Unlock/Lock can now be user actions

Havana allowed lock & unlock to be performed by
users, in addition to admins. This updates the policy.json
example to be in line with the sample

Change-Id: I6a81d1890173672149293ee41bfa9e553cfb9e04
Closes-Bug: 1206724

doc/common/section_keystone-concepts-user-management.xml

@@ -117,6 +117,7 @@
     "compute:create:attach_network": ["role":"compute-user"],
     "compute:create:attach_volume": ["role":"compute-user"],
     "compute:get_all": ["role":"compute-user"],
+    "compute:unlock_override": ["rule":"admin_api"],
 
     "admin_api": [["role:admin"]],
     "compute_extension:accounts": [["rule:admin_api"]],
@@ -125,8 +126,8 @@
     "compute_extension:admin_actions:unpause": [["rule:admin_or_owner"]],
     "compute_extension:admin_actions:suspend": [["rule:admin_or_owner"]],
     "compute_extension:admin_actions:resume": [["rule:admin_or_owner"]],
-    "compute_extension:admin_actions:lock": [["rule:admin_api"]],
-    "compute_extension:admin_actions:unlock": [["rule:admin_api"]],
+    "compute_extension:admin_actions:lock": [["rule:admin_or_owner"]],
+    "compute_extension:admin_actions:unlock": [["rule:admin_or_owner"]],
     "compute_extension:admin_actions:resetNetwork": [["rule:admin_api"]],
     "compute_extension:admin_actions:injectNetworkInfo": [["rule:admin_api"]],
     "compute_extension:admin_actions:createBackup": [["rule:admin_or_owner"]],