Nova does not restrict the policy by user_id except for the keypairs API. We have kept it for a few of the destructive actions (for backwards compatibility) and intend to remove them too in the future. I remember we discussed this in 2016, but I could not find the ML thread for that; the consensus at that time was that we do not intend to support user_id based restriction permission in the API.
This is the spec where we kept the user_id support for destructive actions and the reason.
https://specs.openstack.org/openstack/nova-specs/specs/newton/implemented/user-id-based-policy-enforcement.html
As we are moving our policy to new defaults (with new direction), after that we should discuss removing all the user_id enforcement support except keypair. But we definitely should not extend it for any other action.