Manila tempest test fail on identity:list_domains authorisation error:

We are trying to add tempest coverage for Manila to our CI. For this we are using tempest version 29.2.0 with manila-tempest-plugin version 1.8.0.

Most of the manila test run into the following error:
```
manila_tempest_tests.tests.api.test_shares_actions.SharesActionsTest.test_shrink_share
--------------------------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/ubuntu/snap/fcbtest/x1/.rally/verification/verifier-d325834b-d395-48f4-aa36-93cb4bf93884/repo/tempest/test.py", line 181, in setUpClass
    raise value.with_traceback(trace)
  File "/home/ubuntu/snap/fcbtest/x1/.rally/verification/verifier-d325834b-d395-48f4-aa36-93cb4bf93884/repo/tempest/test.py", line 171, in setUpClass
    cls.setup_clients()
  File "/snap/fcbtest/x1/lib/python3.6/site-packages/manila_tempest_tests/tests/api/base.py", line 1277, in setup_clients
    project=cls.admin_project, add_member_role=True)
  File "/snap/fcbtest/x1/lib/python3.6/site-packages/manila_tempest_tests/tests/api/base.py", line 1305, in create_user_and_get_client
    cls.os_admin.domains_client, project_domain_name)
  File "/home/ubuntu/snap/fcbtest/x1/.rally/verification/verifier-d325834b-d395-48f4-aa36-93cb4bf93884/repo/tempest/lib/common/cred_client.py", line 274, in get_creds_client
    roles_client, domains_client, project_domain_name)
  File "/home/ubuntu/snap/fcbtest/x1/.rally/verification/verifier-d325834b-d395-48f4-aa36-93cb4bf93884/repo/tempest/lib/common/cred_client.py", line 150, in __init__
    name=domain_name)['domains'][0]
  File "/home/ubuntu/snap/fcbtest/x1/.rally/verification/verifier-d325834b-d395-48f4-aa36-93cb4bf93884/repo/tempest/lib/services/identity/v3/domains_client.py", line 58, in list_domains
    resp, body = self.get(url)
  File "/home/ubuntu/snap/fcbtest/x1/.rally/verification/verifier-d325834b-d395-48f4-aa36-93cb4bf93884/repo/tempest/lib/common/rest_client.py", line 314, in get
    return self.request('GET', url, extra_headers, headers)
  File "/home/ubuntu/snap/fcbtest/x1/.rally/verification/verifier-d325834b-d395-48f4-aa36-93cb4bf93884/repo/tempest/lib/common/rest_client.py", line 703, in request
    self._error_checker(resp, resp_body)
  File "/home/ubuntu/snap/fcbtest/x1/.rally/verification/verifier-d325834b-d395-48f4-aa36-93cb4bf93884/repo/tempest/lib/common/rest_client.py", line 804, in _error_checker
    raise exceptions.Forbidden(resp_body, resp=resp)
tempest.lib.exceptions.Forbidden: Forbidden
Details: {'code': 403, 'message': 'You are not authorized to perform the requested action: identity:list_domains.', 'title': 'Forbidden'}
```

This is very similar to LP: #1943850, where the Octavia tempest test ran into authorization issues. That was fixed by downgrading the octavia-tempest-plugin to stein-last (which is not an ideal solution). Downgrading the manila-tempest-plugin does not fix the issue.
As a workaround, I can override the keystone policy, but this is not a good solution for a production cloud.

I suspect that the keystone policy needs to be adjusted, or that there are tempest settings that I am missing. My tempest config can be found attached to this bug.