Comment 5 for bug 1674349

Akihiro Motoki (amotoki) wrote :

Yes, we can add a policy rule like:

    "service_role": "service_roles:<role_name>",
    "update_port:binding:host_id": "rule:admin_only or rule:service_role"

Right now, oslo.context provides several service_xxxx fields [1]. We can discuss what kind of default rules would be nice for nova (or other services).

[1] http://git.openstack.org/cgit/openstack/oslo.context/tree/oslo_context/context.py#n281