Whenever you have the time, could you please say a word or two on what are your thoughts about this? If you are aware of us having any way to implement authorization based on user_id, now or in the future?
Thanks in advance.
So, the upstream consensus is that the policy modification using user_id was not something Nova was supporting because it was not verified (even not known, only by operators).
When the API version was bumped to v2.1, we then haven't checked if the non-supported features were yet fine. That's not something we can call it a regression if the non-supported feature was no longer working, as also it's not a API modification but rather only a fluke of the policy engine.
That said, the Nova upstream community understands it can be a feature for operators (at least for deleting instances only) and that's why the consensus was also to create a new blueprint (and a spec) for now supporting it in Newton (for v2.1 only since v2.0 is only stable/supported).
Given the above is not yet something merged upstream (even not yet accepted), I think we should WONTFIX the behaviour here for OSP8 (Liberty) and rather change the documentation to explicitly remove any comment about modifying the policy file for that, and rather tell to users that they can use the lock operation for making sure other users (from the same project) can't delete their own instances.
(In reply to Sylvain Bauza from comment #8)
Awesome, thanks for the link, Sylvain.