Comment 3 for bug 1540939

I think the problem we are having is that we added "VMAdmin" to the delete port rule.

We have this:

    "owner": "tenant_id:%(tenant_id)s",
    "admin_or_vm_admin_owner": "role:admin or (tenant_id:%(tenant_id)s and role:VMAdmin)",
    "admin_or_vm_admin_network_owner": "role:admin or (tenant_id:%(network:tenant_id)s and role:VMAdmin)",
    "vm_admin_owner_or_vm_admin_network_owner": "rule:admin_or_vm_admin_network_owner or rule:admin_or_vm_admin_owner",

    ...

    "delete_port": "rule:vm_admin_owner_or_vm_admin_network_owner or rule:context_is_advsvc",

So it takes VMAdmin to delete a port, but the user in this case did not have that role when deleting an instance.

I'm going to reopen this bug to see if nova can change to use admin to delete the port, if the neutron port binding extension is enabled.