Comment 3 for bug 1356678

Gabriel Assis Bezerra (gabriel-bezerra) wrote :

I used the same policy.json as the sample [0]. There you will find:

    "update_router:add_router_interface": "rule:admin_or_owner",
    "update_router:remove_router_interface": "rule:admin_or_owner",

But those rules are not checked when you try to add or remove an interface from a router with something like this:

    def add_router_interface(self, router_id, subnet_id):
        body = {
            'subnet_id': subnet_id
        }

        return self.client.add_interface_router(router=router_id, body=body)

Instead, I verified that the policies that are being checked are: "add_router_interface" and "remove_router_interface" -- notice that they don't have the "update_router:" prefix -- which are not in the sample policy.json [0].

The bug showed up when I changed the "default" policy from "admin_or_owner" to "admin_only", and tried to add/remove the interface as a member of a project (owner). When the default rule was admin_or_owner, those rules which are not listed in the sample policy.json fell back to the "default" rule and things went ok, but when it was "admin_only", the fallback did not allow the owner to update his/her router.

[0] https://github.com/openstack/neutron/blob/master/etc/policy.json
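
The fallback described in the comment above can be reproduced with a small stand-alone model, added here as an illustration and not taken from the bug report or from Neutron. `check` and `unlisted_actions` are hypothetical helpers, the evaluator is a simplified stand-in for the policy engine (it handles only `rule:`, `role:`, `tenant_id:` and `or`), and the policy excerpt and credentials are constructed.

```python
import json

# Constructed excerpt: the two prefixed rules quoted in the comment plus
# simplified helper rules. Not the full sample policy.json.
POLICY = json.loads("""{
  "admin_or_owner": "role:admin or tenant_id:%(tenant_id)s",
  "admin_only": "role:admin",
  "default": "rule:admin_or_owner",
  "update_router:add_router_interface": "rule:admin_or_owner",
  "update_router:remove_router_interface": "rule:admin_or_owner"
}""")

# Action names the comment reports as actually being checked.
ENFORCED = ["add_router_interface", "remove_router_interface"]


def _eval(policy, expr, creds, target):
    """Evaluate the small rule subset used above (assumption: no and/not)."""
    for term in expr.split(" or "):
        kind, _, value = term.strip().partition(":")
        if kind == "rule" and _eval(policy, policy[value], creds, target):
            return True
        if kind == "role" and value in creds["roles"]:
            return True
        if kind == "tenant_id" and creds["tenant_id"] == value % target:
            return True
    return False


def check(policy, action, creds, target):
    """Unlisted actions are evaluated against the "default" rule."""
    return _eval(policy, policy.get(action, policy["default"]), creds, target)


def unlisted_actions(policy, enforced):
    """Enforced action names with no rule of their own (they use "default")."""
    return sorted(a for a in enforced if a not in policy)


if __name__ == "__main__":
    owner = {"roles": ["member"], "tenant_id": "t1"}  # constructed credentials
    router = {"tenant_id": "t1"}                      # constructed target
    hardened = dict(POLICY, default="rule:admin_only")
    print("unlisted:", unlisted_actions(POLICY, ENFORCED))
    for name, pol in (("default=admin_or_owner", POLICY), ("default=admin_only", hardened)):
        print(name, {a: check(pol, a, owner, router) for a in ENFORCED})
```

Running `unlisted_actions` over the action names a deployment actually enforces, before tightening "default", lists the actions whose outcome will change with it.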