The reason for such behavior is quite simple. When the policy engine starts to build rules to enforce, it checks for each attribute of a to-be-deleted resource whether it is explicitly set. It's done by checking if an attribute is present and has a non-default value (https://github.com/openstack/neutron/blob/master/neutron/policy.py#L121). In your case with a network, such attributes are: provider:physical_network, provider:network_type and provider:segmentation_id.
Then, for each explicitly set attribute a rule is built. Rules that correspond to each attribute are listed in the policy.json file, but in case some of them are absent, they are replaced by a default rule. That is why, by setting a default rule to be "rule:admin_only", you made it impossible for a non-admin user to delete various resources. For example, if you add
    "delete_network:provider:network_type": "rule:admin_or_owner",
    "delete_network:provider:physical_network": "rule:admin_or_owner",
    "delete_network:provider:segmentation_id": "rule:admin_or_owner"
to your policy.json, then network delete will be successful.
I will investigate whether the current behaviour may cause problems, but for now I feel that forbidding a regular user to delete a resource which has admin-only attributes is quite logical.
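A sketch of the rule expansion described in the comment above, added here as an illustration; it is not Neutron's own policy.py. The defaults table, the two hard-coded rule expressions in check_rule(), and the sample policies, network and credentials are all assumptions constructed for the example. It shows the base "delete_network" rule being AND-ed with one "delete_network:<attribute>" rule per explicitly set provider attribute, those names falling back to the "default" rule when absent, and how adding the three entries quoted above changes the outcome for a non-admin owner.

```python
# Added illustration of the per-attribute rule lookup described in the comment.
# This is NOT Neutron's policy.py: the defaults table, the two hard-coded rule
# expressions in check_rule() and the sample data are assumptions for the example.

DEFAULT_RULE = "default"

# Assumed default values: an attribute counts as "explicitly set" only when
# it is present in the target and differs from its default.
DEFAULT_VALUES = {
    "network": {
        "provider:physical_network": None,
        "provider:network_type": None,
        "provider:segmentation_id": None,
    },
}


def explicit_attributes(resource, target):
    """Attributes of ``target`` that are present with a non-default value."""
    defaults = DEFAULT_VALUES.get(resource, {})
    return sorted(attr for attr, value in target.items()
                  if attr in defaults and value != defaults[attr])


def rules_to_enforce(policy, action, resource, target):
    """Base rule for ``action`` plus one ``action:attribute`` rule per explicitly
    set attribute; any name missing from ``policy`` falls back to the default rule."""
    names = [action] + ["%s:%s" % (action, attr)
                        for attr in explicit_attributes(resource, target)]
    return [(name, policy.get(name, policy[DEFAULT_RULE])) for name in names]


def check_rule(expr, creds, target):
    """Minimal evaluator for the two rule expressions used in this discussion."""
    if expr == "rule:admin_only":
        return bool(creds["is_admin"])
    if expr == "rule:admin_or_owner":
        return bool(creds["is_admin"]) or creds["tenant_id"] == target.get("tenant_id")
    raise ValueError("unsupported rule expression: %r" % expr)


def enforce(policy, action, resource, target, creds):
    """All built rules are AND-ed: one failing attribute rule denies the action."""
    return all(check_rule(expr, creds, target)
               for _name, expr in rules_to_enforce(policy, action, resource, target))


# Constructed sample data (not taken from a real deployment).
BROKEN_POLICY = {
    "default": "rule:admin_only",
    "delete_network": "rule:admin_or_owner",
}
FIXED_POLICY = dict(BROKEN_POLICY, **{
    "delete_network:provider:network_type": "rule:admin_or_owner",
    "delete_network:provider:physical_network": "rule:admin_or_owner",
    "delete_network:provider:segmentation_id": "rule:admin_or_owner",
})
PROVIDER_NET = {
    "tenant_id": "tenant-a",
    "provider:network_type": "vlan",
    "provider:physical_network": "physnet1",
    "provider:segmentation_id": 100,
}
PLAIN_NET = {"tenant_id": "tenant-a"}
OWNER = {"is_admin": False, "tenant_id": "tenant-a"}
ADMIN = {"is_admin": True, "tenant_id": "admin-tenant"}


if __name__ == "__main__":
    for name, expr in rules_to_enforce(BROKEN_POLICY, "delete_network", "network", PROVIDER_NET):
        print("%-45s -> %s" % (name, expr))
    print("owner, broken policy:", enforce(BROKEN_POLICY, "delete_network", "network", PROVIDER_NET, OWNER))
    print("owner, fixed policy: ", enforce(FIXED_POLICY, "delete_network", "network", PROVIDER_NET, OWNER))
```

With BROKEN_POLICY the three attribute rules resolve to "rule:admin_only", so the owner is denied while an admin passes; with FIXED_POLICY they resolve to "rule:admin_or_owner" and the owner's delete succeeds. A network with no provider attributes set is governed by the base rule alone in both cases. Real Neutron additionally consults the resource attribute map and only enforces attributes flagged for policy enforcement, which this sketch omits.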