Comment 4 for bug 1290537

Andrew Laski (alaski) wrote : Re: RBAC policy not enforced when adding a security group rule using EC2 API

I've confirmed the behaviour, and it seems that it's likely been this way for a while.

The trend in the OpenStack API has been to move policy out of the compute api and into the API itself. Even the existing checks on add_to_instance/remove_from_instance are likely to go away at some point. So to keep in line with that the fix for this would be to add policy checks into the ec2 API.

The code for policy enforcement is non-invasive and easily backportable, but we'll want to set a default policy that won't cause a problem for deployments. As mentioned by Marc, the current "compute:security_groups" rule isn't listed, which means it uses the default rule. The default for the default rule is to limit calls to admins or users who share a project_id with the security group. If we set up new policies for the security group calls that use the default rule, it may break a use case that relies on the unrestricted behaviour currently available, but I believe that's ok. And using the default rule will put the new policies in line with the existing policies for security group calls.
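To make the behaviour described in the comment concrete, here is an added example (not Nova's code and not part of this bug thread): a minimal evaluator that mimics the nova.policy / oslo.policy semantics the comment relies on, namely that a rule missing from policy.json is evaluated with the "default" rule, and that Nova's shipped default is "admin_or_owner" (admin, or caller's project_id equal to the target's). The POLICY_JSON fragment, the request contexts, and the ec2_authorize_security_group_ingress wrapper standing in for the EC2 handler are all assumptions constructed for illustration.

```python
"""Added example (not Nova's code): a minimal policy evaluator mimicking the
oslo.policy / nova.policy semantics, used to show what adding a
"compute:security_groups" check to an EC2 security-group call would do when
that rule falls through to the "default" rule.  POLICY_JSON, the contexts
and the EC2 handler wrapper are constructed assumptions."""
import json


# Constructed policy.json fragment modelled on the shape of Nova's file.
# "compute:security_groups" is deliberately NOT listed, so any check against
# it falls through to "default", which here is admin_or_owner.
POLICY_JSON = """
{
    "context_is_admin": "role:admin",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "default": "rule:admin_or_owner",
    "compute:security_groups_add_to_instance": "rule:admin_or_owner"
}
"""

RULES = json.loads(POLICY_JSON)


class PolicyNotAuthorized(Exception):
    pass


def _check(atom, target, creds, rules, depth):
    """Evaluate one atom: '@' (always), '!' (never), 'rule:x', 'role:x', or a
    generic 'attr:value' where value may contain %(key)s references into the
    target dict (e.g. project_id:%(project_id)s)."""
    atom = atom.strip()
    if atom == "@":
        return True
    if atom == "!":
        return False
    kind, _, match = atom.partition(":")
    if kind == "rule":
        return enforce(match, target, creds, rules, depth + 1)
    if kind == "role":
        return match in creds.get("roles", [])
    # Generic check: compare a credential attribute with the substituted value.
    return str(creds.get(kind)) == match % target


def _evaluate(expr, target, creds, rules, depth):
    # 'or' binds loosest, 'and' tightest; no parentheses (enough here).
    return any(
        all(_check(atom, target, creds, rules, depth) for atom in clause.split(" and "))
        for clause in expr.split(" or ")
    )


def enforce(rule_name, target, creds, rules=RULES, depth=0):
    """Return True if creds may perform rule_name on target.  As in
    oslo.policy, a rule absent from the file is evaluated with "default"."""
    if depth > 10:
        raise RecursionError("policy rule recursion too deep")
    expr = rules.get(rule_name, rules.get("default", "!"))
    return _evaluate(expr, target, creds, rules, depth)


def ec2_authorize_security_group_ingress(context, group, rules=RULES):
    """Hypothetical stand-in for the EC2 API handler with the policy check the
    comment proposes added up front.  The target is the security group being
    modified, so project_id:%(project_id)s compares the caller's project with
    the group's owning project."""
    target = {"project_id": group["project_id"]}
    if not enforce("compute:security_groups", target, context, rules):
        raise PolicyNotAuthorized("compute:security_groups")
    return {"return": "true"}


# Constructed request contexts with the attributes policy checks read.
OWNER = {"is_admin": False, "project_id": "proj-a", "roles": ["member"]}
OUTSIDER = {"is_admin": False, "project_id": "proj-b", "roles": ["member"]}
ADMIN = {"is_admin": True, "project_id": "proj-b", "roles": ["admin"]}
GROUP = {"name": "web", "project_id": "proj-a"}

# A deployment that relies on today's unrestricted behaviour could opt back
# into it explicitly; "@" always passes.
UNRESTRICTED_RULES = {**RULES, "compute:security_groups": "@"}


def allowed(context, group=GROUP, rules=RULES):
    try:
        ec2_authorize_security_group_ingress(context, group, rules)
        return True
    except PolicyNotAuthorized:
        return False


if __name__ == "__main__":
    for name, ctx in (("owner", OWNER), ("outsider", OUTSIDER), ("admin", ADMIN)):
        print(f"{name}: {'allowed' if allowed(ctx) else 'denied'}")
    print(f"outsider with '@' rule: {'allowed' if allowed(OUTSIDER, rules=UNRESTRICTED_RULES) else 'denied'}")
```

With the unlisted rule falling through to admin_or_owner, the group's owner and an admin pass while a caller from another project is denied; the UNRESTRICTED_RULES variant shows the one-line policy.json override an operator would use to keep the old open behaviour if a use case depends on it.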