The problem with #1 is that policy.json is not a sample. So there is no unacceptable problem #1.
The logic of that file is that the default rule applies for any policy which is not explicitly specified.
I think we should provide a sample with all possible policies - this should be doable. The admin guide should already contain a guide for editing policy.json, I'm going to double check that.
Regarding mismatches between rule checks and checks shown in logs, if you refer to situations like the following:
DEBUG neutron.policy [...] Failed policy check for 'delete_network'
(((rule:delete_network and rule:delete_network:provider:physical_network) and rule:delete_network:provider:network_type) and rule:delete_network:provider:segmentation_id)
There is nothing unacceptable for me. This depends indeed on the fact that the policy engine has resource-level and attribute-level rules. For deleting a network one has to satisfy both the resource-level (the first) and the attribute-level (the others) rules.
For point #3 this is a by-product of the API controller behaviour. Elena is already working on improving that.
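As an added illustration of the two points made in this comment (the default rule covering any policy that is not listed, and the resource-level rule being ANDed with the attribute-level rules), the following toy model is not neutron's or oslo.policy's own code. It uses a constructed policy.json-style subset, constructed network and credential dictionaries, and a small rule parser that is an assumption about the rule syntax (rule:, role:, and key:%(attr)s checks joined by and/or); the composed expression it builds is the same shape as the one in the log line quoted above.

```python
"""Toy model of how neutron composes policy rules. This is an added example,
not neutron's or oslo.policy's own code. It mimics the two behaviours the
comment describes: a policy missing from policy.json falls back to "default",
and delete_network must satisfy the resource-level rule AND every applicable
attribute-level rule (<action>:<attribute>)."""
import re

# Constructed policy.json-style subset (assumption; the real file has many more keys).
POLICY = {
    "default": "rule:admin_or_owner",
    "admin_or_owner": "role:admin or tenant_id:%(tenant_id)s",
    "admin_only": "role:admin",
    "delete_network": "rule:admin_or_owner",
    "delete_network:provider:physical_network": "rule:admin_only",
    "delete_network:provider:network_type": "rule:admin_only",
    "delete_network:provider:segmentation_id": "rule:admin_only",
}

# A token is a parenthesis or a run of non-space characters; %(attr)s stays whole.
_TOKEN = re.compile(r"\(|\)|(?:%\(\w+\)s|[^\s()%]+|%)+")


class _Parser:
    """Recursive descent with oslo.policy precedence: 'or' binds looser than 'and'."""
    def __init__(self, expr):
        self.toks, self.i = _TOKEN.findall(expr), 0

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _take(self):
        self.i += 1
        return self.toks[self.i - 1]

    def parse_or(self):
        node = self.parse_and()
        while self._peek() == "or":
            self._take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self._atom()
        while self._peek() == "and":
            self._take()
            node = ("and", node, self._atom())
        return node

    def _atom(self):
        tok = self._take()
        if tok != "(":
            return ("check", tok)
        node = self.parse_or()
        if self._take() != ")":
            raise ValueError("unbalanced parentheses in rule")
        return node


def _eval(node, policy, target, creds):
    kind, *args = node
    if kind == "or":
        return _eval(args[0], policy, target, creds) or _eval(args[1], policy, target, creds)
    if kind == "and":
        return _eval(args[0], policy, target, creds) and _eval(args[1], policy, target, creds)
    key, _, value = args[0].partition(":")
    if key == "rule":
        # A rule name absent from policy.json resolves to the "default" entry.
        return evaluate(policy.get(value, policy["default"]), policy, target, creds)
    if key == "role":
        return value in creds.get("roles", ())
    # Generic check: creds[key] == value, where %(attr)s is read from the target.
    sub = re.fullmatch(r"%\((\w+)\)s", value)
    expected = target.get(sub.group(1)) if sub else value
    return str(creds.get(key)) == str(expected)


def evaluate(expr, policy, target, creds):
    """Evaluate one rule string against the request target and caller credentials."""
    return _eval(_Parser(expr).parse_or(), policy, target, creds)


def match_rule(policy, action, target):
    """Build the expression neutron logs: the resource-level rule ANDed, left to right,
    with every attribute-level rule '<action>:<attribute>' that exists in the policy."""
    expr = "rule:" + action
    for attr in target:
        if f"{action}:{attr}" in policy:
            expr = f"({expr} and rule:{action}:{attr})"
    return expr


def enforce(policy, action, target, creds):
    """True if the caller passes the composed rule for this action and target."""
    return evaluate(match_rule(policy, action, target), policy, target, creds)


# Constructed request data (assumption).
PROVIDER_NET = {"id": "net-1", "tenant_id": "tenant-a", "provider:physical_network": "physnet1",
                "provider:network_type": "vlan", "provider:segmentation_id": 100}
PLAIN_NET = {"id": "net-2", "tenant_id": "tenant-a"}
OWNER = {"tenant_id": "tenant-a", "roles": ["member"]}
ADMIN = {"tenant_id": "tenant-z", "roles": ["admin"]}
```

Calling match_rule(POLICY, "delete_network", PROVIDER_NET) yields the nested expression seen in the DEBUG line; enforce() then denies the tenant owner (it passes rule:delete_network but fails the rule:admin_only attribute rules) while an admin passes, and a network without provider attributes is deleted by its owner because only the resource-level rule applies. An action with no entry at all, such as get_network here, is evaluated with the "default" rule.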