Comment 9 for bug 1356679

Salvatore Orlando (salvatore-orlando) wrote :

The problem with #1 is that policy.json is not a sample. So there is no unacceptable problem #1.
The logic of that file is that the default rule applies for any policy which is not explicitly specified.

I think we should provide a sample with all possible policies - this should be doable. The admin guide should already contain a guide for editing policy.json, I'm going to double check that.

Regarding mismatches between rule checks and checks shown in logs, if you refer to situations like the following:

DEBUG neutron.policy [...] Failed policy check for 'delete_network'

(((rule:delete_network and rule:delete_network:provider:physical_network) and rule:delete_network:provider:network_type) and rule:delete_network:provider:segmentation_id)

There is nothing unacceptable for me. This depends indeed on the fact that the policy engine has resource-level and attribute-level rules. For deleting a network one has to satisfy both resource-level (the first) and attribute-level (the others) rules.

For point #3, this is a by-product of the API controller behaviour. Elena is already working on improving that.
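
The behaviour described in the comment above (default rule for unlisted policies, resource-level and attribute-level rules combined with "and"), as an added example that is not part of the original comment and is not Neutron's policy engine. It is a simplified model: the policy table, the credentials and the function names are constructed for illustration; only the rule names come from the log line.

```python
from functools import reduce

# Attribute names taken from the log line in the comment above.
ENFORCED_ATTRS = ("provider:physical_network", "provider:network_type",
                  "provider:segmentation_id")

# Constructed sample policy table; not Neutron's shipped policy.json.
SAMPLE_POLICY = {
    "admin_only": "role:admin",
    "admin_or_owner": "role:admin or tenant_id:%(tenant_id)s",
    "default": "rule:admin_or_owner",
}


def match_rule_names(action, target):
    """Resource-level rule first, then one rule per enforced attribute present."""
    return [action] + [f"{action}:{a}" for a in ENFORCED_ATTRS if a in target]


def render(names):
    """Left-nested 'and' chain, in the shape the debug log prints."""
    return reduce(lambda acc, n: f"({acc} and rule:{n})",
                  names[1:], f"rule:{names[0]}")


def check(name, target, creds, policy):
    """Evaluate one named rule; names missing from the table use 'default'."""
    expr = policy.get(name, policy["default"])
    for term in expr.split(" or "):
        kind, _, value = term.partition(":")
        if kind == "role" and value in creds["roles"]:
            return True
        # Only the 'tenant_id:%(tenant_id)s' form is modelled: caller owns target.
        if kind == "tenant_id" and creds["tenant_id"] == target.get("tenant_id"):
            return True
        if kind == "rule" and check(value, target, creds, policy):
            return True
    return False


def enforce(action, target, creds, policy):
    """Allowed only if every resource- and attribute-level rule passes."""
    names = match_rule_names(action, target)
    return all(check(n, target, creds, policy) for n in names), render(names)
```

With the sample table none of the delete_network rules are listed, so each falls back to "default"; adding a single stricter attribute-level entry is enough to deny a caller who passes the resource-level rule.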