "(role:admin or role:sysadmin)",
    "example:uppercase_admin": "(role:ADMIN or role:sysadmin)",
    "example:early_or_success": "(rule:true or false:false)",
    "example:get_http": "http:http://www.example.com"
}
Traceback (most recent call last):
  File "policy.py", line 53, in <module>
    ENFORCER.enforce(lowercase_action, target, credentials, do_raise=True)
  File "/home/ubuntu/craton/lib/python3.5/site-packages/oslo_policy/policy.py", line 735, in enforce
    raise PolicyNotAuthorized(rule, target, creds)
oslo_policy.policy.PolicyNotAuthorized: {} is disallowed by policy rule example:lowercase_admin with {}