Comment 1 for bug 1789499

Lajos Katona (lajos-katona) wrote :

The issue is really there (I tried in devstack, everything is on master).

What I see, however, is that the policy rule enforcement works in a slightly tricky way for GET (perhaps for other operations as well, but I checked GET).

So let's look at GET /agents, which is an admin_only operation according to policy.json:

$ grep get_agent /etc/neutron/policy.json
    "get_agent": "rule:admin_only",

1.) Let's see as tenant=admin, user=admin:
$ echo $OS_PROJECT_NAME ;echo $OS_TENANT_NAME ;echo $OS_USERNAME
admin
admin
admin

$ export MY_TOKEN=$(openstack token issue -c id -f value)

$ curl -H "X-Auth-Token: $MY_TOKEN" -X GET http://127.0.0.1:9696/v2.0/agents
{"agents": [{"binary": "neutron-openvswitch-agent"........},.....]}

2.) Let's see the same as project=demo, user=demo
$ echo $OS_PROJECT_NAME ;echo $OS_TENANT_NAME ;echo $OS_USERNAME
demo
demo
demo

$ export MY_TOKEN=$(openstack token issue -c id -f value)

$ curl -H "X-Auth-Token: $MY_TOKEN" -X GET http://127.0.0.1:9696/v2.0/agents
{"agents": []}

So the user really can't see the agents, which are allowed only for admin.
I am not sure/not qualified to tell what the good behaviour would be:
1) Give an exception to the user (like http403, and some text for it: "rule:delete_flavor is disallowed by policy....").
2) Or pretend to show something and give back an empty list, like it is now. I don't know the historical reasons, but these topics are the ones for the security guys to chew on.
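The two behaviours the comment contrasts (a 403 from a request-level policy check versus an empty list from per-item filtering) can be shown side by side with a small model of policy.json evaluation. The following is an added example, not Neutron or oslo.policy code: it implements only the subset of the rule language that appears in the comment (`rule:`, `role:`, plain `key:value` and `key:%(field)s` atoms joined with `and`/`or`, no parentheses), the agent records are constructed, and the `admin_or_owner` rule is included to show why per-item filtering exists at all for collections that mix tenant-owned objects. The `PolicyNotAuthorized` name and the error text are assumptions modelled on the message quoted in the comment.

```python
"""Model of two policy-enforcement styles for a collection GET (added example)."""


class PolicyNotAuthorized(Exception):
    """Raised when a request-level policy check fails (would map to HTTP 403)."""


# Constructed rules mirroring the policy.json lines discussed in the comment.
# "admin_or_owner"/"get_network" are added to show a per-item (owner) rule.
RULES = {
    "admin_only": "role:admin",
    "admin_or_owner": "rule:admin_only or tenant_id:%(tenant_id)s",
    "get_agent": "rule:admin_only",
    "get_network": "rule:admin_or_owner",
}

# Constructed resources; agents carry no tenant_id, networks do.
AGENTS = [
    {"id": "a1", "binary": "neutron-openvswitch-agent"},
    {"id": "a2", "binary": "neutron-dhcp-agent"},
]
NETWORKS = [
    {"id": "n1", "tenant_id": "admin-proj"},
    {"id": "n2", "tenant_id": "demo-proj"},
]

ADMIN_CREDS = {"roles": ["admin", "member"], "tenant_id": "admin-proj"}
DEMO_CREDS = {"roles": ["member"], "tenant_id": "demo-proj"}


def _check_atom(atom, creds, target, rules):
    """Evaluate one atom of a rule against the caller and the target object."""
    if atom == "@":          # always allowed
        return True
    if atom == "!":          # never allowed
        return False
    kind, _, value = atom.partition(":")
    if kind == "rule":       # reference to another named rule
        return check_rule(rules[value], creds, target, rules)
    if kind == "role":       # caller must hold the role
        return value in creds.get("roles", [])
    # Generic check: "key:literal" or "key:%(field)s" (field taken from target).
    if value.startswith("%(") and value.endswith(")s"):
        value = str(target.get(value[2:-2]))
    return str(creds.get(kind)) == value


def check_rule(expr, creds, target=None, rules=RULES):
    """Evaluate a rule expression; 'and' binds tighter than 'or', no parentheses."""
    target = target or {}
    return any(
        all(_check_atom(atom.strip(), creds, target, rules) for atom in conj.split(" and "))
        for conj in expr.split(" or ")
    )


def list_filtered(rule_name, creds, items):
    """Style 2 from the comment: check every item, silently drop what fails.

    A caller with no access gets [] and no indication that anything was hidden.
    """
    return [item for item in items if check_rule(RULES[rule_name], creds, item)]


def list_strict(rule_name, creds, items):
    """Style 1 from the comment: one request-level check, 403 on failure.

    Suitable when the rule does not depend on per-item attributes (e.g. get_agent),
    because then either every item or no item would pass anyway.
    """
    if not check_rule(RULES[rule_name], creds):
        raise PolicyNotAuthorized(f"rule:{rule_name} is disallowed by policy")
    return list(items)


if __name__ == "__main__":
    print("admin, filtered:", [a["id"] for a in list_filtered("get_agent", ADMIN_CREDS, AGENTS)])
    print("demo,  filtered:", list_filtered("get_agent", DEMO_CREDS, AGENTS))
    try:
        list_strict("get_agent", DEMO_CREDS, AGENTS)
    except PolicyNotAuthorized as exc:
        print("demo,  strict  :", exc)
    print("demo,  networks:", [n["id"] for n in list_filtered("get_network", DEMO_CREDS, NETWORKS)])
```

Running it reproduces the comment's observation: admin sees both agents under either style, demo gets `[]` under filtering and a `PolicyNotAuthorized` under the strict check. The networks case shows the trade-off: for an owner-based rule the per-item filter returns exactly the caller's own objects, which a single request-level check cannot express, so a filter that is right for `get_network` yields the confusing empty list for `get_agent`.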