I think the problem we are having is that we added "VMAdmin" to the delete port rule.
We have this:
"owner": "tenant_id:%(tenant_id)s",
"admin_or_vm_admin_owner": "role:admin or (tenant_id:%(tenant_id)s and role:VMAdmin)",
"admin_or_vm_admin_network_owner": "role:admin or (tenant_id:%(network:tenant_id)s and role:VMAdmin)",
"vm_admin_owner_or_vm_admin_network_owner": "rule:admin_or_vm_admin_network_owner or rule:admin_or_vm_admin_owner",
...
"delete_port": "rule:vm_admin_owner_or_vm_admin_network_owner or rule:context_is_advsvc",
So it takes VMAdmin to delete a port, but the user in this case did not have that role when deleting an instance.
I'm going to reopen this bug to see if nova can change to use admin to delete the port, if the neutron port binding extension is enabled.
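To make the denial in the comment above concrete, here is a small, self-contained policy evaluator that walks the quoted rules and checks who is allowed to reach "delete_port". This is an added example for this note, not oslo.policy and not nova or neutron code; it handles only the subset of the policy grammar the quoted rules use (role:X, attr:%(target)s templates, rule:X references, and/or, parentheses, @ and !). The definition of "context_is_advsvc" is not in the quoted fragment and is assumed here to be "role:advsvc"; the port, network and user credentials are constructed sample data.

```python
import re
from typing import Any, Dict, List, Optional

# Constructed policy fragment: the rules quoted in the comment above, plus an
# ASSUMED definition of context_is_advsvc (its definition is not in the fragment).
POLICY: Dict[str, str] = {
    "owner": "tenant_id:%(tenant_id)s",
    "admin_or_vm_admin_owner": "role:admin or (tenant_id:%(tenant_id)s and role:VMAdmin)",
    "admin_or_vm_admin_network_owner": "role:admin or (tenant_id:%(network:tenant_id)s and role:VMAdmin)",
    "vm_admin_owner_or_vm_admin_network_owner": "rule:admin_or_vm_admin_network_owner or rule:admin_or_vm_admin_owner",
    "context_is_advsvc": "role:advsvc",  # assumption, not part of the quoted fragment
    "delete_port": "rule:vm_admin_owner_or_vm_admin_network_owner or rule:context_is_advsvc",
}

# Tokens: parentheses, the keywords and/or, or an atom. An atom may contain a
# %(...)s template, so the template is matched as a unit and its parentheses are
# not treated as grouping.
_TOKEN_RE = re.compile(r"\(|\)|\band\b|\bor\b|(?:%\([^)]*\)s|[^\s()])+")
_TEMPLATE_RE = re.compile(r"%\((.+)\)s")


def _lookup(target: Dict[str, Any], path: str) -> Optional[Any]:
    """Resolve 'network:tenant_id' against a flat key or nested dicts."""
    if path in target:
        return target[path]
    cur: Any = target
    for part in path.split(":"):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _eval_atom(atom: str, rules: Dict[str, str], target: Dict[str, Any], creds: Dict[str, Any]) -> bool:
    if atom == "@":
        return True
    if atom == "!":
        return False
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return evaluate(rules[value], rules, target, creds)
    if kind == "role":
        return value in creds.get("roles", [])
    m = _TEMPLATE_RE.fullmatch(value)
    if m:
        # Generic check: the credential named `kind` must equal the target attribute.
        # A missing value on either side is a denial, never an accidental None == None match.
        lhs, rhs = creds.get(kind), _lookup(target, m.group(1))
        return lhs is not None and rhs is not None and str(lhs) == str(rhs)
    return creds.get(kind) is not None and str(creds[kind]) == value


class _Parser:
    """Recursive-descent evaluator: expr := term ('or' term)*, term := factor ('and' factor)*."""

    def __init__(self, tokens: List[str], rules, target, creds):
        self.toks, self.i = tokens, 0
        self.rules, self.target, self.creds = rules, target, creds

    def _peek(self) -> Optional[str]:
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _next(self) -> str:
        tok = self.toks[self.i]
        self.i += 1
        return tok

    def expr(self) -> bool:
        value = self.term()
        while self._peek() == "or":
            self._next()
            rhs = self.term()  # always consume the right side, even if already True
            value = value or rhs
        return value

    def term(self) -> bool:
        value = self.factor()
        while self._peek() == "and":
            self._next()
            rhs = self.factor()
            value = value and rhs
        return value

    def factor(self) -> bool:
        tok = self._next()
        if tok == "(":
            value = self.expr()
            if self._next() != ")":
                raise ValueError("unbalanced parentheses in policy rule")
            return value
        return _eval_atom(tok, self.rules, self.target, self.creds)


def evaluate(rule_text: str, rules: Dict[str, str], target: Dict[str, Any], creds: Dict[str, Any]) -> bool:
    parser = _Parser(_TOKEN_RE.findall(rule_text), rules, target, creds)
    result = parser.expr()
    if parser._peek() is not None:
        raise ValueError("trailing tokens in policy rule: %r" % rule_text)
    return result


def enforce(action: str, rules: Dict[str, str], target: Dict[str, Any], creds: Dict[str, Any]) -> bool:
    return evaluate(rules[action], rules, target, creds)


def port_delete_cases() -> Dict[str, bool]:
    """Who may delete a constructed port owned by tenant-a on a network owned by tenant-a."""
    port = {"tenant_id": "tenant-a", "network": {"tenant_id": "tenant-a"}}  # constructed target
    users = {  # constructed credentials
        "admin": {"tenant_id": "tenant-x", "roles": ["admin"]},
        "owner_with_vmadmin": {"tenant_id": "tenant-a", "roles": ["Member", "VMAdmin"]},
        "owner_without_vmadmin": {"tenant_id": "tenant-a", "roles": ["Member"]},  # the case in the bug
        "other_tenant_vmadmin": {"tenant_id": "tenant-b", "roles": ["VMAdmin"]},
        "advsvc": {"tenant_id": "tenant-x", "roles": ["advsvc"]},
    }
    return {name: enforce("delete_port", POLICY, port, creds) for name, creds in users.items()}


if __name__ == "__main__":
    for name, allowed in port_delete_cases().items():
        print("%-24s delete_port -> %s" % (name, "allowed" if allowed else "denied"))
```

The "owner_without_vmadmin" case is the one described in the comment: the user owns both the port and the network, but without the VMAdmin role every branch of "delete_port" evaluates to False, so the port left behind by the instance deletion cannot be removed. The "admin" case shows why switching nova to an admin context for that call would pass the same policy.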